CentOS 8.x firewalld rich rules
From Notes_Wiki
<yambe:breadcrumb self="firewalld rich rules">CentOS 8.x firewalld|firewalld</yambe:breadcrumb>
CentOS 8.x firewalld rich rules
Rich rule processing order
Once multiple rules are in place they will be processed in a certain order. Port forwarding and masquerading rules will be applied first, followed by any logging rules, then any allow rules, and finally any deny rules. A packet will use the first rule it applies to in this order, if it does not match a rule it will hit the default deny.
Basics of rich rules
- Allow httpd connection. The rule will be add to default zone
- firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept'
- firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept' --permanent
- Reject httpd connection.
- firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" reject'
- Add rich rule to specific zone
- firewall-cmd --zone=home --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept'
- To list the rich rules
- firewall-cmd --permanent --zone=home --list-rich-rule
- Remove rich rule
- firewall-cmd --zone=home --remove-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept --permanent
- Rich rules can also be used to rate limit traffic, here we limit incoming SSH connections to 10 per minute.
- firewall-cmd --permanent --add-rich-rule='rule service name=ssh limit value=10/m accept'
Some examples for Rich Rule
- Allowing traffic from the range 10.0.0.0/24 into only 192.168.0.10/32 through TCP ports 8080 through to 8090.
- firewall-cmd --permanent --zone=testing --add-rich-rule='rule family=ipv4 source address=10.0.0.0/24 destination address=192.168.0.10/32 port port=8080-8090 protocol=tcp accept' success
- In this instance we can specify a specific source address within the test zone rather than the whole zone.
- firewall-cmd --permanent --zone=testing --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 forward-port port=22 protocol=tcp to-port=2222 to-addr=10.0.0.10'
Masquerading with Rich rules
- To check if IP masquerading is enabled
- firewall-cmd --zone=public --query-masquerade
- To enable IP masquerading
- firewall-cmd --zone=public --add-masquerade
- In this example any packet sent to addresses defined in the zone ‘testing’ will be masqueraded
- firewall-cmd --permanent --zone=home --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 masquerade'
Some test cases
- Allow Telnet connection only from 192.168.1.50/32. Limit this connection one per minute. Drop Telnet connection from remaining hosts
- firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.1.50/32 service name=telnet limit value=1/m accept'
- Allow SSH connection from network 192.168.1.0/24. Log each access with "SSH Access" prefix"
- firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 service name=ssh log prefix="SSH Access" level= "notice" accept'
- Allow FTP connection only from 192.168.1.2/24. Reject FTP connections from remaining systems
- firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.1.2/32 port port=21 protocol=tcp accept'
- Reject ping requests from all hosts with error message.
- firewall-cmd --add-rich-rule='rule protocol value=icmp reject'
Rich rules timeout option
- For testing and debugging purpose we can use --timeout option which will remove the rule automatically after the specified time. For examples Following rule will be automatically removed after 60 seconds
- firewall-cmd --add-rich-rule=’rule protocol value=”icmp” reject’ --timeout=60
Rich Rule Log Command
- Log httpd acess
- firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.50/32" service name="http" log prefix="httpd_" level="debug" accept'
- You can check logs in "/var/log/messages"
Refer:
Steps contributed by Pavan Ponamala
<yambe:breadcrumb self="firewalld rich rules">CentOS 8.x firewalld|firewalld</yambe:breadcrumb>