What we've looked at so far might be all you'll ever need for general use scenarios, but for more granular control, you'll want to know about rich language rules. (Yes, that really is what they're called.)
Compared to iptables rules, rich language rules are a bit less cryptic and are closer to plain English. So, if you're new to the business of writing firewall rules, you might find rich language a bit easier to learn. On the other hand, if you're already used to writing iptables rules, you might find some elements of the rich language a bit quirky. Let's look at one example:
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="200.192.0.0/24" service name="http" drop'
Here, we're adding a rich rule that blocks website access from an entire geographic block of IPv4 addresses. Note that the entire rule is surrounded by a pair of single quotes, and the assigned value for each parameter is surrounded by a pair of double quotes. With this rule, we're saying that we're working with IPv4 and that we want to silently block the http port from accepting packets from the 200.192.0.0/24 network. We didn't use the --permanent option, so this rule will disappear when we reboot the machine. Let's see what our zone looks like with this new rule:
[donnie@localhost ~]$ sudo firewall-cmd --info-zone=dmz
dmz (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: ssh http https
ports: 10000/tcp 636/tcp 637/tcp 638/udp
. . .
. . .
rich rules:
rule family="ipv4" source address="200.192.0.0/24" service name="http"
drop
[donnie@localhost ~]$
The rich rule shows up at the bottom. After we've tested this rule to make sure that it does what we need it to do, we'll make it permanent:
sudo firewall-cmd --runtime-to-permanent
You could just as easily write a rule for IPv6 by replacing family="ipv4" with family="ipv6" and supplying the appropriate IPv6 address range.
Some rules are generic and apply to either IPv4 or IPv6. Let's say that we want to log messages about Network Time Protocol (NTP) packets for both IPv4 and IPv6 and that we want to log no more than one message per minute. The command to create that rule would look like this:
sudo firewall-cmd --add-rich-rule='rule service name="ntp" audit limit value="1/m" accept'
There is, of course, a lot more to firewalld rich language rules than we can present here. But for now, you know the basics. For more information, consult the man page:
man firewalld.richlanguage
To read about rich rules, you'll need to go to the documentation page for Red Hat Enterprise Linux 7. What's there also applies to RHEL 8. But even there, there's not much detail. To find out more, see the man page on either RHEL/CentOS 7 or RHEL/CentOS 8.
To make the rule permanent, just use any of the methods that we've already discussed. When you do, the rule will show up in the .xml file for the default zone. In my case, the default zone is still set to public. So, let's look in the /etc/firewalld/zones/public.xml file:
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<service name="cockpit"/>
<rule family="ipv4">
<source address="192.168.0.225"/>
<service name="http"/>
<drop/>
</rule>
</zone>
Our rich rule shows up in the rule family block at the bottom of the file.
Now that we've covered what's common between the RHEL/CentOS 7 and the RHEL/CentOS 8 versions of firewalld, let's look at what's particular to each different version.