firewalld rich language rules

What we've looked at so far might be all you'll ever need for general use scenarios, but for more granular control, you'll want to know about rich language rules. (Yes, that really is what they're called.)

Compared to iptables rules, rich language rules are a bit less cryptic, and are closer to plain English. So, if you're new to the business of writing firewall rules, you might find rich language a bit easier to learn. On the other hand, if you're already used to writing iptables rules, you might find some elements of rich language a bit quirky. Let's look at one example:

sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="200.192.0.0/24" service name="http" drop'

So, we're adding a rich rule. Note that the entire rule is surrounded by a pair of single quotes, and the assigned value for each parameter is surrounded by a pair of double quotes. With this rule, we're saying that we're working with IPv4, and that we want to silently block the http port from accepting packets from the 200.192.0.0/24 network. We didn't use the --permanent option, so this rule will disappear when we reboot the machine. Let's see what our zone looks like with this new rule:

[donnie@localhost ~]$ sudo firewall-cmd --info-zone=dmz
[sudo] password for donnie:
dmz (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: ssh http https
ports: 10000/tcp 636/tcp 637/tcp 638/udp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="200.192.0.0/24" service name="http" drop
[donnie@localhost ~]$

The rich rule shows up at the bottom. After we've tested this rule to make sure that it does what we need it to do, we'll make it permanent:

sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="200.192.0.0/24" service name="http" drop'

sudo firewall-cmd --reload

You could just as easily write a rule for IPv6 by replacing family="ipv4" with family="ipv6", and supplying the appropriate IPv6 address range.
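The test-then-commit workflow above (add at runtime, check the zone, then add with --permanent and reload) is easy to get wrong by hand, so here is an added shell example, not from the book, that builds a rich rule string for either family and applies it in that order. FWCMD is an assumed variable holding the firewall-cmd invocation so the functions can be exercised against a stub; build_rich_rule and apply_rich_rule are names chosen here.

```shell
#!/bin/sh
# FWCMD is the command used to talk to firewalld; the default matches the
# book's usage. It is deliberately unquoted below so "sudo firewall-cmd" splits
# into two words; point it at a stub function to dry-run this script.
FWCMD="${FWCMD:-sudo firewall-cmd}"

# Print one family-specific rich rule in the form firewalld expects:
#   rule family="ipv4" source address="200.192.0.0/24" service name="http" drop
# Usage: build_rich_rule FAMILY SOURCE_CIDR SERVICE ACTION
build_rich_rule() {
    family=$1; src=$2; svc=$3; action=$4
    case "$family" in ipv4|ipv6) ;; *) echo "bad family: $family" >&2; return 1 ;; esac
    case "$action" in accept|drop|reject) ;; *) echo "bad action: $action" >&2; return 1 ;; esac
    # The whole rule is passed to firewall-cmd as a single argument, so the
    # inner values keep their double quotes and the caller single-quotes it.
    printf 'rule family="%s" source address="%s" service name="%s" %s\n' \
        "$family" "$src" "$svc" "$action"
}

# Apply a rule runtime-first, confirm firewalld reports it present, and only
# then persist it and reload. Nothing is written to the permanent
# configuration if the runtime add or the check fails.
apply_rich_rule() {
    rule=$1
    if $FWCMD --query-rich-rule="$rule" >/dev/null 2>&1; then
        echo "rule already active: $rule"
        return 0
    fi
    $FWCMD --add-rich-rule="$rule" >/dev/null || return 1
    $FWCMD --query-rich-rule="$rule" >/dev/null || return 1
    $FWCMD --permanent --add-rich-rule="$rule" >/dev/null || return 1
    $FWCMD --reload >/dev/null
}
```

Calling `apply_rich_rule "$(build_rich_rule ipv4 200.192.0.0/24 http drop)"` reproduces the sequence of commands shown above for that one rule.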

Some rules are generic, and apply to both IPv4 and IPv6. Let's say that we want to log messages about Network Time Protocol (NTP) packets, and we want to log no more than one message per minute. The command to create that rule would look like this:

sudo firewall-cmd --permanent --add-rich-rule='rule service name="ntp" audit limit value="1/m" accept'

There is, of course, a lot more to firewalld rich language rules than we can present here. But, you at least now know the basics. For more information, consult the man page:

man firewalld.richlanguage