Persistence Problems with --permanent firewalld Rules?
I'm in the process of working through the (draft 2) STIG rules for RHEL 7. One rule (RHEL-07-040250) states that I need to verify that rate-limiting is in place for inbound connection attempts. That is, if I execute firewall-cmd --direct --get-rule ipv4 filter IN_public_allow, I should find both a --limit and a --limit-burst token. If I find no such rule returned upon executing firewall-cmd --direct --get-rule ipv4 filter IN_public_allow, I should insert a suitable rule. The specific recommendation in the STIG is firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT. Wanting my rule to persist across boots (or even restarts of the firewalld service), I opted to amend that by also executing firewall-cmd --direct --permanent --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT.
Making this amendment, I end up with a /etc/firewalld/direct.xml with the following contents:
<?xml version="1.0" encoding="utf-8"?>
<direct>
<rule priority="0" table="filter" ipv="ipv4" chain="IN_public_allow">-m tcp -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT</rule>
</direct>
All seems good. However, if I reboot my system (or even just reload my firewalld configuration), it seems that the service is ignoring this file. When I rerun my rule presence-check (firewall-cmd --direct --get-rule ipv4 filter IN_public_allow), it returns null rather than the 0 -m tcp -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT I expect.
Is this a bug, or am I doing something "not quite right"? I'll fully admit that I'm unfamiliar with firewalld. I know how I would do stuff in bare iptables, but the STIGs mandate the use of firewalld.
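An added audit helper (not code from the original post or from the STIG) that applies the RHEL-07-040250 check to both the runtime and the permanent direct configuration, so a rule that survives only until the next reload shows up as a mismatch between the two; it assumes firewalld on RHEL 7, uses firewall-cmd's listing form --direct --get-rules, and takes the chain and rule arguments exactly as given above.

```shell
#!/bin/sh
# Hypothetical helper: audit (and optionally add) the STIG rate-limit rule
# in both the runtime and the permanent firewalld direct configuration.

CHAIN_ARGS="ipv4 filter IN_public_allow"
# Rule text from the STIG, unchanged. Note that it ACCEPTs any TCP packet that
# falls under the limit, not just new connections; check it against the rest
# of the zone policy before relying on it.
RULE_ARGS="0 -m tcp -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT"

# has_rate_limit RULE_LISTING: succeed only if some line of the listing
# carries both a --limit and a --limit-burst token (exact token match, so
# "--limit-burst" alone does not count as "--limit").
has_rate_limit() {
    printf '%s\n' "$1" | awk '
        { l = 0; b = 0
          for (i = 1; i <= NF; i++) {
              if ($i == "--limit")       l = 1
              if ($i == "--limit-burst") b = 1
          }
          if (l && b) found = 1 }
        END { exit found ? 0 : 1 }'
}

# firewalld prints one direct rule per line: "<priority> <iptables args>".
runtime_rules()   { firewall-cmd --direct --get-rules $CHAIN_ARGS; }
permanent_rules() { firewall-cmd --permanent --direct --get-rules $CHAIN_ARGS; }

# audit_rate_limit: report each scope separately; exit status 1 if either
# scope lacks the rule, which is exactly the "present now, gone after
# reload" situation described in the question.
audit_rate_limit() {
    rc=0
    for scope in runtime permanent; do
        if has_rate_limit "$(${scope}_rules 2>/dev/null)"; then
            echo "$scope: rate-limit rule present"
        else
            echo "$scope: rate-limit rule MISSING"
            rc=1
        fi
    done
    return $rc
}

# add_rate_limit: add the STIG rule to both scopes ($RULE_ARGS is
# deliberately unquoted so the shell splits it into separate arguments).
add_rate_limit() {
    firewall-cmd --direct --add-rule $CHAIN_ARGS $RULE_ARGS &&
    firewall-cmd --permanent --direct --add-rule $CHAIN_ARGS $RULE_ARGS
}

case "${1:-}" in
    audit) audit_rate_limit ;;
    fix)   add_rate_limit && audit_rate_limit ;;
esac
```

Run it as `sh stig-ratelimit.sh audit` after a `firewall-cmd --reload` to see which scope lost the rule, or `sh stig-ratelimit.sh fix` to add it to both and re-check.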