    Persistence Problems with --permanent firewalld Rules?

    I'm in the process of working through the (draft 2) STIG rules for RHEL 7. One rule (RHEL-07-040250) states that I need to verify that rate-limiting is in place for inbound connection attempts. That is, if I execute firewall-cmd --direct --get-rule ipv4 filter IN_public_allow, I should find both a --limit and a --limit-burst token. If I find no such rule returned upon executing firewall-cmd --direct --get-rule ipv4 filter IN_public_allow, I should insert a suitable rule. The specific recommendation in the STIG is:

        firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

    Wanting my rule to persist across boots (or even restarts of the firewalld service), I opted to amend that by also executing:

        firewall-cmd --direct --permanent --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

    Making this amendment, I end up with a /etc/firewalld/direct.xml with the following contents:

        <?xml version="1.0" encoding="utf-8"?>
        <direct>
          <rule priority="0" table="filter" ipv="ipv4" chain="IN_public_allow">-m tcp -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT</rule>
        </direct>

    All seems good. However, if I reboot my system (or even just reload my firewalld configuration), it seems that the service is ignoring this file. When I rerun my rule presence-check (firewall-cmd --direct --get-rule ipv4 filter IN_public_allow), it returns null rather than the 0 -m tcp -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT I expect.

    Is this a bug, or am I doing something "not quite right"? I'll fully admit that I'm unfamiliar with firewalld. I know how I would do stuff in bare iptables, but the STIGs mandate the use of firewalld.
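    A small diagnostic for the symptom described in the post, added here as an example (it is not code from the post or from firewalld): it reads the rules stored in direct.xml, parses the runtime output of firewall-cmd --direct --get-rules ipv4 filter IN_public_allow (the plural --get-rules is the option name in firewall-cmd(1)), reports permanent rules that are absent from the runtime set, and applies the RHEL-07-040250 token check. The XML text and the empty runtime output below are constructed samples mirroring the post.

```python
import shlex
import xml.etree.ElementTree as ET

# Constructed sample of /etc/firewalld/direct.xml as written by --permanent --add-rule.
DIRECT_XML = """<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule priority="0" table="filter" ipv="ipv4" chain="IN_public_allow">-m tcp -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT</rule>
</direct>
"""

# Constructed sample of `firewall-cmd --direct --get-rules ipv4 filter IN_public_allow`
# output after a reload: nothing at all, which is the symptom the post describes.
RUNTIME_OUTPUT = ""


def permanent_rules(xml_text):
    """Return {(ipv, table, chain): [(priority, args), ...]} parsed from direct.xml."""
    rules = {}
    for r in ET.fromstring(xml_text).iter("rule"):
        key = (r.get("ipv"), r.get("table"), r.get("chain"))
        rules.setdefault(key, []).append((int(r.get("priority")), (r.text or "").strip()))
    return rules


def runtime_rules(output):
    """Parse --get-rules output, one rule per line in the form '<priority> <args>'."""
    parsed = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        prio, _, args = line.partition(" ")
        parsed.append((int(prio), args.strip()))
    return parsed


def has_rate_limit(args):
    """RHEL-07-040250 check: the rule must carry both --limit and --limit-burst tokens."""
    tokens = shlex.split(args)
    return "--limit" in tokens and "--limit-burst" in tokens


def missing_at_runtime(xml_text, output, key=("ipv4", "filter", "IN_public_allow")):
    """Permanent rules for `key` that the running firewalld has not loaded."""
    perm = permanent_rules(xml_text).get(key, [])
    live = set(runtime_rules(output))
    return [r for r in perm if r not in live]
```

    Running missing_at_runtime on a live system's direct.xml and --get-rules output gives the exact list of rules that were saved but not applied after a reload.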
