firewalld config


On a system with one network interface, I want to allow certain services from particular addresses or ranges, without writing a bunch of rich rules. How can I add, say, freeipa-ldap but only from some addresses while allowing ssh from others and allowing https (part of freeipa-ldap) from yet others? This would be trivial with just plain old iptables, but firewalld seems to be extremely limited or poorly documented.

Responses

Firewalld's really just a layer on top of iptables. The firewall-cmd utility allows you to pass "raw" iptables rules through firewalld (see the --direct switch) if you really want/need to ... it's just a little clumsy doing so.

As far as I understand, the "bunch of rich rules" for your example case would be just:

firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" service name="freeipa-ldap" accept'
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept'
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.2.0/24" service name="https" accept'

Note that you can peek into /usr/lib/firewalld/services/ and see what the actual definitions of each service are. In this case, the freeipa-ldap service is just a list of TCP and UDP ports for firewalld, and https is just TCP port 443. So if you want to allow using just the https part of freeipa-ldap, you can do it by using the "https" service.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html (Rich rules at 4.5.3.1.12.)

https://fedoraproject.org/wiki/Features/FirewalldRichLanguage (A more concise presentation with examples)
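The rules above are runtime-only (they vanish on reload or reboot) and the service definitions have to be read by hand. The script below is an added example, not code from the thread or from the firewalld project: it builds the same per-source rich rules from a small function, applies them to both the runtime and permanent configuration (only when firewall-cmd is present and APPLY=1 is set), and extracts the port/protocol list from a service XML file so you can confirm what a service name actually opens. The service file it parses is a constructed sample named example-svc, not the real freeipa-ldap definition; point service_ports at /usr/lib/firewalld/services/https.xml (or any other shipped file) to inspect a real one.

```shell
#!/bin/sh
# Added example, not from the thread or from firewalld itself.

# Build one rich rule string: family, source CIDR, service name.
rich_rule() {
    printf 'rule family="%s" source address="%s" service name="%s" accept' "$1" "$2" "$3"
}

# Apply a rule to the running firewall AND to the permanent config,
# so it survives firewall-cmd --reload and a reboot.
apply_rule() {
    rule=$(rich_rule "$@")
    firewall-cmd --add-rich-rule="$rule" &&
    firewall-cmd --permanent --add-rich-rule="$rule"
}

# Print "port/protocol" for every <port .../> element in a firewalld
# service XML file. Attributes may appear in either order.
service_ports() {
    grep '<port ' "$1" | while IFS= read -r line; do
        proto=$(printf '%s\n' "$line" | sed -n 's/.*protocol="\([^"]*\)".*/\1/p')
        port=$(printf '%s\n' "$line" | sed -n 's/.*port="\([^"]*\)".*/\1/p')
        printf '%s/%s\n' "$port" "$proto"
    done
}

# Write a constructed sample service file (hypothetical service
# "example-svc", not a real firewalld definition) and echo its path.
sample_service_file() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>example-svc</short>
  <description>Constructed sample, not a real firewalld service.</description>
  <port protocol="tcp" port="8080"/>
  <port port="5353" protocol="udp"/>
</service>
EOF
    printf '%s\n' "$f"
}

# Source/service pairs from the thread, one per line.
RULE_SPECS='192.168.0.0/24 freeipa-ldap
192.168.1.0/24 ssh
192.168.2.0/24 https'

# Show the rules; apply them only when explicitly asked for on a host
# that has firewall-cmd.
printf '%s\n' "$RULE_SPECS" | while read -r src svc; do
    rich_rule ipv4 "$src" "$svc"
    echo
    if [ "${APPLY:-0}" = 1 ] && command -v firewall-cmd >/dev/null 2>&1; then
        apply_rule ipv4 "$src" "$svc"
    fi
done

# Inspect what the sample service actually opens.
sample=$(sample_service_file)
echo "ports for example-svc:"
service_ports "$sample"
rm -f "$sample"
```

Run it plainly to see the rule strings and the parsed ports; run it as APPLY=1 ./rules.sh on the FreeIPA host to add the rules, then check with firewall-cmd --list-rich-rules and firewall-cmd --permanent --list-rich-rules that both views agree. A source address that is not in any rule still falls through to the zone's default policy, so the per-source rules only widen access; they never restrict a service that is already globally enabled in the zone.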

Thanks, didn't know I could point rich rules at services! That does help...
