firewalld config
On a system with one network interface, I want to allow certain services from particular addresses or ranges, without writing a bunch of rich rules. How can I add, say, freeipa-ldap but only from some addresses while allowing ssh from others and allowing https (part of freeipa-ldap) from yet others? This would be trivial with just plain old iptables, but firewalld seems to be extremely limited or poorly documented.
Responses
As far as I understand, the "bunch of rich rules" for your example case would be just:
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" service name="freeipa-ldap" accept'
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept'
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.2.0/24" service name="https" accept'
Note that you can peek into /usr/lib/firewalld/services/ and see what the actual definitions of each service are. In this case, freeipa-ldap service is just a list of TCP and UDP ports for firewalld, and https is just TCP port 443. So if you want to allow using just the https part of freeipa-ldap, you can do it by using the "https" service.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html (Rich rules at 4.5.3.1.12.)
https://fedoraproject.org/wiki/Features/FirewalldRichLanguage (A more concise presentation with examples)
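As an added example (not from this thread or from the firewalld project): a POSIX shell script that turns a source-to-service allow list into the rich rules above, checks each IPv4 source before use, and prints the firewall-cmd commands for review rather than applying them. The allow list, the helper names and the `cidr=service` format are the example's own.

```shell
#!/bin/sh
# Build firewalld rich rules from an allow list of "source=service" pairs.
# Nothing here touches the firewall; the printed commands are meant to be
# reviewed and then run by the administrator (add --reload afterwards).

# Emit one rich rule: accept <service> only from <source>.
# $1 = family (ipv4/ipv6), $2 = source address or CIDR, $3 = service name
rich_rule() {
    printf 'rule family="%s" source address="%s" service name="%s" accept' "$1" "$2" "$3"
}

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4_cidr() {
    spec=$1
    case "$spec" in
        */*) addr=${spec%%/*}; prefix=${spec#*/} ;;
        *)   addr=$spec; prefix=32 ;;
    esac
    case "$addr"   in *[!0-9.]*|'') return 1 ;; esac
    case "$prefix" in *[!0-9]*|'')  return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr            # split the address into its octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print a permanent firewall-cmd invocation per pair, skipping bad sources.
plan_rules() {
    for pair in "$@"; do
        src=${pair%%=*}
        svc=${pair#*=}
        if ! valid_ipv4_cidr "$src"; then
            printf 'skipping invalid source %s\n' "$src" >&2
            continue
        fi
        printf "firewall-cmd --permanent --add-rich-rule='%s'\n" \
            "$(rich_rule ipv4 "$src" "$svc")"
    done
}

# Constructed allow list mirroring the answer's example.
ALLOW_LIST="192.168.0.0/24=freeipa-ldap 192.168.1.0/24=ssh 192.168.2.0/24=https"
plan_rules $ALLOW_LIST
```

The source restriction only bites if the same service is not also enabled for the whole zone; compare the output of `firewall-cmd --list-services` and drop any zone-wide entry with `firewall-cmd --remove-service=<name>` before relying on the rich rules.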
