5.15. Configuring Complex Firewall Rules with the "Rich Language" Syntax

With the rich language syntax, complex firewall rules can be created in a way that is easier to understand than the direct-interface method. In addition, the settings can be made permanent. The language uses keywords with values and is an abstract representation of iptables rules. Zones can be configured using this language; the current configuration method will still be supported.

5.15.1. Formatting of the Rich Language Commands

All the commands in this section need to be run as root. The format of the command to add a rule is as follows:
firewall-cmd [--zone=zone] --add-rich-rule='rule' [--timeout=timeval]
This will add a rich language rule rule for zone zone. This option can be specified multiple times. If the zone is omitted, the default zone is used. If a timeout is supplied, the rule or rules only stay active for the amount of time specified and will be removed automatically afterwards. The time value can be followed by s (seconds), m (minutes), or h (hours) to specify the unit of time. The default is seconds.
To remove a rule:
firewall-cmd [--zone=zone] --remove-rich-rule='rule'
This will remove a rich language rule rule for zone zone. This option can be specified multiple times. If the zone is omitted, the default zone is used.
To check if a rule is present:
firewall-cmd [--zone=zone] --query-rich-rule='rule'
This will return whether a rich language rule rule has been added for the zone zone. The command prints yes with exit status 0 if enabled. It prints no with exit status 1 otherwise. If the zone is omitted, the default zone is used.
For information about the rich language representation used in the zone configuration files, see the firewalld.zone(5) man page.

5.15.2. Understanding the Rich Rule Structure

The format or structure of the rich rule commands is as follows:
rule [family="rule family"]
    [ source [NOT] [address="address"] [mac="mac-address"] [ipset="ipset"] ]
    [ destination [NOT] address="address" ]
    [ element ]
    [ log [prefix="prefix text"] [level="log level"] [limit value="rate/duration"] ]
    [ audit ]
    [ action ]

Note

The structure of the rich rule in the file uses the NOT keyword to invert the sense of the source and destination address commands, but the command line uses the invert="true" option.
A rule is associated with a particular zone. A zone can have several rules. If some rules interact or contradict, the first rule that matches the packet applies.

5.15.3. Understanding the Rich Rule Command Options

family
If the rule family is provided, either ipv4 or ipv6, it limits the rule to IPv4 or IPv6, respectively. If the rule family is not provided, the rule is added for both IPv4 and IPv6. If source or destination addresses are used in a rule, then the rule family needs to be provided. This is also the case for port forwarding.

Source and Destination Addresses

source
By specifying the source address, the origin of a connection attempt can be limited to the source address. A source address or address range is either an IP address or a network IP address with a mask for IPv4 or IPv6. For IPv4, the mask can be a network mask or a plain number. For IPv6, the mask is a plain number. The use of host names is not supported. It is possible to invert the sense of the source address command by adding the NOT keyword; all but the supplied address matches.
A MAC address and also an IP set with type hash:mac can be added for IPv4 and IPv6 if no family is specified for the rule. Other IP sets need to match the family setting of the rule.
destination
By specifying the destination address, the target can be limited to the destination address. The destination address uses the same syntax as the source address for IP address or address ranges. The use of source and destination addresses is optional, and the use of a destination addresses is not possible with all elements. This depends on the use of destination addresses, for example, in service entries. You can combine destination and action.

Elements

The element can be only one of the following element types: service, port, protocol, masquerade, icmp-block, forward-port, and source-port.
service
The service element is one of the firewalld provided services. To get a list of the predefined services, enter the following command:
~]$ firewall-cmd --get-services
If a service provides a destination address, it will conflict with a destination address in the rule and will result in an error. The services using destination addresses internally are mostly services using multicast. The command takes the following form:
service name=service_name
port
The port element can either be a single port number or a port range, for example, 5060-5062, followed by the protocol, either as tcp or udp. The command takes the following form:
port port=number_or_range protocol=protocol
protocol
The protocol value can be either a protocol ID number or a protocol name. For allowed protocol entries, see /etc/protocols. The command takes the following form:
protocol value=protocol_name_or_ID
icmp-block
Use this command to block one or more ICMP types. The ICMP type is one of the ICMP types firewalld supports. To get a listing of supported ICMP types, enter the following command:
~]$ firewall-cmd --get-icmptypes
Specifying an action is not allowed here. icmp-block uses the action reject internally. The command takes the following form:
icmp-block name=icmptype_name
masquerade
Turns on IP masquerading in the rule. A source address can be provided to limit masquerading to this area, but not a destination address. Specifying an action is not allowed here.
forward-port
Forward packets from a local port with protocol specified as tcp or udp to either another port locally, to another machine, or to another port on another machine. The port and to-port can either be a single port number or a port range. The destination address is a simple IP address. Specifying an action is not allowed here. The forward-port command uses the action accept internally. The command takes the following form:
forward-port port=number_or_range protocol=protocol /
            to-port=number_or_range to-addr=address
source-port
Matches the source port of the packet - the port that is used on the origin of a connection attempt. To match a port on current machine, use the port element. The source-port element can either be a single port number or a port range (for example, 5060-5062) followed by the protocol as tcp or udp. The command takes the following form:
source-port port=number_or_range protocol=protocol

Logging

log
Log new connection attempts to the rule with kernel logging, for example, in syslog. You can define a prefix text that will be added to the log message as a prefix. Log level can be one of emerg, alert, crit, error, warning, notice, info, or debug. The use of log is optional. It is possible to limit logging as follows:
log [prefix=prefix text] [level=log level] limit value=rate/duration
The rate is a natural positive number [1, ..], with the duration of s, m, h, d. s means seconds, m means minutes, h means hours, and d days. The maximum limit value is 1/d, which means at maximum one log entry per day.
audit
Audit provides an alternative way for logging using audit records sent to the service auditd. The audit type can be one of ACCEPT, REJECT, or DROP, but it is not specified after the command audit as the audit type will be automatically gathered from the rule action. Audit does not have its own parameters, but limit can be added optionally. The use of audit is optional.

Action

accept|reject|drop|mark
An action can be one of accept, reject, drop, or mark. The rule can only contain an element or a source. If the rule contains an element, then new connections matching the element will be handled with the action. If the rule contains a source, then everything from the source address will be handled with the action specified.
accept | reject [type=reject type] | drop | mark set="mark[/mask]"
With accept, all new connection attempts will be granted. With reject, they will be rejected and their source will get a reject message. The reject type can be set to use another value. With drop, all packets will be dropped immediately and no information is sent to the source. With mark all packets will be marked with the given mark and the optional mask.

5.15.4. Using the Rich Rule Log Command

Logging can be done with the Netfilter log target and also with the audit target. A new chain is added to all zones with a name in the format zone_log, where zone is the zone name. This is processed before the deny chain to have the proper ordering. The rules or parts of them are placed in separate chains, according to the action of the rule, as follows:
zone_log
			zone_deny
			zone_allow
All logging rules will be placed in the zone_log chain, which will be parsed first. All reject and drop rules will be placed in the zone_deny chain, which will be parsed after the log chain. All accept rules will be placed in the zone_allow chain, which will be parsed after the deny chain. If a rule contains log and also deny or allow actions, the parts of the rule that specify these actions are placed in the matching chains.

5.15.4.1. Using the Rich Rule Log Command Example 1

Enable new IPv4 and IPv6 connections for authentication header protocol AH:
rule protocol value="ah" accept

5.15.4.2. Using the Rich Rule Log Command Example 2

Allow new IPv4 and IPv6 connections for protocol FTP and log 1 per minute using audit:
rule service name="ftp" log limit value="1/m" audit accept

5.15.4.3. Using the Rich Rule Log Command Example 3

Allow new IPv4 connections from address 192.168.0.0/24 for protocol TFTP and log 1 per minute using syslog:
rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="tftp" level="info" limit value="1/m" accept

5.15.4.4. Using the Rich Rule Log Command Example 4

New IPv6 connections from 1:2:3:4:6:: for protocol RADIUS are all rejected and logged at a rate of 3 per minute. New IPv6 connections from other sources are accepted:
rule family="ipv6" source address="1:2:3:4:6::" service name="radius" log prefix="dns" level="info" limit value="3/m" reject
rule family="ipv6" service name="radius" accept

5.15.4.5. Using the Rich Rule Log Command Example 5

Forward IPv6 packets received from 1:2:3:4:6:: on port 4011 with protocol TCP to 1::2:3:4:7 on port 4012.
rule family="ipv6" source address="1:2:3:4:6::" forward-port to-addr="1::2:3:4:7" to-port="4012" protocol="tcp" port="4011"

5.15.4.6. Using the Rich Rule Log Command Example 6

Whitelist a source address to allow all connections from this source.
rule family="ipv4" source address="192.168.2.2" accept
See the firewalld.richlanguage(5) man page for more examples.