CentOS 8.x firewalld rich rules

From Notes_Wiki
Revision as of 03:34, 19 April 2022 by Saurabh (talk | contribs)

Home > CentOS > CentOS 8.x > System Administration > firewalld > Rich rules

Rich rule processing order

Once multiple rules are in place they will be processed in a certain order. Port forwarding and masquerading rules will be applied first, followed by any logging rules, then any allow rules, and finally any deny rules. A packet will use the first rule it applies to in this order, if it does not match a rule it will hit the default deny.


Basics of rich rules

  • Allow httpd connection. The rule will be add to default zone
    firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept'
    firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept' --permanent


  • Reject httpd connection.
    firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" reject'


  • Add rich rule to specific zone
    firewall-cmd --zone=home --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept'


  • To list the rich rules
    firewall-cmd --permanent --zone=home --list-rich-rule


  • Remove rich rule
    firewall-cmd --zone=home --remove-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept --permanent


  • Rich rules can also be used to rate limit traffic, here we limit incoming SSH connections to 10 per minute.
    firewall-cmd --permanent --add-rich-rule='rule service name=ssh limit value=10/m accept'



Some examples for Rich Rule

  • Allowing traffic from the range 10.0.0.0/24 into only 192.168.0.10/32 through TCP ports 8080 through to 8090.
    firewall-cmd --permanent --zone=testing --add-rich-rule='rule family=ipv4 source address=10.0.0.0/24 destination address=192.168.0.10/32 port port=8080-8090 protocol=tcp accept' success


  • In this instance we can specify a specific source address within the test zone rather than the whole zone.
    firewall-cmd --permanent --zone=testing --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 forward-port port=22 protocol=tcp to-port=2222 to-addr=10.0.0.10'


Masquerading with Rich rules

  • To check if IP masquerading is enabled
    firewall-cmd --zone=public --query-masquerade


  • To enable IP masquerading
    firewall-cmd --zone=public --add-masquerade


  • In this example any packet sent to addresses defined in the zone ‘testing’ will be masqueraded
    firewall-cmd --permanent --zone=home --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 masquerade'


Some test cases

  • Allow Telnet connection only from 192.168.1.50/32. Limit this connection one per minute. Drop Telnet connection from remaining hosts
    firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.1.50/32 service name=telnet limit value=1/m accept'


  • Allow SSH connection from network 192.168.1.0/24. Log each access with "SSH Access" prefix"
    firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 service name=ssh log prefix="SSH Access" level= "notice" accept'


  • Allow FTP connection only from 192.168.1.2/24. Reject FTP connections from remaining systems
    firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.1.2/32 port port=21 protocol=tcp accept'


  • Reject ping requests from all hosts with error message.
    firewall-cmd --add-rich-rule='rule protocol value=icmp reject'


Rich rules timeout option

  • For testing and debugging purpose we can use --timeout option which will remove the rule automatically after the specified time. For examples Following rule will be automatically removed after 60 seconds
    firewall-cmd --add-rich-rule=’rule protocol value=”icmp” reject’ --timeout=60


Rich Rule Log Command

  • Log httpd acess
    firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.50/32" service name="http" log prefix="httpd_" level="debug" accept'
    You can check logs in "/var/log/messages"


Refer:


Steps contributed by Pavan Ponamala



Home > CentOS > CentOS 8.x > System Administration > firewalld > Rich rules