[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ale] Firewalld rich rule sanity check



When I've added an IP range I've done it like:
firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source  address="192.168.0.80/28" port port="80" protocol="tcp" accept' --permanent

Where public was the firewalld default active zone.   You can define different zones for different NCIs so you may want to check the zone(s) assigned to your NIC(s) as it is important.   A key thing to know is you don't tell firewalld which NIC is in which zone - instead, you define the zone within the NIC's config.   (At least for RedHat derived OSes such as RHEL, Fedora and CentOS)

-----Original Message-----
From: Ale <ale-bounces at ale.org> On Behalf Of Beddingfield, Allen via Ale
Sent: Tuesday, December 03, 2019 12:03 PM
To: Atlanta Linux Enthusiasts <ale at ale.org>
Subject: [ale] Firewalld rich rule sanity check

I'm wondering about syntax for firewalld rich rules.
For example, if I want to allow 192.168.0.80 through 192.168.0.95
.81-.94 would be the start and end addresses of 192.168.0.80/28

Could I do:
firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.80 port port=80 protocol=tcp accept' --permanent firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.80/28 port port=80 protocol=tcp accept' --permanent firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.95 port port=80 protocol=tcp accept' --permanent

Or, would it be an issue that I am explicitly defining a rule for what would be the network and broadcast address of a subnet I've defined in another rule?
Am I going to have to do one rich rule per-ip?

Ideally, I would like to be able to just specify a range of IP addresses, the way I used to be able to do pre-firewalld, but I can't find a way to do that (192.168.0.80:192.168.0.95).

One rule per ip wouldn't be that big of a deal for the example above, but I have a situation where a vendor has provided a huge list of ip ranges to whitelist that don't cleanly fall along subnet boundaries.  Some are close, but none are exact.

Thanks.
Allen B.
--
Allen Beddingfield
Systems Engineer
Office of Information Technology
The University of Alabama
Office 205-348-2251
allen at ua.edu
_______________________________________________
Ale mailing list
Ale at ale.org
https://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/mailman/listinfo