Differences

This shows you the differences between two versions of the page.

--- firewalld [2019/02/15 17:09] – [General] admin
+++ firewalld [2020/05/17 08:47] (current) – [IPSET] dani
@@ Line 5: / Line 5: @@
 **IMPORTANT:** The agent ''firewalld.service'' must be startet before you can use ''firewall-cmd'' command!
-**NOTE:** To the most arguments, you can add ''--permanent'' option, to list the permanent settings (not dynamic ones!). You can eather use the ''--permanent'' option and then the ``firewall-cmd --reload'' command, or, do the command first with ''--permanent'' option and then do the same command without ''--permanent''.
+**NOTE:** To the most arguments, you can add ''--permanent'' option, to list the permanent settings (not dynamic ones!). You can eather use the ''--permanent'' option and then the ''firewall-cmd --reload'' command, or, do the command first with ''--permanent'' option and then do the same command without ''--permanent'' option.
   * List all options for ''firewall-cmd''<code bash>
@@ Line 319: / Line 319: @@
 **IMPORTANT:** In this example the rule is not defined permanently!
+===== Direct rules =====
+In some cases, a role is not possible to implement using standard firewalld command (including rich rules). In such a case, you can add direct rules (syntax of the corresponding firewall: ''iptables'' or ''nftables'' syntax).
+<WRAP center round tip 60%>
+Check, if the rule in that sequence where you expect it (the sequence of rules is very important! You can use ''iptables -S'' or ''nft list ruleset'' to check this out)
+</WRAP>
+<WRAP center round important 60%>
+You should not use direct rules, if you can do the same using other firewalld rules!
+</WRAP>
+==== List all active direct rules ====
+<code bash>
+firewall-cmd --direct --get-all-rules
+</code>
+==== Add a direct rule ====
+The syntax how-to add a direct rule is quite similar to the backend firewall (iptables, ebtables or nftables). Here an example:
+<code bash>
+firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 -i ens192 -j DROP
+firewall-cmd --direct --add-rule ipv4 filter FORWARD 1 -i ens192 -j DROP
+</code>
+Description (based on ''iptables'' backend):
+<code bash>
+firewall-cmd --direct --add-rule <protocol> <table (filter, mangle, nat, ...)> <chain> <priority> <arguments> -j <action (DROP, ACCEPT, ...)>
+</code>
+==== Remove a direct rule ====
+To remove a rich rule, the syntax is the same, except '' --remove-rule'':
+<code bash>
+firewall-cmd --permanent --direct --remove-rule ipv4 filter FORWARD 1 -i ens192 -j DROP
+firewall-cmd --direct --remove-rule ipv4 filter FORWARD 1 -i ens192 -j DROP
+</code>
 =====Forwarding ports=====
@@ Line 336: / Line 377: @@
 =====IPSET=====
+**Very important:** This procedure does not work with ''firewalld'' and ''nftables'' backend!
 To setup a blacklist using ipset, you have to follow this example:
   - If you want to add first an old (active) ''ipset'' rule, do following:<code bash>
-ipset save blockednets > blockednets.ipset
+ipset save blockednets > ipsetsavelist.ipset
-sed -e 's/^add blockednets //' blockednets.ipset | grep -Ev '^create' > blockednets
+sed -e 's/^add blockednets //' ipsetsavelist.ipset | grep -Ev '^create' > list
 </code>
   - Create the 'hash:net' ipset hash:<code bash>
@@ Line 350: / Line 393: @@
   - Optionally add additional networks:<code bash>
 firewall-cmd --permanent --ipset=blockednets --add-entry=119.6.204.0/24
-</code>
-  - Optionally check the ipset list:<code bash>
-firewall-cmd --ipset=blockednets --get-entries
 </code>
   - Shows the permanent entries in a ipset:<code bash>