firewalld

Differences

This shows you the differences between two versions of the page.

firewalld [2019/10/21 13:02] – [Add/remove rich rules] adminfirewalld [2020/05/17 08:47] (current) – [IPSET] dani
Line 320: Line 320:
 **IMPORTANT:** In this example the rule is not defined permanently! **IMPORTANT:** In this example the rule is not defined permanently!
  
-=== Headline === 
  
 +===== Direct rules =====
 +In some cases, a role is not possible to implement using standard firewalld command (including rich rules). In such a case, you can add direct rules (syntax of the corresponding firewall: ''iptables'' or ''nftables'' syntax).
 +
 +<WRAP center round tip 60%>
 +Check, if the rule in that sequence where you expect it (the sequence of rules is very important! You can use ''iptables -S'' or ''nft list ruleset'' to check this out)
 +</WRAP>
 +
 +<WRAP center round important 60%>
 +You should not use direct rules, if you can do the same using other firewalld rules!
 +</WRAP>
 +
 +
 +
 +==== List all active direct rules ====
 +
 +<code bash>
 +firewall-cmd --direct --get-all-rules
 +</code>
 +
 +==== Add a direct rule ====
 +The syntax how-to add a direct rule is quite similar to the backend firewall (iptables, ebtables or nftables). Here an example:
 +
 +<code bash>
 +firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 -i ens192 -j DROP
 +firewall-cmd --direct --add-rule ipv4 filter FORWARD 1 -i ens192 -j DROP 
 +</code>
 +
 +Description (based on ''iptables'' backend):
 +
 +<code bash>
 +firewall-cmd --direct --add-rule <protocol> <table (filter, mangle, nat, ...)> <chain> <priority> <arguments> -j <action (DROP, ACCEPT, ...)> 
 +</code>
 +==== Remove a direct rule ====
 +To remove a rich rule, the syntax is the same, except '' --remove-rule'':
 +
 +<code bash>
 +firewall-cmd --permanent --direct --remove-rule ipv4 filter FORWARD 1 -i ens192 -j DROP
 +firewall-cmd --direct --remove-rule ipv4 filter FORWARD 1 -i ens192 -j DROP 
 +</code>
  
 =====Forwarding ports===== =====Forwarding ports=====
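Review bot: three wording errors in the added "Direct rules" section change its meaning and should be fixed before merging. In the opening sentence, "a role is not possible to implement" should read "a rule"; under "==== Remove a direct rule ====" the text says "To remove a rich rule", but the heading and both commands concern direct rules, so it should read "To remove a direct rule"; and the tip "Check, if the rule in that sequence where you expect it" is missing its verb, e.g. "Check that the rule sits in the sequence where you expect it (rule order matters; use ''iptables -S'' or ''nft list ruleset'' to verify)". The add/remove examples also run the same command twice, once with ''--permanent'' and once without, which is what makes the rule both persistent and immediately active (the earlier **IMPORTANT** note about a rule that is "not defined permanently" is exactly this point), but the new text never says why the line is repeated; one sentence explaining that would stop readers copying only one of the two. Minor: the three consecutive blank lines before "==== List all active direct rules ====" and the trailing spaces after ''-j DROP'' can be dropped.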
Line 339: Line 377:
  
 =====IPSET===== =====IPSET=====
 +**Very important:** This procedure does not work with ''firewalld'' and ''nftables'' backend!
 +
 To setup a blacklist using ipset, you have to follow this example: To setup a blacklist using ipset, you have to follow this example:
  
   - If you want to add first an old (active) ''ipset'' rule, do following:<code bash>   - If you want to add first an old (active) ''ipset'' rule, do following:<code bash>
-ipset save blockednets > blockednets.ipset +ipset save blockednets > ipsetsavelist.ipset 
-sed -e 's/^add blockednets //' blockednets.ipset | grep -Ev '^create'blockednets+sed -e 's/^add blockednets //' ipsetsavelist.ipset | grep -Ev '^create'list
 </code> </code>
   - Create the 'hash:net' ipset hash:<code bash>   - Create the 'hash:net' ipset hash:<code bash>
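Review bot: the second command of the first step has no output redirection, so the save step does not do what the text says. As written, `grep -Ev '^create'list` passes the concatenated string ''^createlist'' to grep as its pattern (the shell joins the quoted and unquoted parts) and writes nothing to a file; it should be `sed -e 's/^add blockednets //' ipsetsavelist.ipset | grep -Ev '^create' > list` (the same defect exists in the removed line, where ''blockednets'' was glued to the pattern). The new **Very important** warning says the procedure does not work with the nftables backend but does not say which backend it requires; stating that it needs the iptables backend, and how to check that (the ''FirewallBackend'' setting in ''firewalld.conf''), would avoid confusion, especially since the section above this one tells readers to inspect rules with ''nft list ruleset''.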
Line 353: Line 393:
   - Optionally add additional networks:<code bash>   - Optionally add additional networks:<code bash>
 firewall-cmd --permanent --ipset=blockednets --add-entry=119.6.204.0/24 firewall-cmd --permanent --ipset=blockednets --add-entry=119.6.204.0/24
-</code> 
-  - Optionally check the ipset list:<code bash> 
-firewall-cmd --ipset=blockednets --get-entries 
 </code> </code>
   - Shows the permanent entries in a ipset:<code bash>   - Shows the permanent entries in a ipset:<code bash>
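Review bot: this hunk removes the runtime check `firewall-cmd --ipset=blockednets --get-entries` and keeps only the step that shows the permanent entries. The step just before it adds networks with ''--permanent'' only, so after this change the reader has no step left that confirms what the running firewall actually contains, and a permanent-only change is not active until firewalld is reloaded. Either keep the runtime ''--get-entries'' check alongside the permanent listing, or add a step that reloads firewalld and then verifies the runtime set.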
  • firewalld.1571655738.txt.gz
  • Last modified: 2019/10/21 13:02
  • by admin