firewalld

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
firewalld [2019/10/22 08:28] – [Direct rules] adminfirewalld [2020/05/17 08:47] (current) – [IPSET] dani
Line 323: Line 323:
 ===== Direct rules ===== ===== Direct rules =====
 In some cases, a role is not possible to implement using standard firewalld command (including rich rules). In such a case, you can add direct rules (syntax of the corresponding firewall: ''iptables'' or ''nftables'' syntax). In some cases, a role is not possible to implement using standard firewalld command (including rich rules). In such a case, you can add direct rules (syntax of the corresponding firewall: ''iptables'' or ''nftables'' syntax).
 +
 +<WRAP center round tip 60%>
 +Check, if the rule in that sequence where you expect it (the sequence of rules is very important! You can use ''iptables -S'' or ''nft list ruleset'' to check this out)
 +</WRAP>
 +
 +<WRAP center round important 60%>
 +You should not use direct rules, if you can do the same using other firewalld rules!
 +</WRAP>
 +
 +
  
 ==== List all active direct rules ==== ==== List all active direct rules ====
Line 331: Line 341:
  
 ==== Add a direct rule ==== ==== Add a direct rule ====
-The syntax how-to add a direct rule is quite similar to the liable firewall (iptables, ebtables or nftables). Here an example:+The syntax how-to add a direct rule is quite similar to the backend firewall (iptables, ebtables or nftables). Here an example:
  
 <code bash> <code bash>
Line 338: Line 348:
 </code> </code>
  
 +Description (based on ''iptables'' backend):
 +
 +<code bash>
 +firewall-cmd --direct --add-rule <protocol> <table (filter, mangle, nat, ...)> <chain> <priority> <arguments> -j <action (DROP, ACCEPT, ...)> 
 +</code>
 ==== Remove a direct rule ==== ==== Remove a direct rule ====
-To remove a rich rule, the syntax is the same, except ''--remove-rule'':+To remove a rich rule, the syntax is the same, except '' --remove-rule'':
  
 <code bash> <code bash>
Line 362: Line 377:
  
 =====IPSET===== =====IPSET=====
 +**Very important:** This procedure does not work with ''firewalld'' and ''nftables'' backend!
 +
 To setup a blacklist using ipset, you have to follow this example: To setup a blacklist using ipset, you have to follow this example:
  
   - If you want to add first an old (active) ''ipset'' rule, do following:<code bash>   - If you want to add first an old (active) ''ipset'' rule, do following:<code bash>
-ipset save blockednets > blockednets.ipset +ipset save blockednets > ipsetsavelist.ipset 
-sed -e 's/^add blockednets //' blockednets.ipset | grep -Ev '^create'blockednets+sed -e 's/^add blockednets //' ipsetsavelist.ipset | grep -Ev '^create'list
 </code> </code>
   - Create the 'hash:net' ipset hash:<code bash>   - Create the 'hash:net' ipset hash:<code bash>
Line 376: Line 393:
   - Optionally add additional networks:<code bash>   - Optionally add additional networks:<code bash>
 firewall-cmd --permanent --ipset=blockednets --add-entry=119.6.204.0/24 firewall-cmd --permanent --ipset=blockednets --add-entry=119.6.204.0/24
-</code> 
-  - Optionally check the ipset list:<code bash> 
-firewall-cmd --ipset=blockednets --get-entries 
 </code> </code>
   - Shows the permanent entries in a ipset:<code bash>   - Shows the permanent entries in a ipset:<code bash>
  • firewalld.1571725698.txt.gz
  • Last modified: 2019/10/22 08:28
  • by admin