Can --add-rich-rule be used to add rules to the FORWARD chain? I’ve got a multi-interface firewall with an “internet” zone and a “webservers” zone. I used nmcli to add the connections to those zones and the results of a --list-all-zones shows me the zones have the correct interfaces. The OS also knows how to get to the web servers from the interface in the internet zone as I can make a port 80 connection from a system in the internet segment when firewalld is off. So, I turned firewalld on and added a rich rule with this command:
sudo firewall-cmd --zone=internet --add-rich-rule='rule family=ipv4 service name=http destination address=10.1.4.2 accept'
The rule takes, but I cannot make a connection from a machine on the “internet” segment to the 10.1.4.2 server, even though I could when firewalld was off. So I took a look at an iptables -S and I see my rich rule was added, but to the IN_internet_ALLOW chain:
-A IN_internet_allow -d 10.1.4.2/32 -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
So, it seemed obvious to me that since the destination was on a network off a different interface within the firewall system it should have been put in the FWDI_internet_allow chain, but it wasn’t. Did I do something wrong or does firewalld not add rich rules to FORWARD chains, when appropriate? I can do this with a direct rule if I need to, but they’re ugly and I’d rather use the “prettiest” command available, when I can.
Also, when writing the rule I tried to use destination ipset="myipset" (which I've previously declared and put 2 addresses in) but got back a syntax error. Looking through the man pages it appears that ipset can only be used for sources in rich rules. Am I reading that right and, if so, does anyone have any insight into why the restriction? I can use multiple rules with IPs and / or arrange my addressing so I can use CIDR notation, but ipsets would make the FW ruleset read SO much clearer I thought I'd ask here to see if there was a trick I was missing.
Thanks,
Scott
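A quick way to check, after adding a rich rule, which firewalld chain it actually landed in (INPUT-side IN_* or FORWARD-side FWDI_*), as an added example that is not part of the post above; the ruleset text is constructed from the chain names the post quotes, and the rule_chain and chain_side function names are my own.

```shell
#!/bin/sh
# Added example: parse `iptables -S` output and report the chain holding the
# ACCEPT rule for a destination host and TCP port. Sample ruleset constructed
# for illustration; on a live host use: rule_chain "$(iptables -S)" 10.1.4.2 80
SAMPLE_RULES='-P FORWARD ACCEPT
-N IN_internet_allow
-N FWDI_internet_allow
-A IN_internet_allow -d 10.1.4.2/32 -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A FWDI_internet_allow -d 10.1.4.9/32 -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT'

# rule_chain RULES DEST PORT -> chain of the first "-A" line whose -d is DEST/32,
# whose --dport is PORT and whose target is ACCEPT; prints "none" if absent.
rule_chain() {
    printf '%s\n' "$1" | awk -v dest="$2/32" -v port="$3" '
        $1 == "-A" {
            chain = $2; d = ""; p = ""; tgt = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-d")      d   = $(i + 1)
                if ($i == "--dport") p   = $(i + 1)
                if ($i == "-j")      tgt = $(i + 1)
            }
            if (d == dest && p == port && tgt == "ACCEPT") {
                found = 1; print chain; exit
            }
        }
        END { if (!found) print "none" }'
}

# chain_side CHAIN -> "input", "forward" or "other", from firewalld's prefixes
# (IN_* hangs off INPUT; FWDI_*/FWDO_* hang off FORWARD).
chain_side() {
    case "$1" in
        IN_*)          echo input ;;
        FWDI_*|FWDO_*) echo forward ;;
        *)             echo other ;;
    esac
}

chain=$(rule_chain "$SAMPLE_RULES" 10.1.4.2 80)
echo "rule for 10.1.4.2:80 is in $chain ($(chain_side "$chain") side)"
```

If the rule for a host on another interface reports "input side", traffic crossing the firewall will not match it, which is the symptom described above.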