On Sun, Aug 30, 2020 at 12:08:12AM -0000, Scott A. Wozny wrote:
> Can --add-rich-rule be used to add rules to the FORWARD chain?
Not in current releases. I just merged support [1] for this the other day. As such, it will be in the v0.9.0 release which I will probably drop within a week. I want to write a blog about it first.
If you have the time I'd really appreciate some testing on this new feature.
[1]: https://github.com/firewalld/firewalld/pull/639
> I’ve got a multi-interface firewall with an “internet” zone and a “webservers” zone. I used nmcli to add the connections to those zones and the results of a --list-all-zones shows me the zones have the correct interfaces. The OS also knows how to get to the web servers from the interface in the internet zone as I can make a port 80 connection from a system in the internet segment when firewalld is off. So, I turned firewalld on and added a rich rule with this command:
>
> sudo firewall-cmd --zone=internet --add-rich-rule='rule family=ipv4 service name=http destination address=10.1.4.2 accept'
>
> The rule takes, but I cannot make a connection from a machine on the “internet” segment to the 10.1.4.2 server, even though I could when firewalld was off. So I took a look at an iptables -S and I see my rich rule was added, but to the IN_internet_ALLOW chain:
>
> -A IN_internet_allow -d 10.1.4.2/32 -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
>
> So, it seemed obvious to me that since the destination was on a network off a different interface within the firewall system it should have been put in the FWDI_internet_allow chain, but it wasn’t. Did I do something wrong or does firewalld not add rich rules to FORWARD chains, when appropriate? I can do this with a direct rule if I need to, but they’re ugly and I’d rather use the “prettiest” command available, when I can.
>
> Also, when writing the rule I tried to use destination ipset="myipset" (which I've previously declared and put 2 addresses in) but got back a syntax error. Looking through the man pages it appears that ipset can only be used for sources in rich rules.
You are correct. Source only.
> Am I reading that right and, if so, does anyone have any insight into why the restriction?
I don't think there is any real restriction. Probably only because no one has added support. But with policy objects (linked above) I'm not sure it's useful since the policy can define the "destination".
> I can use multiple rules with IPs and / or arrange my addressing so I can use CIDR notation, but ipsets would make the FW ruleset read SO much clearer I thought I’d ask here to see if there was a trick I was missing.
Rich rules support CIDR notation.
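The behaviour described in this thread (a rich rule with a destination landing in the zone's IN_<zone>_allow chain, where it only matches traffic addressed to the firewall host itself, rather than in a FWDI_<zone>_allow forward chain) can be spotted from an `iptables -S` dump before anyone notices broken connectivity. The script below is an added example, not code from the thread or from the firewalld project: it parses a constructed `iptables -S` excerpt modelled on the chain names seen above and flags every rule that carries a `-d` destination but sits in an input chain, so an administrator can review whether that destination was really meant to be the firewall itself. The chain-name prefixes (IN_, FWDI_, FWDO_) and the sample rules are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or firewalld): audit an `iptables -S` dump
# for rules that name a destination yet live in a firewalld input chain.
# SAMPLE_RULES is constructed; the first line mirrors the rule quoted in the thread.
SAMPLE_RULES='-A IN_internet_allow -d 10.1.4.2/32 -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_internet_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A FWDI_internet_allow -d 10.1.4.0/24 -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT'

# classify_chain CHAIN -> prints "input", "forward" or "other" based on the
# firewalld chain-name prefix (assumed convention: IN_ for INPUT, FWDI_/FWDO_ for FORWARD).
classify_chain() {
    case "$1" in
        IN_*)          echo input ;;
        FWDI_*|FWDO_*) echo forward ;;
        *)             echo other ;;
    esac
}

# rule_field RULE FLAG -> prints the token following FLAG in RULE, or nothing if absent.
rule_field() {
    printf '%s\n' "$1" | awk -v flag="$2" '{
        for (i = 1; i < NF; i++) if ($i == flag) { print $(i + 1); exit }
    }'
}

# audit_rules RULES -> one report line per rule that has a -d destination but is
# attached to an input chain; such a rule can never match forwarded traffic.
audit_rules() {
    printf '%s\n' "$1" | while IFS= read -r rule; do
        chain=$(printf '%s\n' "$rule" | awk '{ print $2 }')
        dst=$(rule_field "$rule" -d)
        [ -n "$dst" ] || continue
        if [ "$(classify_chain "$chain")" = input ]; then
            printf 'INPUT-only: chain=%s dst=%s dport=%s\n' \
                "$chain" "$dst" "$(rule_field "$rule" --dport)"
        fi
    done
}

# count_misplaced RULES -> number of rules flagged by audit_rules.
count_misplaced() {
    audit_rules "$1" | wc -l | tr -d ' '
}

# Stand-alone run on the constructed sample; on a live host you would feed
# `iptables -S` output instead:  audit_rules "$(iptables -S)"
audit_rules "$SAMPLE_RULES"
```

Only the first sample rule is reported: it names 10.1.4.2 as destination but hangs off IN_internet_allow, which is exactly the placement that broke forwarding in the thread. The SSH rule has no destination and the HTTPS rule already sits in a forward chain, so neither is flagged.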