Can --add-rich-rule be used to add rules to the FORWARD chain? I’ve got a multi-interface firewall with an “internet” zone and a “webservers” zone. I used nmcli to add the connections to those zones and the results of a --list-all-zones shows me the zones have the correct interfaces. The OS also knows how to get to the web servers from the interface in the internet zone as I can make a port 80 connection from a system in the internet segment when firewalld is off. So, I turned firewalld on and added a rich rule with this command:
sudo firewall-cmd --zone=internet --add-rich-rule='rule family=ipv4 service name=http destination address=10.1.4.2 accept'
The rule takes, but I cannot make a connection from a machine on the “internet” segment to the 10.1.4.2 server, even though I could when firewalld was off. So I took a look at an iptables -S and I see my rich rule was added, but to the IN_internet_ALLOW chain:
-A IN_internet_allow -d 10.1.4.2/32 -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
So, it seemed obvious to me that since the destination was on a network off a different interface within the firewall system it should have been put in the FWDI_internet_allow chain, but it wasn’t. Did I do something wrong or does firewalld not add rich rules to FORWARD chains, when appropriate? I can do this with a direct rule if I need to, but they’re ugly and I’d rather use the “prettiest” command available, when I can.
Also, when writing the rule I tried to use destination ipset="myipset" (which I've previously declared and put 2 addresses in) but got back a syntax error. Looking through the man pages it appears that ipset can only be used for sources in rich rules. Am I reading that right and, if so, does anyone have any insight into why the restriction? I can use multiple rules with IPs and / or arrange my addressing so I can use CIDR notation, but ipsets would make the FW ruleset read SO much clearer I thought I'd ask here to see if there was a trick I was missing.
Thanks,
Scott
On Sun, Aug 30, 2020 at 12:08:12AM -0000, Scott A. Wozny wrote:
> Can --add-rich-rule be used to add rules to the FORWARD chain?

Not in current releases. I just merged support [1] for this the other day. As such, it will be in the v0.9.0 release which I will probably drop within a week. I want to write a blog about it first.

If you have the time I'd really appreciate some testing on this new feature.

[1]: https://github.com/firewalld/firewalld/pull/639

> I've got a multi-interface firewall with an "internet" zone and a "webservers" zone. I used nmcli to add the connections to those zones and the results of a --list-all-zones shows me the zones have the correct interfaces. The OS also knows how to get to the web servers from the interface in the internet zone as I can make a port 80 connection from a system in the internet segment when firewalld is off. So, I turned firewalld on and added a rich rule with this command:
>
> sudo firewall-cmd --zone=internet --add-rich-rule='rule family=ipv4 service name=http destination address=10.1.4.2 accept'
>
> The rule takes, but I cannot make a connection from a machine on the "internet" segment to the 10.1.4.2 server, even though I could when firewalld was off. So I took a look at an iptables -S and I see my rich rule was added, but to the IN_internet_ALLOW chain:
>
> -A IN_internet_allow -d 10.1.4.2/32 -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
>
> So, it seemed obvious to me that since the destination was on a network off a different interface within the firewall system it should have been put in the FWDI_internet_allow chain, but it wasn't. Did I do something wrong or does firewalld not add rich rules to FORWARD chains, when appropriate? I can do this with a direct rule if I need to, but they're ugly and I'd rather use the "prettiest" command available, when I can.
>
> Also, when writing the rule I tried to use destination ipset="myipset" (which I've previously declared and put 2 addresses in) but got back a syntax error. Looking through the man pages it appears that ipset can only be used for sources in rich rules.

You are correct. source only.

> Am I reading that right and, if so, does anyone have any insight into why the restriction?

I don't think there is any real restriction. Probably only because no one has added support. But with policy objects (linked above) I'm not sure it's useful since the policy can define the "destination".

> I can use multiple rules with IPs and / or arrange my addressing so I can use CIDR notation, but ipsets would make the FW ruleset read SO much clearer I thought I'd ask here to see if there was a trick I was missing.

rich rules support CIDR notation.
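The diagnosis in this thread came from reading `iptables -S` by hand and noticing the ACCEPT sat in `IN_internet_allow` (the INPUT path) rather than `FWDI_internet_allow` (the FORWARD path). The script below, added here as an example and not part of the thread or of firewalld, automates that check: it scans firewalld-generated rules for an ACCEPT matching a destination address and TCP port and reports which path(s) it lives in. The `SAMPLE_RULES` text is constructed for the example; on a real system you would feed it `iptables -S` output.

```shell
#!/bin/sh
# Report whether an ACCEPT for DEST:PORT exists in firewalld's INPUT-path chains
# (IN_<zone>_allow) or FORWARD-path chains (FWDI_/FWDO_<zone>_allow).
# Usage on a live box: accept_path "$(iptables -S)" 10.1.4.2 80

# Constructed sample of iptables -S output: the rule from the thread, one
# forward-path rule, and one INPUT-path DROP that must not be counted.
SAMPLE_RULES='-A IN_internet_allow -d 10.1.4.2/32 -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A FWDI_internet_allow -d 10.1.4.3/32 -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_internet_deny -d 10.1.4.2/32 -p tcp -m tcp --dport 22 -j DROP'

# chain_path CHAIN -> "input", "forward" or "other", from firewalld's chain prefixes
chain_path() {
  case "$1" in
    IN_*)                 echo input ;;
    FWDI_*|FWDO_*|FWD_*)  echo forward ;;
    *)                    echo other ;;
  esac
}

# accept_path RULES DEST PORT -> comma-separated paths holding an ACCEPT for
# DEST (host address, matched as /32) and TCP PORT, or "none"
accept_path() {
  result=$(printf '%s\n' "$1" | awk -v want_d="$2/32" -v want_p="$3" '
    $1 == "-A" && $NF == "ACCEPT" {
      d = ""; p = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-d")      d = $(i + 1)
        if ($i == "--dport") p = $(i + 1)
      }
      if (d == want_d && p == want_p) print $2   # $2 is the chain name
    }' | while read -r chain; do chain_path "$chain"; done | sort -u | tr '\n' ',')
  result=${result%,}
  if [ -n "$result" ]; then echo "$result"; else echo none; fi
}

# forward_check RULES DEST PORT -> "ok" if the FORWARD path accepts the flow,
# otherwise a one-line explanation of why routed traffic will still be blocked
forward_check() {
  case "$(accept_path "$1" "$2" "$3")" in
    *forward*) echo ok ;;
    input)     echo "ACCEPT for $2:$3 is only in the INPUT path; forwarded traffic will not match it" ;;
    *)         echo "no ACCEPT for $2:$3 in any zone chain" ;;
  esac
}
```

Running `forward_check "$SAMPLE_RULES" 10.1.4.2 80` reproduces the thread's situation: the rule exists, but only on the INPUT side.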
Thanks for the reply, Eric. Presently I'm using the 0.6.3-8 version packaged with CentOS 7 and while the new features look exciting, I'm staring down a deadline right now and don't have the cycles to build from source and test.
At present, it seems firewalld is primarily focused on being a host firewall to protect services on the host it's running on and while configuration as a pass-through firewall is possible, configuration seems to mostly be relegated to interaction with iptables to access these features.
I can see why that's so based upon the use cases being mostly driven by being installed on a Linux server and the preponderance of standalone (and often GUI configured) network firewalls in the market, but I'm excited to see further developments of the network / passthrough firewall feature set for virtualized environments.
Thanks,
Scott
From: Eric Garver egarver@redhat.com
Sent: August 31, 2020 8:49 AM
To: Scott A. Wozny sawozny@hotmail.com
Cc: firewalld-users@lists.fedorahosted.org
Subject: Re: Adding rich rules for forwarded traffic