Hi,
sometimes it is useful to allow connections from a specific combination of source_address:source_port. For example, if you want to allow the icecream[1] autodiscovery service in your local network you would likely want to allow connections coming from:
192.168.1.0/24:8765 udp
I think this is a very common use case in local networks where you have services running on well-known ports that use random ports on your local machine to set up connections.
Is there any way to do that in firewalld?
BR
On 11.09.2013 12:18, Sergio Villar Senin wrote:
> Hi,
> sometimes it is useful to allow connections from a specific combination of source_address:source_port. For example, if you want to allow the icecream[1] autodiscovery service in your local network you would likely want to allow connections coming from:
> 192.168.1.0/24:8765 udp
> I think this is a very common use case in local networks where you have services running on well-known ports that use random ports on your local machine to set up connections.
> Is there any way to do that in firewalld?

It would be awkward if it can't. :)

man 5 firewalld.richlanguage

poma
On 11/09/13 13:37, poma wrote:
> On 11.09.2013 12:18, Sergio Villar Senin wrote:
>> Hi,
>> sometimes it is useful to allow connections from a specific combination of source_address:source_port. For example, if you want to allow the icecream[1] autodiscovery service in your local network you would likely want to allow connections coming from:
>> 192.168.1.0/24:8765 udp
>> I think this is a very common use case in local networks where you have services running on well-known ports that use random ports on your local machine to set up connections.
>> Is there any way to do that in firewalld?
>
> It would be awkward if it can't. :)
>
> man 5 firewalld.richlanguage

I've read the richlanguage syntax and still I cannot find the way to specify the source port, because the <port> element is translated to the destination port in the iptables rule and the <source> element only allows specifying the address, not the port.
BR
On 11.09.2013 17:55, Sergio Villar Senin wrote:
> On 11/09/13 13:37, poma wrote:
>> On 11.09.2013 12:18, Sergio Villar Senin wrote:
>>> Hi,
>>> sometimes it is useful to allow connections from a specific combination of source_address:source_port. For example, if you want to allow the icecream[1] autodiscovery service in your local network you would likely want to allow connections coming from:
>>> 192.168.1.0/24:8765 udp
>>> I think this is a very common use case in local networks where you have services running on well-known ports that use random ports on your local machine to set up connections.
>>> Is there any way to do that in firewalld?
>>
>> It would be awkward if it can't. :)
>>
>> man 5 firewalld.richlanguage
>
> I've read the richlanguage syntax and still I cannot find the way to specify the source port, because the <port> element is translated to the destination port in the iptables rule and the <source> element only allows specifying the address, not the port.

firewall-cmd --permanent --add-rich-rule='rule port port="8765" protocol="udp" family="ipv4" source address="192.168.1.0/24" accept'
firewall-cmd --reload
firewall-cmd --list-rich-rules

Play with "firewall-config", the firewalld GUI configuration tool, and list the result via "firewall-cmd --list-rich-rules", so you'll get an idea how to do it via "firewall-cmd", the firewalld command line client.

man 1 firewall-cmd

poma
On 11/09/13 18:52, poma wrote:
> On 11.09.2013 17:55, Sergio Villar Senin wrote:
>> On 11/09/13 13:37, poma wrote:
>>> On 11.09.2013 12:18, Sergio Villar Senin wrote:
>>>> Hi,
>>>> sometimes it is useful to allow connections from a specific combination of source_address:source_port. For example, if you want to allow the icecream[1] autodiscovery service in your local network you would likely want to allow connections coming from:
>>>> 192.168.1.0/24:8765 udp
>>>> I think this is a very common use case in local networks where you have services running on well-known ports that use random ports on your local machine to set up connections.
>>>> Is there any way to do that in firewalld?
>>>
>>> It would be awkward if it can't. :)
>>>
>>> man 5 firewalld.richlanguage
>>
>> I've read the richlanguage syntax and still I cannot find the way to specify the source port, because the <port> element is translated to the destination port in the iptables rule and the <source> element only allows specifying the address, not the port.
>
> firewall-cmd --permanent --add-rich-rule='rule port port="8765" protocol="udp" family="ipv4" source address="192.168.1.0/24" accept'
> firewall-cmd --reload
> firewall-cmd --list-rich-rules

As I said in my previous email, and if I understand the language correctly, what you are saying in that rule is that you want to allow udp traffic from _any_ port from 192.168.1.0/24 to my local port 8765.

That's confirmed by iptables:

$ iptables -L IN_work_allow
Chain IN_work_allow (1 references)
target     prot opt source               destination
ACCEPT     udp  --  192.168.1.0/24       anywhere             udp dpt:8765 ctstate NEW

As you can see the port that is set is the destination port (dpt:8765), but I want to allow communications _only_ from that port, i.e., I want to specify the source port, I don't care about the destination port.

Using again iptables terminology, I want to set the "--sport", not the "--dport".
BR
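The following shell example is added here and is not part of the thread or of firewalld's own tooling. It shows the two ways firewalld can produce an iptables "--sport" match for the case above: the direct interface (firewall-cmd --direct), which passes raw iptables arguments through and was available in 2013-era firewalld, and the "source-port" rich-rule element, which was added in later firewalld releases (assumption: a version whose firewalld.richlanguage(5) lists that element). It also includes a check against "iptables -S" style output that distinguishes a source-port rule from the destination-port rule the thread ran into. The two sample rule lines are constructed, not captured. One caveat a practitioner should keep in mind: the source port is chosen by the sender, so it is not a form of authentication; it only narrows the rule and must be paired with the source address, as the original poster does.

```shell
#!/bin/sh
# Added example (not from the original thread). Two ways to get an iptables
# "--sport" match out of firewalld, which the 2013 rich language could not
# express directly:
#   1. the direct interface (firewall-cmd --direct), which passes raw iptables
#      arguments through and existed in firewalld at the time of the thread;
#   2. the "source-port" rich-rule element, added in later firewalld releases
#      (assumption: you run a release whose firewalld.richlanguage(5) lists it).
# Caveat: a source port is chosen by the sender, so it is no authentication;
# always pair it with the source address, as the original poster does.

ADDR="192.168.1.0/24"   # network from the thread
SPORT="8765"            # icecream scheduler UDP port from the thread
PROTO="udp"

# Arguments for: firewall-cmd --permanent --direct --add-rule <args>
# Priority 0 in the INPUT chain of the filter table; matches on --sport.
direct_rule_args() {
    # $1 source address, $2 source port, $3 protocol
    printf 'ipv4 filter INPUT 0 -p %s -s %s --sport %s -j ACCEPT' "$3" "$1" "$2"
}

# Rich rule for: firewall-cmd --permanent --add-rich-rule='<rule>'
# The family comes first, then the source and source-port elements.
rich_rule_source_port() {
    # $1 source address, $2 source port, $3 protocol
    printf 'rule family="ipv4" source address="%s" source-port port="%s" protocol="%s" accept' \
        "$1" "$2" "$3"
}

# Print the commands a user would run (printing rather than applying, so the
# script is safe to execute anywhere; paste the lines into a root shell to apply).
print_commands() {
    echo "firewall-cmd --permanent --direct --add-rule $(direct_rule_args "$1" "$2" "$3")"
    echo "firewall-cmd --permanent --add-rich-rule='$(rich_rule_source_port "$1" "$2" "$3")'"
    echo "firewall-cmd --reload"
}

# Check, from 'iptables -S' style output, that the installed rule really matches
# the *source* port. This catches the --dport rule the thread ran into.
# Returns 0 if a "-s ADDR -p PROTO ... --sport PORT ... -j ACCEPT" line exists.
rule_uses_sport() {
    # $1 source address, $2 source port, $3 protocol, $4 rule text
    printf '%s\n' "$4" | grep -q -- "-s $1 -p $3 .*--sport $2 .*-j ACCEPT"
}

# Constructed sample lines, not real captures: what the direct rule above
# renders to, and the destination-port rule produced by the 'port' rich rule.
SAMPLE_SPORT_RULE='-A INPUT_direct -s 192.168.1.0/24 -p udp -m udp --sport 8765 -j ACCEPT'
SAMPLE_DPORT_RULE='-A IN_work_allow -s 192.168.1.0/24 -p udp -m udp --dport 8765 -m conntrack --ctstate NEW -j ACCEPT'

print_commands "$ADDR" "$SPORT" "$PROTO"
if rule_uses_sport "$ADDR" "$SPORT" "$PROTO" "$SAMPLE_SPORT_RULE"; then
    echo "direct rule matches on source port: OK"
fi
if ! rule_uses_sport "$ADDR" "$SPORT" "$PROTO" "$SAMPLE_DPORT_RULE"; then
    echo "rich 'port' rule matches on destination port only: not what was asked for"
fi
```

After applying either rule on a real host, run "iptables -S" (or "firewall-cmd --direct --get-all-rules" for the direct rule) and feed the relevant line to rule_uses_sport to confirm the match is on --sport before relying on it.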
On 11.09.2013 20:10, poma wrote:
> On 11.09.2013 19:13, Sergio Villar Senin wrote:
>> Using again iptables terminology, I want to set the "--sport", not the "--dport".
>
> OK now I understand what you meant. RFE - firewalld-devel@lists.fedorahosted.org ;)

After a good cup of coffee, I think I really misread the entire article including the title, haha. Sorry for that, dude. Try to talk to the devs at firewalld-devel@lists.fedorahosted.org, and eventually file a request for enhancement.

poma
firewalld-users@lists.fedorahosted.org