I have set up firewalld to forward any incoming udp port 162 traffic to a remote server. I would like to add a second rule to forward udp port 162 traffic from a specific source IP to a different destination address, but it seems it will only match the first rule it finds.
Is this possible?
On Thu, Nov 15, 2018 at 01:18:49PM -0000, Steven Schroeder wrote:
> I have set up firewalld to forward any incoming udp port 162 traffic to a remote server. I would like to add a second rule to forward udp port 162 traffic from a specific source IP to a different destination address, but it seems it will only match the first rule it finds.
> Is this possible?
Yes, it's possible. The problem is your first rich rule is a "catch-all". It should work if you add the more specific rich rule first.
e.g.
rule family="ipv4" source address="<special IP>" forward-port port="162" protocol="tcp" to-port="<dest port>" to-addr="<dest IP>"
rule family="ipv4" forward-port port="162" protocol="tcp" to-port="<dest port>" to-addr="<dest IP>"
The problem is that I receive traps from hundreds of subnets that need to be forwarded to our NOC, and they are always adding new subnets, so the catch-all was an attempt to avoid having to worry about missing traps to the NOC when new subnets are turned up.
Select subnets within those hundreds of subnets also have to forward to a second destination IP.
This is what I have in place as of this morning. The first rule sends all received traps to the NOC. I added the second rule, which stops traps from being sent to the NOC but does forward them to the second destination; that is good, but I still need those to go to the NOC as well.
rule family="ipv6" source address="::/0" forward-port port="162" protocol="udp" to-addr="2001::1:2:3:X:X:X:X" <-- this is the catch all to the noc
rule family="ipv6" source address="2001:x:x:x:x:209::" forward-port port="162" protocol="udp" to-addr="2001:4:5:6:X:X:X:X" <-- send to the second destination, but stops from sending to the noc
On Thu, Nov 15, 2018 at 03:20:38PM -0000, Steven Schroeder wrote:
> The problem is that I receive traps from hundreds of subnets that need to be forwarded to our NOC, and they are always adding new subnets, so the catch-all was an attempt to avoid having to worry about missing traps to the NOC when new subnets are turned up.
> Select subnets within those hundreds of subnets also have to forward to a second destination IP.
> This is what I have in place as of this morning. The first rule sends all received traps to the NOC. I added the second rule, which stops traps from being sent to the NOC but does forward them to the second destination; that is good, but I still need those to go to the NOC as well.
Are you saying that you need to duplicate the packet to both the noc and the second destination? That's not possible with firewalld rich rules.
It sounds like you want something like iptables TEE extension, in which case you'll have to use --direct rules. See the iptables-extensions man page.
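The --direct/TEE approach suggested above, written out as an added example that is not part of the thread: the catch-all forward-port rich rule to the NOC stays as the only DNAT rule, and each "select subnet" gets one ip6tables TEE rule in mangle PREROUTING that clones its UDP/162 traffic to the second receiver. All addresses and prefixes (2001:db8::/32) are constructed placeholders, and the helper names (tee_rule_args, add_tee_rule, apply_all) and the FWCMD override are this example's own, not firewalld's.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the firewall-cmd commands that keep
# the catch-all DNAT rich rule to the NOC and add one ip6tables TEE rule per
# subnet whose traps must also be cloned to a second receiver.
# Assumptions: firewalld with --direct support (direct rules are raw ip6tables
# arguments) and the xt_TEE target available on the box.
# All addresses below are constructed placeholders from 2001:db8::/32.
# Set FWCMD=echo to dry-run: the commands are printed instead of executed.
FWCMD="${FWCMD:-firewall-cmd}"

NOC_ADDR="2001:db8:1::162"       # hypothetical NOC trap receiver
SECOND_ADDR="2001:db8:2::162"    # hypothetical second receiver (must be a next hop)

# Rich rule that DNATs every incoming trap to the NOC, same shape as the
# catch-all rule in the thread.
catch_all_rule() {
    printf 'rule family="ipv6" source address="::/0" forward-port port="162" protocol="udp" to-addr="%s"' "$NOC_ADDR"
}

# ip6tables arguments for a direct rule that clones UDP/162 from one source
# prefix to the second receiver. mangle PREROUTING runs before nat PREROUTING,
# so the original packet still hits the DNAT rich rule and reaches the NOC;
# only the clone is sent towards the TEE gateway.
tee_rule_args() {
    src="$1"; gw="$2"
    printf 'ipv6 mangle PREROUTING 0 -p udp --dport 162 -s %s -j TEE --gateway %s' "$src" "$gw"
}

add_tee_rule() {
    # word-splitting of the argument string is intentional here
    # shellcheck disable=SC2046
    "$FWCMD" --permanent --direct --add-rule $(tee_rule_args "$1" "$2")
}

apply_all() {
    "$FWCMD" --permanent --add-rich-rule="$(catch_all_rule)"
    # constructed list of the "select subnets"; extend it as new ones turn up
    for prefix in 2001:db8:209::/48 2001:db8:210::/48; do
        add_tee_rule "$prefix" "$SECOND_ADDR"
    done
    "$FWCMD" --reload
}

# APPLY=1 ./tee-rules.sh applies the rules; add FWCMD=echo to only print them.
if [ "${APPLY:-0}" = 1 ]; then
    apply_all
fi
```

Two caveats from the iptables-extensions man page matter here. TEE does not rewrite the clone: it still carries the firewall's own address as destination and is handed to the --gateway host as a next hop on the local segment, so the second receiver must either accept traps addressed to the firewall or be a router configured to forward them on. And TEE marks clones so they are not cloned again, but it does nothing about loops beyond that, so keep the TEE rule narrowly scoped (-p udp --dport 162 -s <prefix>) rather than cloning all traffic from an interface.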
Correct, but specific IP/subnets would only go to the second destination.
Thank you for your suggestion, let me look into that.
firewalld-users@lists.fedorahosted.org