Hi, I have a Fedora 23 system and am just starting to learn how firewalld works. None of the documentation really discusses how to add rules from a specific source (the -s option with iptables).
Is this not what firewalld was intended to do?
How do I restrict access to ssh or dns only from specific remote IP addresses?
I've found the "rich" rules, but if I have to create rules at the port level without any association to the service, then I don't understand the point of using it. In other words, it appears necessary to add additional manual rules, while also having to "--add-service=dns" instead of the dns service taking care of it all in the first place.
In other words, to create a "rich" rule for dns, it appears necessary to do:
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port=53 protocol="tcp" accept' --permanent
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port=53 protocol="udp" accept' --permanent
and that also doesn't provide the ability to control the "state" of the packets.
Thanks for any ideas. Alex
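The two port-level rich rules above can be collapsed into one, and the same restriction applied to ssh, because the rich language has a service element as well as a port element. The script below is an added example written for this page, not code from the thread or from the firewalld project. It assumes a Fedora 23 host with firewalld running and root privileges, and that the services are being restricted inside the zone bound to the interface (public, Fedora's default). The fw wrapper, the FW_APPLY and FW_ZONE variables and the function names are the example's own; by default it prints the firewall-cmd invocations instead of executing them, so the plan can be read before FW_APPLY=1 applies it.

```shell
#!/bin/sh
# Restrict firewalld services to specific source subnets with rich rules.
# Added example for this page, not code from the thread or from firewalld.
# Assumes: Fedora 23, firewalld running, run as root. By default the script
# only prints the firewall-cmd calls; set FW_APPLY=1 to execute them.
set -eu

# fw ARGS...: run firewall-cmd, or print the call when not applying.
# Arguments containing spaces (the rich rules) are single-quoted in the
# printed form so the output can be pasted back into a shell.
fw() {
    if [ "${FW_APPLY:-0}" = 1 ]; then
        firewall-cmd "$@"
        return
    fi
    out=firewall-cmd
    for a in "$@"; do
        case $a in
            *' '*) out="$out '$a'" ;;
            *)     out="$out $a" ;;
        esac
    done
    printf '%s\n' "$out"
}

# rich_rule FAMILY SRC SERVICE: one rule that accepts SERVICE only from SRC.
# "service name=" pulls in every port the service definition lists, so
# dns covers 53/tcp and 53/udp with a single rule.
rich_rule() {
    printf 'rule family="%s" source address="%s" service name="%s" accept\n' "$1" "$2" "$3"
}

# restrict_service ZONE SERVICE SRC...: allow SERVICE in ZONE from the listed
# subnets only. A plain --add-service accepts from every source and would make
# the rich rules pointless, so it is removed first (|| : tolerates NOT_ENABLED
# on older firewall-cmd versions that exit non-zero when it was never enabled).
restrict_service() {
    zone=$1 service=$2
    shift 2
    fw --permanent --zone="$zone" --remove-service="$service" || :
    for src in "$@"; do
        case $src in
            *:*) family=ipv6 ;;   # a colon means an IPv6 prefix
            *)   family=ipv4 ;;
        esac
        fw --permanent --zone="$zone" --add-rich-rule="$(rich_rule "$family" "$src" "$service")"
    done
}

ZONE=${FW_ZONE:-public}   # the zone bound to the interface; public is Fedora's default
restrict_service "$ZONE" ssh 192.168.1.0/24 192.168.10.0/24
restrict_service "$ZONE" dns 192.168.1.0/24
fw --reload                          # --permanent changes are inert until reloaded
fw --zone="$ZONE" --list-rich-rules  # confirm what the runtime now enforces
```

On the "state" point: firewalld accepts RELATED,ESTABLISHED traffic near the top of the INPUT chain before any zone chain is consulted, so a rich rule only ever sees the first packet of a connection, which is exactly what -m state --state NEW expresses in the iptables version; return traffic is handled by conntrack. Packets that match no rule fall through to the zone's target, which for public is reject. Newer firewalld releases also accept a source-port element in rich rules; whether the version on a given host has it is shown by man firewalld.richlanguage.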
I'm not sure if I completely understand what you're asking, but as far as I know (unless it's changed) firewalld can't handle source ports, only destination ports.
I have a home-built DVR where I use HDHomeRun network-based tuners. For them the source port is specified and the destination port is random (coming back to the computer), and after some research I found that they could not be used with firewalld because of it, so I had to switch back to iptables with something like:
-A INPUT -m state --state NEW -m udp -p udp --sport 5002 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --sport 5004 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --sport 65001 -j ACCEPT
Thanks, Richard
On 17 Jan 2016 16:28, "Alex" mysqlstudent@gmail.com wrote:
> Hi, I have a fedora23 system and just starting to learn how firewalld works. None of the documentation really discusses how to add rules from a specific source (the -s option with iptables).
> Is this not what firewalld was intended to do?
> How do I restrict access to ssh or dns only from specific remote IP addresses?
Create a zone for that source network and then apply the rules to that.
Have a read of this and see if it helps clear a few things up:
Hi,
On Mon, Jan 18, 2016 at 2:55 AM, James Hogarth james.hogarth@gmail.com wrote:
> On 17 Jan 2016 16:28, "Alex" mysqlstudent@gmail.com wrote:
>> Hi, I have a fedora23 system and just starting to learn how firewalld works. None of the documentation really discusses how to add rules from a specific source (the -s option with iptables).
>> Is this not what firewalld was intended to do?
>> How do I restrict access to ssh or dns only from specific remote IP addresses?
> Create a zone for that source network and then apply the rules to that.
> Have a read of this and see if it helps clear a few things up:
Okay, that's interesting. So it's possible to apply multiple zones to a single interface? How would you suggest I structure that? In other words, create a "ssh" zone where the only service is ssh, then add all the source addresses that are permitted to ssh to my host to that zone?
I'm trying to do the iptables equivalent of:
-A INPUT -s 192.168.1.0/24,192.168.10.0/24 -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
-A INPUT -s 192.168.1.0/24,192.168.10.0/24 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
You've provided some great examples at the end, but any guidance on how to get started with what I've written above would be appreciated.
Do you know if firewalld works with NetworkManager properly in fc23? I'm now learning that because I use kvm/qemu for virtual machines, and apparently must disable NetworkManager still, that I can't also use firewalld. I learned this from an older article, but I've been having problems with NetworkManager and bridges and thought it might be related.
Thanks, Alex
On 19 Jan 2016 02:19, "Alex" mysqlstudent@gmail.com wrote:
> Hi,
> On Mon, Jan 18, 2016 at 2:55 AM, James Hogarth james.hogarth@gmail.com wrote:
>> On 17 Jan 2016 16:28, "Alex" mysqlstudent@gmail.com wrote:
>>> Hi, I have a fedora23 system and just starting to learn how firewalld works. None of the documentation really discusses how to add rules from a specific source (the -s option with iptables).
>>> Is this not what firewalld was intended to do?
>>> How do I restrict access to ssh or dns only from specific remote IP addresses?
>> Create a zone for that source network and then apply the rules to that.
>> Have a read of this and see if it helps clear a few things up:
> Okay, that's interesting. So it's possible to apply multiple zones to a single interface? How would you suggest I structure that? In other words, create a "ssh" zone where the only service is ssh, then add all the source addresses that are permitted to ssh to my host to that zone?
> I'm trying to do the iptables equivalent of:
> -A INPUT -s 192.168.1.0/24,192.168.10.0/24 -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
> -A INPUT -s 192.168.1.0/24,192.168.10.0/24 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
> You've provided some great examples at the end, but any guidance on how to get started with what I've written above would be appreciated.
> Do you know if firewalld works with NetworkManager properly in fc23? I'm now learning that because I use kvm/qemu for virtual machines, and apparently must disable NetworkManager still, that I can't also use firewalld. I learned this from an older article, but I've been having problems with NetworkManager and bridges and thought it might be related.
Whatever article that is sounds mostly nonsense.
NM works fine with firewalld and with libvirt (kvm) ... And they all work independently of each other too.
When doing a network-subnet-based zone you don't apply it to an interface, as it's network based.
So you'd create a zone for "finance" or whatever you want to call what defines that subnet. Then you'd add the network source subnet to it so that it gets used. Then you'd apply your rules (such as --add-service https)
If you're struggling a bit with NM and bridges I also have an NM article on the site that covers using nmcli for this.
Don't forget there is a new iproute2 command for bridges that is very useful for checking their status: bridge link <foo> will tell you what links are in the bridge and whether STP results in the link being in a listening, blocking or forwarding state.
Last week I was talking to someone who was convinced their NM bridge was broken... Then with that we saw it was up and forwarding and the problem lay elsewhere (cabling) ;)
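The source-bound zone James describes, carried through for Alex's two iptables rules (993/tcp and 443/tcp from 192.168.1.0/24 and 192.168.10.0/24), as an added example that is not part of the thread or of the firewalld project. It assumes a Fedora 23 host with firewalld running, root privileges, and that the https and imaps service definitions ship with the installed firewalld (firewall-cmd --get-services lists them). The zone name finance comes from James's message; the fw wrapper, the FW_APPLY variable and the function names are the example's own. By default the script prints the firewall-cmd plan rather than running it; FW_APPLY=1 applies it.

```shell
#!/bin/sh
# Source-bound firewalld zone: traffic is assigned to the zone by source
# subnet, not by interface, and only the services added to that zone are
# reachable from those subnets. Added example, not from the thread; assumes
# Fedora 23, firewalld running, root. Prints the plan by default; FW_APPLY=1
# executes it.
set -eu

# fw ARGS...: run firewall-cmd when applying, otherwise print the call.
# (Arguments in this script contain no spaces, so plain "$*" is safe to print.)
fw() {
    if [ "${FW_APPLY:-0}" = 1 ]; then firewall-cmd "$@"; else printf 'firewall-cmd %s\n' "$*"; fi
}

# setup_source_zone ZONE "SUBNET ..." "SERVICE ..."
# A zone can only be created in the permanent configuration, so everything
# is written with --permanent and a single --reload at the end makes it live.
# "|| :" tolerates the error firewall-cmd raises when the zone already exists.
setup_source_zone() {
    zone=$1 subnets=$2 services=$3
    fw --permanent --new-zone="$zone" || :
    for net in $subnets; do
        fw --permanent --zone="$zone" --add-source="$net"   # bind by source, not interface
    done
    for svc in $services; do
        fw --permanent --zone="$zone" --add-service="$svc"
    done
    fw --reload
}

# verify_source_zone ZONE "SUBNET ...": show the zone's runtime state, which
# zone each subnet now lands in, and the full list of active zones (the
# interface zone, normally public, is still active alongside the new one).
verify_source_zone() {
    zone=$1 subnets=$2
    fw --zone="$zone" --list-all
    for net in $subnets; do
        fw --get-zone-of-source="$net"
    done
    fw --get-active-zones
}

# Alex's case: imaps (993/tcp) and https (443/tcp) only from two LAN subnets.
setup_source_zone finance "192.168.1.0/24 192.168.10.0/24" "https imaps"
verify_source_zone finance "192.168.1.0/24 192.168.10.0/24"
```

Source-bound zones are consulted before interface-bound zones, so a host in 192.168.1.0/24 lands in finance whichever interface it arrived on, while every other host stays in the interface zone. That interface zone is still evaluated for those other hosts, so if https or imaps are also enabled in public they remain reachable from everywhere; remove them there (firewall-cmd --permanent --zone=public --remove-service=https, then --reload) if the intent is to restrict rather than add. A subnet can be bound to only one zone: --add-source fails with ZONE_CONFLICT if it is already in another, and --get-zone-of-source is the quick way to find out which.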