Given an IP address, how can I prevent any connection both to and from that IP? If there are multiple methods, please describe the pros and cons of each.
I've found a lot of contradictory and confusing information about this online and in the documentation.
Thanks for any help!
I was wondering if anybody could tell me how to set up firewalld together
For example, a Fedora 20 host running a CentOS 6.5 guest.
The guest is using bridge0, which is connected to eth0.
Which devices do I need to add to which zone?
Do the virtual devices like vnet1 and vnet2 need to be added to a zone?
I keep running into walls here (firewalls, to be precise); the only thing I
can find on this subject is 'switch back to iptables'.
But I would like to know how to fix this with firewalld.
Does anybody have any ideas on this?
I participate in developing SCAP content
within the SCAP Security Guide project:
Within that project we develop security compliance guidance for Red Hat
products (content for RHEL-6, RHEL-7 and Fedora already exists; content for products
like OpenStack, RHEVM3 and JBossEAP5 still needs care).
In the process of identifying which parts of the existing RHEL-6 content
would require modification when porting it to RHEL-7, we identified firewalld
as one of the components that might require our attention.
FWIW, regarding firewall configuration, the system administrator's situation changed
slightly between RHEL-6 and RHEL-7. At the very least, in RHEL-6 there was the
system-config-firewall tool, while in RHEL-7 the firewall can be managed in two ways
(not counting direct iptables command usage):
* via system-config-firewall or
* via firewalld.
From the very introductory article:
each of these (system-config-firewall & firewalld) constitutes a different approach
to the system's firewall administration / management. Starting from differing
config files (/etc/sysconfig/iptables and /etc/sysconfig/ip6tables for s-c-f vs.
the XML-based configuration files in /usr/lib/firewalld/services -- the
service XML templates -- and the actually honoured configuration present in
/etc/firewalld/services), through the concept of zones, firewalld introduced a
different view of the system's firewall administration / management.
Consider the use case:
What we have now are iptables rules defined in the form accepted / generated
by s-c-f (for RHEL-6). But when checking a RHEL-7 system for security compliance
with respect to firewall settings, we will also need to check the newly added config
location (/etc/firewalld/services) to see whether it contains the corresponding rules
expressed in the form accepted / expected by firewalld.
I have searched the firewalld manual pages more deeply and noticed that the firewalld
package provides firewall-offline-cmd for cases like this (when the firewalld service
isn't running) to migrate older s-c-f rules to the newer firewalld syntax.
Actually, I moved yet further and tried firewall-offline-cmd --direct --add-rule.
Suppose the old rule (from /etc/sysconfig/iptables for IPv4) has the form of
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
then the corresponding firewall-offline-cmd command syntax that came out of my
reading of the manual pages is as follows:
# firewall-offline-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
Execution of this command succeeded & the appropriate /etc/firewalld/direct.xml entry
I wanted to ask about the priority parameter ("0" in the above example) -- is it
a way to specify the "order / place" at which the rule would be added to the
XML file? IOW, would using 0 again a second time mean the second rule is inserted
before the already existing rule (i.e. the behaviour of the iptables -I option), or
when using priority 1 would it be appended instead at the end of the INPUT chain of
the filter table (i.e. the behaviour would correspond to the iptables -A option)?
Another question: I also noticed that firewalld provides the concept of "richlanguage",
which (at least from what I understood) allows the administrator to define rules in
an iptables-like syntax. Since it's not mentioned in the manual page, does richlanguage
support the concept of "match extensions", for example:
-m iprange | -m limit | -m state | -m time | -m account ..
as known / supported by iptables? If yes, what would be the syntax to formulate these
in the richlanguage syntax? To mention some examples, suppose the following two rules:
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT
iptables -A INPUT -p tcp --dport 50:55 -m iprange --dst-range 192.168.0.1-192.168.0.10 -j ACCEPT
Is there a way to express them via firewalld's richlanguage constructs, or would
the use of firewall-offline-cmd --direct --add-rule be necessary?
Is it possible to state in general which kinds of former iptables rules can be
expressed via richlanguage & which kinds of rules require the use of firewall-offline-cmd?
Thank you in advance for your time & reply.
Jan iankko Lieskovsky / Red Hat Security Technologies Team
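Added example, written for this page and not taken from any of the posts above or from the firewalld project: a small sorter that takes iptables filter rules in the /etc/sysconfig/iptables form, emits a firewalld rich rule whenever the rich language has an element for every match in the rule, and otherwise falls back to a direct rule, printing the matching firewall-cmd line for each. It covers the two questions in the thread that share this logic: the rich-vs-direct split asked about in the last post (the icmp --limit rule fits the rich language, but --limit-burst and -m iprange do not), and the first post's "block an IP in both directions" (inbound is a zone rich rule, outbound needs a direct rule on OUTPUT because zones only govern incoming traffic). Assumptions, all mine: IPv4 only, the zone is "public", the rule set is the constructed sample inside the block, and the target firewalld accepts the rich elements source, destination, port, icmp-type and limit.

```python
# Added example (not from the posts or from firewalld): sort iptables filter
# rules into firewalld rich rules where the rich language has an element for
# every match, fall back to direct rules otherwise, and print the firewall-cmd
# invocations.  Assumptions: IPv4, zone "public", and a firewalld new enough
# to accept the rich elements source, destination, port, icmp-type and limit.
import shlex

RICH_TARGETS = {"ACCEPT": "accept", "DROP": "drop", "REJECT": "reject"}
# match extensions whose options the rich language can (at least partly) express
RICH_MODULES = {"tcp", "udp", "icmp", "state", "limit"}


def parse_rule(line):
    """Tokenise one 'iptables -A CHAIN ... -j TARGET' rule.

    Returns a dict with the fields the rich language knows about plus
    'unsupported': every token the rich language has no element for."""
    toks = shlex.split(line)
    if toks and toks[0] == "iptables":
        toks = toks[1:]
    if len(toks) < 4 or toks[0] not in ("-A", "-I"):
        raise ValueError("expected '-A CHAIN ... -j TARGET': %r" % line)
    rule = {"chain": toks[1], "target": None, "proto": None, "dport": None,
            "src": None, "dst": None, "icmp_type": None, "limit": None,
            "unsupported": [], "args": toks[2:]}
    i = 2
    while i < len(toks):
        opt = toks[i]
        val = toks[i + 1] if i + 1 < len(toks) else None
        if val is None or val.startswith("-"):  # argument-less token: --syn, "!" ...
            rule["unsupported"].append(opt)
            i += 1
            continue
        if opt == "-j":
            rule["target"] = val
            rule["unsupported"].extend(toks[i + 2:])   # target options, e.g. --reject-with
            break
        if opt == "-m":
            if val not in RICH_MODULES:             # iprange, time, account, ...
                rule["unsupported"].extend([opt, val])
        elif opt == "-p":
            rule["proto"] = val
        elif opt == "--dport":
            rule["dport"] = val.replace(":", "-")   # iptables 50:55 -> rich 50-55
        elif opt == "-s":
            rule["src"] = val
        elif opt == "-d":
            rule["dst"] = val
        elif opt == "--icmp-type":
            rule["icmp_type"] = val
        elif opt == "--limit":
            rule["limit"] = val
        elif opt == "--state" and val == "NEW":
            pass  # implicit: firewalld accepts ESTABLISHED,RELATED before zone rules
        else:                                       # --limit-burst, --dst-range, ...
            rule["unsupported"].extend([opt, val])
        i += 2
    if rule["target"] is None:
        raise ValueError("rule has no -j target: %r" % line)
    return rule


def rich_rule(rule):
    """Rich-language text for rule, or None when a direct rule is needed.

    Zones (and so rich rules) only govern incoming traffic, so any chain
    other than INPUT, any target other than accept/drop/reject and any
    match without a rich element forces the direct interface."""
    if rule["chain"] != "INPUT" or rule["target"] not in RICH_TARGETS or rule["unsupported"]:
        return None
    parts = ['rule family="ipv4"']
    if rule["src"]:
        parts.append('source address="%s"' % rule["src"])
    if rule["dst"]:
        parts.append('destination address="%s"' % rule["dst"])
    proto = rule["proto"]
    if proto in ("tcp", "udp"):
        if not rule["dport"]:
            return None
        parts.append('port port="%s" protocol="%s"' % (rule["dport"], proto))
    elif proto == "icmp":
        if not rule["icmp_type"]:
            return None
        parts.append('icmp-type name="%s"' % rule["icmp_type"])
    elif proto is not None:
        return None
    if len(parts) == 1:          # nothing to match on: not a rich rule
        return None
    if rule["limit"]:
        parts.append('limit value="%s"' % rule["limit"])   # rate only, no burst
    parts.append(RICH_TARGETS[rule["target"]])
    return " ".join(parts)


def to_firewall_cmd(line, zone="public", priority=0, permanent=True):
    """Return ('rich' | 'direct', firewall-cmd command line) for one iptables rule."""
    rule = parse_rule(line)
    base = "firewall-cmd --permanent" if permanent else "firewall-cmd"
    rich = rich_rule(rule)
    if rich is not None:
        return "rich", "%s --zone=%s --add-rich-rule=%s" % (base, zone, shlex.quote(rich))
    # The direct interface has no -I; 'priority' is what orders the rules.
    return "direct", "%s --direct --add-rule ipv4 filter %s %d %s" % (
        base, rule["chain"], priority, " ".join(shlex.quote(t) for t in rule["args"]))


def block_host(ip, zone="public", priority=0):
    """Commands that drop traffic both from and to ip: a zone rich rule covers
    inbound, a direct rule on OUTPUT covers outbound, which zones do not."""
    return [to_firewall_cmd("-A INPUT -s %s -j DROP" % ip, zone, priority)[1],
            to_firewall_cmd("-A OUTPUT -d %s -j DROP" % ip, zone, priority)[1]]


if __name__ == "__main__":
    samples = [  # constructed sample rules in the s-c-f / iptables-save form
        "-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT",
        "-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT",
        "-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT",
        "-A INPUT -p tcp --dport 50:55 -m iprange --dst-range 192.168.0.1-192.168.0.10 -j ACCEPT",
    ]
    for s in samples:
        kind, cmd = to_firewall_cmd(s)
        print("%-6s %s" % (kind, cmd))
    for cmd in block_host("203.0.113.7"):
        print("block  %s" % cmd)
    # Finish with "firewall-cmd --reload" so the permanent rules take effect.
```

Two practitioner notes on the output. The commands are emitted with --permanent, so nothing changes until firewall-cmd --reload (or use firewall-offline-cmd with the same arguments while firewalld is stopped, as the post above does). On the priority question: as the firewalld.direct(5) man page describes it, the priority number orders direct rules within a chain (0 at the top, higher values further down), and the relative order of rules sharing one priority value is not guaranteed, so rules whose order matters should be given distinct priorities rather than relying on insertion order as with iptables -I and -A.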