On our WISP, we have a WAN with about a dozen subnets in the 172.16.x.x space. I have a small server on the 172.16.10.x subnet, statically configured.
Let's say I want to open 5201/tcp|5201/udp for an iperf3 server to all those subnets.
Let's also say I want to open 873/tcp|873/udp for an rsyncd server to just one subnet, say 172.16.10.0/24.
What's the best way to go about doing this?
Add 172.16.10.0/24 as a destination in the rsyncd.xml service profile?
Create a zone with 172.16.10.0/24 as a source and add the rsyncd service to that zone?
Run the iperf3 service in the public zone, having added the interface to that zone?
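One way to do this without creating overlapping source zones, as an added example that is not part of the original post: keep the interface in the zone it already lives in and scope each listener with rich rules keyed on the source subnet. The zone name (public), the subnet list and the address values are assumptions; replace IPERF_NETS with the WAN's real subnets. The script prints the firewall-cmd calls by default and only executes them when run with APPLY=1.

```shell
#!/bin/sh
# Added example, not from the original thread: scope two listeners by source
# subnet with rich rules in the zone that owns the WAN-facing interface.
# ZONE, IPERF_NETS and the addresses are assumptions (constructed stand-ins).
set -eu

ZONE="${ZONE:-public}"                                 # zone the WAN interface is bound to
IPERF_NETS="${IPERF_NETS:-172.16.10.0/24 172.16.11.0/24 172.16.12.0/24}"   # constructed list
RSYNC_NET="${RSYNC_NET:-172.16.10.0/24}"               # the one subnet allowed to reach rsyncd

# fw: run firewall-cmd when APPLY=1; otherwise print the call (dry run by default).
fw() {
  if [ "${APPLY:-0}" = 1 ]; then
    firewall-cmd "$@"
  else
    printf 'firewall-cmd'; for a; do printf " '%s'" "$a"; done; printf '\n'
  fi
}

# One rich rule per (subnet, protocol): 5201 is reachable only from the listed networks.
iperf_rules() {
  for net in $IPERF_NETS; do
    for proto in tcp udp; do
      fw --permanent --zone="$ZONE" --add-rich-rule="rule family=\"ipv4\" source address=\"$net\" port port=\"5201\" protocol=\"$proto\" accept"
    done
  done
}

# rsyncd on 873/tcp and 873/udp, but only from RSYNC_NET.
rsync_rules() {
  for proto in tcp udp; do
    fw --permanent --zone="$ZONE" --add-rich-rule="rule family=\"ipv4\" source address=\"$RSYNC_NET\" port port=\"873\" protocol=\"$proto\" accept"
  done
}

main() {
  iperf_rules
  rsync_rules
  fw --reload     # make the permanent rules live
}

main
```

Because every rule names its source, nothing is opened to the rest of the zone, and the two listeners can be widened or narrowed independently later with `--remove-rich-rule`. Check the result with `firewall-cmd --zone=public --list-rich-rules`.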
Hi, I'm trying to add a rule on NAT'ed traffic to reject certain local
IPs from being masqueraded, but I can't see how it can be done with
(1) --add-rule seems to always operate on iptables-restore, regardless
of what backend is being used.
(2) --add-rich-rule doesn't seem to provide a way to add rule on
(3) there seems to be no option like --add-rule, but for nftables
Currently I had to switch to the iptables backend to do:
firewall-cmd --permanent --new-ipset=nonetvm --type=hash:ip
firewall-cmd --permanent --ipset=nonetvm --add-entry=192.168.1.52
firewall-cmd --permanent --ipset=nonetvm --add-entry=192.168.1.53
firewall-cmd --permanent --ipset=nonetvm --add-entry=192.168.1.54
firewall-cmd --permanent --ipset=nonetvm --add-entry=192.168.1.55
# enp0s31f6 is the WAN interface in external zone
firewall-cmd --permanent --direct --add-rule \
ipv4 filter FORWARD 0 -m set --match-set nonetvm src \
-o enp0s31f6 -j REJECT
Please correct me if I'm wrong somewhere, or is there simply no way to do
this with firewalld using the (now default) nftables backend?
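The nftables-native way to express the same exclusion, as an added example that is not from the original message: keep the ipset exactly as posted, but attach the reject to a firewalld policy object (available since firewalld 0.9) instead of a --direct rule. Policies filter traffic forwarded between zones and are rendered by the nftables backend itself. The names nonetvm, external and enp0s31f6 come from the message; that the VMs' interface sits in the internal zone, and the policy name, are assumptions. Dry run by default; APPLY=1 executes.

```shell
#!/bin/sh
# Added example, not from the original message: reject forwarding from the
# nonetvm ipset to the external zone with a policy object, so no --direct
# (iptables-only) rule is needed on the nftables backend.
# VM_ZONE and POLICY are assumptions; the addresses come from the message.
set -eu

IPSET="nonetvm"
VM_ZONE="${VM_ZONE:-internal}"        # zone of the VM-side interface (assumption)
WAN_ZONE="${WAN_ZONE:-external}"      # zone holding enp0s31f6, where masquerade is on
POLICY="nonetvm-egress"
NO_NET_VMS="192.168.1.52 192.168.1.53 192.168.1.54 192.168.1.55"

# fw: run firewall-cmd when APPLY=1; otherwise print the call (dry run by default).
fw() {
  if [ "${APPLY:-0}" = 1 ]; then
    firewall-cmd "$@"
  else
    printf 'firewall-cmd'; for a; do printf " '%s'" "$a"; done; printf '\n'
  fi
}

# The ipset is identical to the iptables-backend version.
make_ipset() {
  fw --permanent --new-ipset="$IPSET" --type=hash:ip
  for ip in $NO_NET_VMS; do
    fw --permanent --ipset="$IPSET" --add-entry="$ip"
  done
}

# A policy applies to traffic entering via its ingress zone(s) and leaving via
# its egress zone(s). Its default target is CONTINUE, so VMs not in the set
# fall through to the external zone and are still masqueraded there.
make_policy() {
  fw --permanent --new-policy="$POLICY"
  fw --permanent --policy="$POLICY" --add-ingress-zone="$VM_ZONE"
  fw --permanent --policy="$POLICY" --add-egress-zone="$WAN_ZONE"
  fw --permanent --policy="$POLICY" --add-rich-rule="rule family=\"ipv4\" source ipset=\"$IPSET\" reject"
}

main() {
  make_ipset
  make_policy
  fw --reload
}

main
```

The reject happens in the forward filter path, before NAT postrouting, so excluded VMs never reach the masquerade rule. Inspect the result with `firewall-cmd --info-policy=nonetvm-egress` and, on the nftables side, `nft list ruleset | grep -A3 nonetvm`.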
The rule below in iptables is causing slptool to fail to detect the services of other hosts.
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
I deleted it by using the command below
iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
and SLP started to discover from the other node with the firewall enabled.
However, when I reload firewalld or reboot, it went back to the original rule (REJECT) again.
How can I delete this rule permanently so that even after reloading the firewalld daemon it does not go back to the default?
Or is there any other way?
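The persistent fix, as an added example that is not from the original post: that trailing REJECT is not a standalone rule but the rendering of the zone's default target, which is why firewalld restores it on every reload. Rather than removing it (which would admit everything), permanently allow what SLP needs, 427/tcp and 427/udp, in the zone the interface belongs to. The zone name (public) is an assumption. Dry run by default; APPLY=1 executes.

```shell
#!/bin/sh
# Added example, not from the original post: permanently admit SLP (427/tcp,
# 427/udp) instead of deleting the zone's REJECT target. ZONE is an assumption.
set -eu

ZONE="${ZONE:-public}"

# fw: run firewall-cmd when APPLY=1; otherwise print the call (dry run by default).
fw() {
  if [ "${APPLY:-0}" = 1 ]; then
    firewall-cmd "$@"
  else
    printf 'firewall-cmd'; for a; do printf " '%s'" "$a"; done; printf '\n'
  fi
}

# SLP listens on 427 over both transports; the multicast requests slptool
# sends (UDP to 239.255.255.253) are covered by the udp entry as well.
allow_slp_ports() {
  for proto in tcp udp; do
    fw --permanent --zone="$ZONE" --add-port="427/$proto"
  done
}

# What the deleted iptables line really is: the zone target. Setting it to
# ACCEPT would reproduce the manual deletion permanently, but it opens every
# port, so this is defined only for contrast and is not called by main.
open_zone_completely() {
  fw --permanent --zone="$ZONE" --set-target=ACCEPT
}

verify() {
  fw --zone="$ZONE" --get-target      # should still say "default" (reject)
  fw --zone="$ZONE" --list-ports      # should now include 427/tcp 427/udp
}

main() {
  allow_slp_ports
  fw --reload
  verify
}

main
```

If your firewalld release ships a predefined slp service (check with `firewall-cmd --get-services`), `--add-service=slp` is the shorter spelling of the same two ports.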
I come from iptables (didn't know it well but enough to get by). I am trying to learn firewalld now which appears to be much more powerful.
First of all I need some help, please.
I would like to remove all the rules and zones, since I have probably messed up my installation so far, and do the following:
I would like to "DROP" all outside traffic. I would then like to only allow all ports from (2) two IP addresses.
Could someone explain to me how to do this?
My configuration only has:
(1) one public IP Address (ens3)
Thanks in advance.
Also, is there a good tutorial that would walk me through learning firewalld? Thanks again for this as well.
Have a great day.
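A zone-based way to get that result, as an added example that is not from the original post: put ens3 (from the post) in the built-in drop zone, and make each of the two trusted addresses a source of the built-in trusted zone, which accepts everything. firewalld evaluates sources before interfaces, so those two addresses win and everyone else hits DROP. The two addresses are constructed stand-ins from the documentation ranges; replace them with your own. Dry run by default; APPLY=1 executes. Keep a console session open the first time, since a typo in ADMIN_IPS locks you out.

```shell
#!/bin/sh
# Added example, not from the original post: default-drop on the single public
# interface, two management addresses allowed to reach every port.
# ADMIN_IPS are constructed stand-ins; ens3 is the interface named in the post.
set -eu

IFACE="ens3"
ADMIN_IPS="${ADMIN_IPS:-203.0.113.10 198.51.100.20}"   # constructed; replace with your two IPs

# run: execute the command when APPLY=1; otherwise print it (dry run by default).
run() {
  if [ "${APPLY:-0}" = 1 ]; then
    "$@"
  else
    printf '%s' "$1"; shift; for a; do printf " '%s'" "$a"; done; printf '\n'
  fi
}
fw() { run firewall-cmd "$@"; }

# Clean slate: your edits live under /etc/firewalld; the stock definitions in
# /usr/lib/firewalld are untouched, so deleting the overrides and reloading
# restores the default zones. Not called by main; run it deliberately.
reset_to_defaults() {
  run rm -f /etc/firewalld/zones/*.xml /etc/firewalld/policies/*.xml /etc/firewalld/ipsets/*.xml
  fw --complete-reload
}

# Interface -> drop zone (target DROP); admin addresses -> trusted zone (ACCEPT).
lockdown() {
  fw --set-default-zone=drop                              # runtime and permanent
  fw --permanent --zone=drop --change-interface="$IFACE"
  for ip in $ADMIN_IPS; do
    fw --permanent --zone=trusted --add-source="$ip"
  done
  fw --reload
}

verify() {
  fw --get-active-zones          # expect: drop -> ens3, trusted -> the two sources
}

main() {
  lockdown
  verify
}

main
```

If NetworkManager owns ens3, `nmcli connection modify <name> connection.zone drop` is the equivalent of the `--change-interface` line and survives connection restarts. Outbound connections from the server itself are unaffected, since firewalld only filters inbound and forwarded traffic by default.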