Hello Jiri,
thank you for your reply.
----- Original Message -----
From: "Jiri Popelka" jpopelka@redhat.com
To: "Firewalld users discussion list" firewalld-users@lists.fedorahosted.org, "Jan Lieskovsky" jlieskov@redhat.com
Sent: Friday, August 29, 2014 6:43:29 PM
Subject: Re: Appreciated hints about expected exact firewall-offline-cmd --direct --add-rule / --query-rule syntax (mainly about the priority field) or corresponding richlanguage syntax
On 08/27/2014 12:39 PM, Jan Lieskovsky wrote:
Hello folks,
Hi iankko,
For the very least, in RHEL-6 there was the system-config-firewall tool, while in RHEL-7 the firewall can be managed in two ways (when not counting direct iptables command usage):
- via system-config-firewall or
- via firewalld.
More precisely, counterpart to system-config-firewall (GUI) in RHEL-6 is firewall-config in RHEL-7. And counterpart to RHEL-7 firewalld (service) are iptables/ip6tables services (not the commands) in RHEL-6.
Have searched the firewalld manual pages deeper and noticed firewalld package provides firewall-offline-cmd for cases like this (when the firewalld service isn't running) to migrate older s-c-f rules to newer firewalld syntax.
Actually moved yet further, and tried firewall-offline-cmd --direct --add-rule case.
Slow down a little ;-) The firewall-offline-cmd man page says that: "If no options are given, configuration from /etc/sysconfig/system-config-firewall will be migrated."
Ok, so not /etc/sysconfig/iptables directly, but /etc/sysconfig/s-c-f instead.
The s-c-firewall creates /etc/sysconfig/iptables (configuration for iptables service) and also stores the configuration in /etc/sysconfig/system-config-firewall. So if your firewall configuration was created solely with system-config-firewall you can simply run firewall-offline-cmd without arguments and it should migrate the firewall configuration to a /etc/firewalld/zones/<default_zone>.xml (where <default_zone> is taken from /etc/firewalld/firewalld.conf)
So maybe the question then is how to create that original configuration for system-config-firewall utility first. Suppose a request for presence of a rule (in /etc/sysconfig/iptables) of the form of:
*filter
:INPUT DROP [0:0]
to drop all incoming traffic. How would this requirement be achieved in system-config-firewall (and subsequently in firewall-config) UI?
I have noticed that, since the 'public' zone is the default one (from /etc/firewalld/firewalld.conf), when there aren't any <service> elements in /etc/firewalld/zones/public.xml under the <short> and <description> elements, all incoming connections are prohibited.
As suggested by the first reply in: https://ask.fedoraproject.org/en/question/49976/does-firewalld-block-outgoin...
Suppose the old rule (from /etc/sysconfig/iptables for IPv4) has the form of (for simplicity):
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
then the corresponding firewall-offline-cmd command syntax that came out from reading of the manual pages for me is as follows:
# firewall-offline-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
Execution of this command succeeded & appropriate /etc/firewalld/direct.xml entry was created.
Wanted to ask regarding the priority parameter ("0" in the above example) -- is it a way to specify the "order / place" into which the rule would be added into the XML file? IOW, using 0 again a second time would mean the second rule would be inserted before the already existing rule (e.g. the behaviour of the -I iptables option), or when using priority 1 it would be appended instead at the end of the filter table & its INPUT chain (e.g. the behaviour would correspond to the -A iptables option)?
It doesn't specify how they will appear in the XML file, but the order in which they'll appear in iptables. Try to add some rules and check iptables-save output and you'll see.
firewalld.direct(5) says: "The priority is used to order rules. Priority 0 means add rule on top of the chain, with a higher priority the rule will be added further down. Rules with the same priority are on the same level and the order of these rules is not fixed and may change. If you want to make sure that a rule will be added after another one, use a low priority for the first and a higher for the following."
Another question being -- also noticed firewalld provides concept of "richlanguage" which allows (at least from what I got) the administrator to define the rules in the iptables-like syntax. Since it's not mentioned in the manual page, does richlanguage support concept of "match extensions", e.g. for example:
-m iprange | -m limit | -m state | -m time | -m account ..
No AFAIK.
as known / supported by iptables? If yes, what would be the syntax to formulate these in the richlanguage syntax? To mention some examples, suppose the following two rules:
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT
iptables -A INPUT -p tcp --dport 50:55 -m iprange --dst-range 192.168.0.1-192.168.0.10 -j ACCEPT
Is there a way how to express them via firewalld's richlanguage constructs or would the usage of firewall-offline-cmd --direct --add-rule be necessary?
The latter one, I'm afraid.
If that's the case, how should the firewall-offline-cmd form look for the above INPUT DROP [0:0] rule? Having the 'public' zone selected, clicking on the "Rich Rules" tab and then the "Add" button, a "Rich Rule" dialog is displayed.
The family would be "ipv4", Action "drop". But when trying to specify "[0:0]", that format is not allowed in the source address field, and there also isn't a Filter element in the 'Element' drop down widget / select box. The only thing that's possible to select seems to be the 'tcp' protocol & forget about the chain.
Can you suggest which source address should be used in this case? Or if no source address is provided, does it imply all incoming packets (packets coming from whatever source address) will be dropped? -- btw. from testing, the latter seems to be the case.
So having the:
*filter
:INPUT DROP [0:0]
old iptables form requirement, the solution wrt the equivalent firewalld configuration seems to be to check either for:
* get the default zone from /etc/firewalld/firewalld.conf, then check the *.xml file of that zone if it doesn't contain some listed <service> elements, or
* check for presence of a richrule rule of the form of:
<rule family="ipv4">
  <protocol value="tcp"/>
  <drop/>
</rule>
in the zone XML file for the default zone.
Can you confirm this?
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
Is it possible to commonly express what kind of former iptables rules are possible to express via richlanguage & what kind of rules require use of firewall-offline-cmd tool?
http://fedoraproject.org/wiki/Features/FirewalldRichLanguage#Examples might give you some overview.
-- Jiri
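The two file-level checks the thread ends up with can be scripted against the configuration files firewall-offline-cmd writes. The script below is an added example, not code from the firewalld project or from either correspondent: it orders the `<rule>` entries of a direct.xml the way the quoted firewalld.direct(5) text describes (lower priority lands higher in the chain, equal priorities share a level whose internal order firewalld does not fix), and it inspects a zone file for the two conditions Jan proposes for the `:INPUT DROP [0:0]` case, namely no `<service>` elements, or a rich rule carrying a `<drop/>` action. The XML samples are constructed to mirror the shapes shown in the thread; the function names and the assumption that rich-rule children appear directly under `<rule>` are mine.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: the shape /etc/firewalld/direct.xml takes after several
# "firewall-offline-cmd --direct --add-rule ipv4 filter INPUT <priority> ..." runs.
SAMPLE_DIRECT_XML = """<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="1">-p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="0">-p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="1">-p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="5">-j DROP</rule>
</direct>
"""

# Constructed sample zone file (shape of /etc/firewalld/zones/public.xml) that
# both opens one service and carries the rich rule proposed in the thread.
SAMPLE_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <service name="ssh"/>
  <rule family="ipv4">
    <protocol value="tcp"/>
    <drop/>
  </rule>
</zone>
"""


def direct_rules_by_priority(direct_xml, ipv="ipv4", table="filter", chain="INPUT"):
    """Return [(priority, [rule args, ...]), ...] sorted ascending by priority.

    Rules with the same priority are grouped on one level rather than ordered,
    because firewalld.direct(5) says their relative order may change.
    """
    root = ET.fromstring(direct_xml)
    levels = defaultdict(list)
    for rule in root.findall("rule"):
        if (rule.get("ipv"), rule.get("table"), rule.get("chain")) != (ipv, table, chain):
            continue
        levels[int(rule.get("priority", "0"))].append((rule.text or "").strip())
    return sorted(levels.items())


def zone_open_services(zone_xml):
    """Names of the <service> elements in a zone file; empty means nothing is opened."""
    root = ET.fromstring(zone_xml)
    return [s.get("name") for s in root.findall("service")]


def zone_drop_rich_rules(zone_xml, family="ipv4"):
    """Rich rules with a <drop/> action for `family` (or with no family attribute).

    Each entry records the protocol and source restrictions the rule carries, so
    a caller can tell a blanket drop from one limited to e.g. TCP only.
    """
    root = ET.fromstring(zone_xml)
    found = []
    for rule in root.findall("rule"):
        if rule.get("family") not in (None, family):
            continue
        if rule.find("drop") is None:
            continue
        proto = rule.find("protocol")
        src = rule.find("source")
        found.append({
            "protocol": proto.get("value") if proto is not None else None,
            "source": src.get("address") if src is not None else None,
        })
    return found


def zone_matches_thread_checks(zone_xml, family="ipv4"):
    """The thread's either/or check: no services opened, or a drop rich rule present."""
    return not zone_open_services(zone_xml) or bool(zone_drop_rich_rules(zone_xml, family))


if __name__ == "__main__":
    for prio, rules in direct_rules_by_priority(SAMPLE_DIRECT_XML):
        print(f"priority {prio}: {rules}")
    print("open services:", zone_open_services(SAMPLE_ZONE_XML))
    print("drop rich rules:", zone_drop_rich_rules(SAMPLE_ZONE_XML))
    print("thread checks satisfied:", zone_matches_thread_checks(SAMPLE_ZONE_XML))
```

Note that `zone_drop_rich_rules` reports the `protocol` restriction of each drop rule instead of treating every `<drop/>` as a blanket drop: the rule built in the firewall-config dialog above carries `<protocol value="tcp"/>`, so it only covers TCP, which is narrower than what `:INPUT DROP [0:0]` expresses. To run the functions over real files, read `/etc/firewalld/direct.xml` and the default zone's file from `/etc/firewalld/zones/` into strings and pass them in.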