On 01/24/2014 03:50 PM, John Griffiths wrote:
> Is there a HOWTO for using direct chain to add to the drop zone dynamically? Or am I on the wrong track?
Hi John,
I'm also learning firewalld so bear with me :)
As far as I understand, when you use the direct interface you don't think about zones. You may explicitly request that a rule be inserted in one of the zones' subchains, but I guess that's not the idea. For example, if I use the direct interface and specify that I want my rule to be placed in the INPUT chain, firewalld will place it under INPUT_direct (as expected). Then, no matter what zones are active (bound by interface or source), it will always traverse the INPUT_direct subchain and process my rule. That's why I think of the direct rules as being outside the scope of the regular zones.
> I want to dynamically add IPs to the firewall to drop.
This is easy. Once you have the ip just execute:
firewall-cmd --zone=drop --add-source=YOUR_IP
You may run it as many times as you want and it will keep adding that source IP (or network) to the drop zone. This is independent of the default zone for your interface. You can then confirm the "active zones" with:
firewall-cmd --get-active-zones
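Since the point of the thread is adding sources to the drop zone dynamically (typically from a script fed by logs or an alert), the address should be validated before it is handed to firewall-cmd. The following wrapper is an added example and not part of the original mail; it checks that the argument is a plain IPv4 address or CIDR prefix, builds the same `--zone=drop --add-source` command shown above, runs it only when firewall-cmd is present, and otherwise prints what it would run. The addresses used are constructed samples from the 203.0.113.0/24 documentation range.

```shell
#!/bin/sh
# Wrapper around "firewall-cmd --zone=drop --add-source=..." (added example).

# Return 0 if $1 is an IPv4 address or IPv4/prefix, 1 otherwise.
# Rejects anything with letters, shell metacharacters, too few octets,
# octets above 255 or a prefix length above 32.
is_ipv4_or_cidr() {
  case "$1" in
    */*) addr=${1%/*}; plen=${1#*/} ;;
    *)   addr=$1;      plen=32 ;;
  esac
  case "$plen" in *[!0-9]*|'') return 1 ;; esac
  [ "${#plen}" -le 2 ] && [ "$plen" -le 32 ] || return 1
  old_ifs=$IFS
  IFS=.
  set -- $addr          # split octets into positional parameters
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in *[!0-9]*|'') return 1 ;; esac
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print the runtime (non-permanent) command that adds $1 to the drop zone,
# or fail without printing anything if $1 does not validate.
drop_source_cmd() {
  is_ipv4_or_cidr "$1" || return 1
  printf 'firewall-cmd --zone=drop --add-source=%s\n' "$1"
}

# Validate, then either run the command or show it as a dry run when
# firewall-cmd is not installed on this host.
drop_source() {
  cmd=$(drop_source_cmd "$1") || { echo "rejected: $1" >&2; return 1; }
  if command -v firewall-cmd >/dev/null 2>&1; then
    firewall-cmd --zone=drop --add-source="$1" \
      && firewall-cmd --get-active-zones
  else
    echo "(dry run) $cmd"
    echo "(dry run) firewall-cmd --get-active-zones"
  fi
}

# Usage: ./drop_source.sh 203.0.113.7   (or a /24 etc.)
if [ $# -gt 0 ]; then
  drop_source "$1"
fi
```

The command is deliberately the runtime-only form from the mail above; adding `--permanent` would survive a reload but is a separate decision. The validator is the part worth keeping even if the rest is replaced: a log-derived string like `1.2.3.4; rm -rf /` is rejected before any command runs.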
For me, binding a source to a zone (apart from binding an interface to it) is one of the BEST things of firewalld's rule-mgmt. I discovered this about a week ago while reading the man page for firewall-cmd (as there's no mention of this source-binding in the Wiki or RHEL7 Guides). Prior to this, I was using rich rules. I couldn't believe there was no way to specify a "source address" via the basic commands and found it overkill to use rich-rules just for that. I was hard-wired to think purely in terms of binding interfaces to zones (like many people). I guess this source binding needs more promotion :)
My kudos to the development team for coming up with this great idea!
Regards, Jorge