On 08/27/2014 12:39 PM, Jan Lieskovsky wrote:
> Hello folks,
Hi iankko,
> For the very least, in RHEL-6 there was the system-config-firewall tool,
> whereas in RHEL-7 the firewall can be managed in two ways
> (when not counting direct iptables command usage):
> * via system-config-firewall or
> * via firewalld.
More precisely, counterpart to system-config-firewall (GUI) in RHEL-6 is
firewall-config in RHEL-7. And counterpart to RHEL-7 firewalld (service)
are iptables/ip6tables services (not the commands) in RHEL-6.
> Have searched the firewalld manual pages deeper and noticed the firewalld package
> provides firewall-offline-cmd for cases like this (when the firewalld service isn't
> running) to migrate older s-c-f rules to newer firewalld syntax.
> Actually moved yet further, and tried the firewall-offline-cmd --direct --add-rule
> case.
Slow down a little ;-)
The firewall-offline-cmd man page says that:
"If no options are given, configuration from
/etc/sysconfig/system-config-firewall will be migrated."
The s-c-firewall creates /etc/sysconfig/iptables (configuration for
iptables service) and also stores the configuration in
/etc/sysconfig/system-config-firewall.
So if your firewall configuration was created solely with
system-config-firewall you can simply run firewall-offline-cmd without
arguments and it should migrate the firewall configuration to a
/etc/firewalld/zones/<default_zone>.xml (where <default_zone> is taken
from /etc/firewalld/firewalld.conf)
> Suppose the old rule (from /etc/sysconfig/iptables for IPv4) has the form of
> (for simplicity):
>
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
>
> then the corresponding firewall-offline-cmd command syntax that came out from
> reading of the manual pages for me is as follows:
>
> # firewall-offline-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
>
> Execution of this command succeeded & the appropriate /etc/firewalld/direct.xml entry
> was created.
>
> Wanted to ask regarding the priority parameter ("0" in the above example) -- is it
> a way to specify the "order / place" into which the rule would be added into the
> XML file? IOW, would using 0 again a second time mean the second rule would be inserted
> before the already existing rule (e.g. the behaviour of the -I iptables option), or when
> using priority 1 would it be appended instead at the end of the filter table & its INPUT
> chain (e.g. the behaviour would correspond to the -A iptables option)?
It doesn't specify where they will appear in the XML file, but the order in which
they'll appear in iptables. Try to add some rules and check the
iptables-save output and you'll see.
firewalld.direct(5) says:
"The priority is used to order rules. Priority 0 means add rule on top
of the chain, with a higher priority the rule will be added further
down. Rules with the same priority are on the same level
and the order of these rules is not fixed and may change. If you want to
make sure that a rule will be added after another one, use a low
priority for the first and a higher for the following."
> Another question being -- also noticed firewalld provides the concept of "richlanguage"
> which allows (at least from what I got) the administrator to define the rules in
> the iptables-like syntax. Since it's not mentioned in the manual page, does richlanguage
> support the concept of "match extensions", e.g. for example:
>
> -m iprange | -m limit | -m state | -m time | -m account ..
No AFAIK.
> as known / supported by iptables? If yes, what would be the syntax to formulate these
> in the richlanguage syntax? To mention some examples, suppose the following two rules:
>
> iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT
> iptables -A INPUT -p tcp --dport 50:55 -m iprange --dst-range 192.168.0.1-192.168.0.10 -j ACCEPT
>
> Is there a way to express them via firewalld's richlanguage constructs or would
> the usage of firewall-offline-cmd --direct --add-rule be necessary?
The latter one, I'm afraid.
> Is it possible to commonly express what kind of former iptables rules are possible
> to express via richlanguage & what kind of rules require use of the firewall-offline-cmd
> tool?
http://fedoraproject.org/wiki/Features/FirewalldRichLanguage#Examples
might give you some overview.
--
Jiri
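As an added example (not from this thread or the firewalld project), the priority point above put into code: a small Python translator that turns the -A lines of an /etc/sysconfig/iptables dump into firewall-offline-cmd --direct commands, giving each chain's rules strictly increasing priorities so firewalld keeps their original order, and creating user-defined chains with --add-chain (assumed to be accepted by firewall-offline-cmd the same way firewall-cmd --direct accepts it). The sample dump is constructed.

```python
import shlex

# Built-in chains per table; any other ":NAME" line in the dump is a user chain
# that the direct interface must create with --add-chain before rules go into it.
BUILTIN_CHAINS = {"filter": {"INPUT", "FORWARD", "OUTPUT"},
                  "nat": {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"}}

# Constructed sample in /etc/sysconfig/iptables (iptables-save) format.
SAMPLE_IPTABLES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT
-A INPUT -p tcp --dport 50:55 -m iprange --dst-range 192.168.0.1-192.168.0.10 -j ACCEPT
-A INPUT -j LOGDROP
-A LOGDROP -j LOG --log-prefix "iptables-drop: "
-A LOGDROP -j DROP
COMMIT
"""

def to_direct_rules(dump, family="ipv4"):
    """Return firewall-offline-cmd --direct commands for every -A line in dump.
    Priorities count up per (table, chain): firewalld orders direct rules by
    priority and leaves the order of equal priorities unfixed, so reusing 0
    for every rule would lose the sequence the iptables file expresses."""
    cmds, next_prio, table = [], {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                  # "*filter": table header
            table = line[1:]
        elif line.startswith(":"):                # ":NAME POLICY [pkts:bytes]"
            chain = line[1:].split()[0]
            if chain not in BUILTIN_CHAINS.get(table, set()):
                cmds.append(f"firewall-offline-cmd --direct --add-chain {family} {table} {chain}")
        else:
            argv = shlex.split(line)
            if table is None or argv[0] != "-A":
                raise ValueError(f"only -A rules inside a table are translated: {line}")
            chain = argv[1]
            prio = next_prio.get((table, chain), 0)   # 0 = top of the chain
            next_prio[(table, chain)] = prio + 1
            rule = " ".join(shlex.quote(a) for a in argv[2:])
            cmds.append(f"firewall-offline-cmd --direct --add-rule {family} {table} {chain} {prio} {rule}")
    return cmds
```

Running to_direct_rules(SAMPLE_IPTABLES) yields one --add-chain line for LOGDROP followed by the six rules with INPUT priorities 0..3 and LOGDROP priorities 0..1.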