On 08/27/2014 12:39 PM, Jan Lieskovsky wrote:
> Hello folks,
Hi iankko,
> At the very least, in RHEL-6 there was the system-config-firewall tool, while in RHEL-7 the firewall can be managed in two ways (when not counting direct iptables command usage):
> - via system-config-firewall or
> - via firewalld.
More precisely, the counterpart to system-config-firewall (GUI) in RHEL-6 is firewall-config in RHEL-7. And the counterpart to the RHEL-7 firewalld (service) is the iptables/ip6tables services (not the commands) in RHEL-6.
> Have searched the firewalld manual pages deeper and noticed the firewalld package provides firewall-offline-cmd for cases like this (when the firewalld service isn't running), to migrate older s-c-f rules to the newer firewalld syntax.
> Actually moved yet further, and tried the firewall-offline-cmd --direct --add-rule case.
Slow down a little ;-) The firewall-offline-cmd man page says that: "If no options are given, configuration from /etc/sysconfig/system-config-firewall will be migrated."
The s-c-firewall creates /etc/sysconfig/iptables (configuration for the iptables service) and also stores the configuration in /etc/sysconfig/system-config-firewall. So if your firewall configuration was created solely with system-config-firewall, you can simply run firewall-offline-cmd without arguments and it should migrate the firewall configuration to /etc/firewalld/zones/<default_zone>.xml (where <default_zone> is taken from /etc/firewalld/firewalld.conf).
> Suppose the old rule (from /etc/sysconfig/iptables for IPv4) has the following form (for simplicity):
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> then the corresponding firewall-offline-cmd command syntax, as I read it from the manual pages, is as follows:
> # firewall-offline-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> Execution of this command succeeded & the appropriate /etc/firewalld/direct.xml entry was created.
> Wanted to ask regarding the priority parameter ("0" in the above example) -- is it a way to specify the "order / place" at which the rule would be added into the XML file? IOW, would using 0 again a second time mean the second rule is inserted before the already existing rule (i.e. the behaviour of the iptables -I option), or when using priority 1 would it be appended instead at the end of the INPUT chain of the filter table (i.e. the behaviour would correspond to the iptables -A option)?
It doesn't specify how they will appear in the XML file, but the order in which they'll appear in iptables. Try to add some rules and check the iptables-save output and you'll see.
firewalld.direct(5) says: "The priority is used to order rules. Priority 0 means add rule on top of the chain, with a higher priority the rule will be added further down. Rules with the same priority are on the same level and the order of these rules is not fixed and may change. If you want to make sure that a rule will be added after another one, use a low priority for the first and a higher for the following."
> Another question being -- I also noticed firewalld provides the concept of "richlanguage", which allows (at least from what I got) the administrator to define the rules in an iptables-like syntax. Since it's not mentioned in the manual page, does richlanguage support the concept of "match extensions", e.g.:
> -m iprange | -m limit | -m state | -m time | -m account ..
No, AFAIK.
> as known / supported by iptables? If yes, what would be the syntax to formulate these in the richlanguage syntax? To mention some examples, suppose the following two rules:
> iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT
> iptables -A INPUT -p tcp --dport 50:55 -m iprange --dst-range 192.168.0.1-192.168.0.10 -j ACCEPT
> Is there a way to express them via firewalld's richlanguage constructs, or would the use of firewall-offline-cmd --direct --add-rule be necessary?
The latter one, I'm afraid.
> Is it possible to state in general what kind of former iptables rules can be expressed via richlanguage & what kind of rules require use of the firewall-offline-cmd tool?
http://fedoraproject.org/wiki/Features/FirewalldRichLanguage#Examples might give you some overview.
-- Jiri
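The migration of /etc/sysconfig/iptables rules to --direct rules and the priority ordering discussed in this thread, as an added example that is not part of the thread or of firewalld itself: a small Python converter that assumes iptables-save format input (the constructed sample below) and gives every rule of a chain its own increasing priority, since firewalld.direct(5) says rules sharing a priority have no fixed order between them.

```python
import shlex

# Constructed sample in the format iptables-save (and system-config-firewall)
# writes to /etc/sysconfig/iptables; it is not taken from the thread.
SAMPLE_IPTABLES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def iptables_save_to_direct(text, ipv="ipv4"):
    """Turn iptables-save style -A rules into firewall-offline-cmd
    --direct --add-rule argv lists.  Each (table, chain) gets its own
    increasing priority counter so the rules keep their relative order:
    firewalld.direct(5) says rules sharing a priority are not ordered."""
    table, next_prio, cmds = None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                      # "*filter", "*nat", ...
            table = line[1:]
            continue
        if line.startswith(":") or line == "COMMIT":  # chain policy / end
            continue
        toks = shlex.split(line)
        if table is None or len(toks) < 2 or toks[0] != "-A":
            raise ValueError("unsupported line (need -A under a *table): %s" % raw)
        chain, args = toks[1], toks[2:]
        prio = next_prio.get((table, chain), 0)
        next_prio[(table, chain)] = prio + 1
        cmds.append(["firewall-offline-cmd", "--direct", "--add-rule",
                     ipv, table, chain, str(prio)] + args)
    return cmds

def render(cmds):
    """Shell-quoted command lines, for review before anything is applied."""
    return [" ".join(shlex.quote(a) for a in c) for c in cmds]
```

Only -A rules in the exact format iptables-save writes are handled; review the rendered commands before applying them on a host.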