On 09/11/2014 04:55 PM, Jan Lieskovsky wrote:
So maybe the question then is how to create that original configuration for system-config-firewall utility first. Suppose a request for presence of a rule (in /etc/sysconfig/iptables) of the form of:
*filter
:INPUT DROP [0:0]
to drop all incoming traffic. How would this requirement be achieved in system-config-firewall (and subsequently in firewall-config) UI?
I don't think this is possible in s-c-firewall, but I might be wrong. With firewalld it's as easy as setting Target to DROP, which is what the drop zone does (in firewall-config switch to Permanent, click 'Edit Zone' and see Target).
I have noticed that, since the 'public' zone is the default one (from /etc/firewalld/firewalld.conf), when there aren't any <service> elements in /etc/firewalld/zones/public.xml under the <short> and <description> elements, all incoming connections are prohibited.
That's correct, yes, but it allows incoming ICMP messages. If you want to prohibit everything, change target to DROP/%%REJECT%% (see target description in firewalld.zone man page) or use drop/block zone.
as known / supported by iptables? If yes, what would be the syntax to formulate these in the richlanguage syntax? To mention some examples, suppose the following two rules:
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT
iptables -A INPUT -p tcp --dport 50:55 -m iprange --dst-range 192.168.0.1-192.168.0.10 -j ACCEPT
Is there a way to express them via firewalld's richlanguage constructs, or would the usage of firewall-offline-cmd --direct --add-rule be necessary?
The latter one, I'm afraid.
If that's the case, how should the firewall-offline-cmd form look for the above INPUT DROP [0:0] rule? Having the 'public' zone selected, clicking on the "Rich Rules" tab and then the "Add" button, a "Rich Rule" dialog is displayed.
The family would be "ipv4", Action "drop". But when trying to specify "[0:0]", that format isn't allowed in the source address, and there also isn't a Filter element in the 'Element' drop-down widget / select box. The only thing that seems possible to select is the 'tcp' protocol and to forget about the chain.
Can you suggest which source address should be used in this case? Or if no source address is provided, does it imply all incoming packets (packets coming from whatever source address) will be dropped? -- btw. from testing, the latter seems to be the case.
So having the:
*filter
:INPUT DROP [0:0]
old iptables form requirement, the solution wrt the equivalent firewalld configuration seems to be to check either for:
get the default zone from /etc/firewalld/firewalld.conf, then check the *.xml file of that zone if it doesn't contain some listed <service> elements, or
check for the presence of a rich rule of the form of:
<rule family="ipv4"> <protocol value="tcp"/> <drop/> </rule>
in the zone XML file for the default zone.
Can you confirm this?
Jan, I'm afraid I don't understand what you're trying to achieve. I think it'd be much easier if we can talk about this off-list, just ping me when you're ready.
-- Jiri
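A read-only check of the two conditions Jan lists, written as an added example (not code from this thread or from firewalld itself). The firewalld.conf and zone XML strings are constructed samples standing in for /etc/firewalld/firewalld.conf and /etc/firewalld/zones/*.xml, and the classification follows Jiri's remark that a zone with no services still passes ICMP, so only a DROP or %%REJECT%% target counts as dropping everything:

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs standing in for /etc/firewalld/firewalld.conf
# and /etc/firewalld/zones/public.xml (not captured from a real host).
FIREWALLD_CONF = "# firewalld config file\nDefaultZone=public\nLockdown=no\n"
ZONE_EMPTY = '<zone><short>Public</short><description>x</description></zone>'
ZONE_DROP = '<zone target="DROP"><short>Public</short></zone>'
ZONE_SSH = '<zone><short>Public</short><service name="ssh"/></zone>'
ZONE_RICH_DROP = ('<zone><short>Public</short>'
                  '<rule family="ipv4"><protocol value="tcp"/><drop/></rule></zone>')

def default_zone(conf_text):
    """Return the DefaultZone= value from firewalld.conf ('public' if unset)."""
    for line in conf_text.splitlines():
        m = re.match(r"\s*DefaultZone\s*=\s*(\S+)", line)
        if m:
            return m.group(1)
    return "public"

def incoming_policy(zone_xml):
    """Classify how the zone treats unsolicited incoming packets.

    'drop-all'   : target DROP or %%REJECT%%; nothing, not even ICMP, gets in.
    'icmp-only'  : default target and nothing accepting; ICMP still passes,
                   which is Jiri's point in the thread.
    'allows-some': target ACCEPT, or a service/port/accepting rich rule exists.
    """
    root = ET.fromstring(zone_xml)
    target = root.get("target", "default")
    if target in ("DROP", "%%REJECT%%"):
        return "drop-all"
    if target == "ACCEPT":
        return "allows-some"
    for tag in ("service", "port", "protocol", "source-port", "forward-port"):
        if root.find(tag) is not None:
            return "allows-some"
    # Rich rules only open the zone when their action is accept.
    for rule in root.findall("rule"):
        if rule.find("accept") is not None:
            return "allows-some"
    return "icmp-only"

def check_default_zone(conf_text, zones):
    """zones maps zone name -> zone XML text; returns (zone name, policy)."""
    name = default_zone(conf_text)
    return name, incoming_policy(zones[name])
```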