On 09/11/2014 04:55 PM, Jan Lieskovsky wrote:
> So maybe the question then is how to create that original configuration
> for the system-config-firewall utility first. Suppose a request for the
> presence of a rule (in /etc/sysconfig/iptables) of the form:
> *filter
> :INPUT DROP [0:0]
> to drop all incoming traffic. How would this requirement be achieved
> in the system-config-firewall (and subsequently firewall-config) UI?
I don't think this is possible in s-c-firewall, but I might be wrong.
With firewalld it's as easy as setting Target to DROP, which is what the
drop zone does (in firewall-config switch to Permanent, click 'Edit
Zone' and see Target).
> I have noticed that, since the 'public' zone is the default one (from
> /etc/firewalld/firewalld.conf), when there aren't any <service>
> elements in /etc/firewalld/zones/public.xml under the <short>
> and <description> elements, all incoming connections are prohibited.
That's correct, yes, but it allows incoming ICMP messages. If you want
to prohibit everything, change target to DROP/%%REJECT%% (see target
description in firewalld.zone man page) or use drop/block zone.
>>> as known / supported by iptables? If yes, what would be the syntax to
>>> formulate these in the richlanguage syntax? To mention some examples,
>>> suppose the following two rules:
>>>
>>> iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s
>>> --limit-burst 10 -j ACCEPT
>>> iptables -A INPUT -p tcp --dport 50:55 -m iprange --dst-range
>>> 192.168.0.1-192.168.0.10 -j ACCEPT
>>>
>>> Is there a way to express them via firewalld's richlanguage constructs,
>>> or would the usage of firewall-offline-cmd --direct --add-rule be necessary?
>>
>> The latter one, I'm afraid.
> If that's the case, how should the firewall-offline-cmd form look for
> the above INPUT DROP [0:0] rule? Having the 'public' zone selected, clicking
> on the "Rich Rules" tab and then the "Add" button, a "Rich Rule"
> dialog is displayed.
> The family would be "ipv4", Action "drop". But when trying to specify
> the "[0:0]" format, it's not allowed to be added into the source address, and
> there also isn't a Filter element in the 'Element' drop-down widget / select box.
> The only thing that's possible to select seems to be to use the 'tcp' protocol
> & forget about the chain.
> Can you suggest which source address should be used in this case? Or if no source
> address is provided, does it imply all incoming packets (packets coming from whatever
> source address) will be dropped? -- btw. from testing, the latter seems to be the case.
> So having the:
> *filter
> :INPUT DROP [0:0]
> old iptables form requirement, the solution wrt the equivalent firewalld configuration
> seems to be to check either for:
> * get the default zone from /etc/firewalld/firewalld.conf, then check that the *.xml
> file of that zone doesn't contain any listed <service> elements, or
> * check for the presence of a rich rule of the form:
> <rule family="ipv4">
> <protocol value="tcp"/>
> <drop/>
> </rule>
> in the zone XML file for the default zone.
> Can you confirm this?
Jan, I'm afraid I don't understand what you're trying to achieve.
I think it'd be much easier if we can talk about this off-list, just
ping me when you're ready.
--
Jiri
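The two checks the thread circles around (zone target DROP/%%REJECT%% versus the default target with no <service> elements, and an unscoped rich rule that drops a protocol) can be evaluated directly from the firewalld configuration files. The following is an added example, not code from either participant or from the firewalld project; the firewalld.conf and zone XML contents are constructed inline (standing in for /etc/firewalld/firewalld.conf and /etc/firewalld/zones/<name>.xml), and the policy labels it returns are this example's own names for the behaviour Jiri describes.

```python
"""Added example: classify how a firewalld default zone treats incoming traffic.

Reads DefaultZone from firewalld.conf text, loads that zone's XML, then inspects
the zone target, the <service>/<port> elements and the rich rules. All inputs
are constructed here so the example runs offline without touching /etc/firewalld.
"""
import xml.etree.ElementTree as ET

# Constructed stand-in for /etc/firewalld/firewalld.conf.
FIREWALLD_CONF = """\
# firewalld config file (constructed sample)
DefaultZone=public
MinimalMark=100
"""

# Constructed stand-ins for /etc/firewalld/zones/<name>.xml, keyed by zone name.
ZONE_FILES = {
    "public": """<zone>
  <short>Public</short>
  <description>Constructed: no services, plus the rich rule from the thread.</description>
  <rule family="ipv4">
    <protocol value="tcp"/>
    <drop/>
  </rule>
</zone>
""",
    "drop": """<zone target="DROP">
  <short>Drop</short>
  <description>Constructed sample of the stock drop zone.</description>
</zone>
""",
    "work": """<zone>
  <short>Work</short>
  <description>Constructed sample of a zone that opens ssh.</description>
  <service name="ssh"/>
</zone>
""",
}


def default_zone(conf_text):
    """DefaultZone= from firewalld.conf text; firewalld falls back to 'public'."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("DefaultZone="):
            return line.split("=", 1)[1].strip()
    return "public"


def zone_summary(zone_xml):
    """Collect the parts of one zone file that matter for an incoming-traffic check."""
    root = ET.fromstring(zone_xml)
    rich_rules = []
    for rule in root.findall("rule"):
        action = next((c.tag for c in rule if c.tag in ("accept", "reject", "drop", "mark")), None)
        proto = rule.find("protocol")
        rich_rules.append({
            "family": rule.get("family"),
            "has_source": rule.find("source") is not None,
            "protocol": proto.get("value") if proto is not None else None,
            "action": action,
        })
    return {
        "target": root.get("target", "default"),   # no target attribute means 'default'
        "services": [s.get("name") for s in root.findall("service")],
        "ports": [(p.get("port"), p.get("protocol")) for p in root.findall("port")],
        "rich_rules": rich_rules,
    }


def incoming_policy(zone_xml):
    """Label the zone's handling of unsolicited incoming traffic, following the thread:
    target DROP drops everything (ICMP included), %%REJECT%% rejects everything, and
    the default target with nothing opened rejects everything except ICMP."""
    s = zone_summary(zone_xml)
    if s["target"] == "DROP":
        return "drop-all"
    if s["target"] == "%%REJECT%%":
        return "reject-all"
    if s["target"] == "ACCEPT":
        return "accept-all"
    if not s["services"] and not s["ports"]:
        return "reject-all-except-icmp"
    return "allow-listed-only"


def has_unscoped_drop_rule(zone_xml, family="ipv4", protocol="tcp"):
    """True when a rich rule with no <source> drops the given protocol; without a
    source the rule applies to every source address, as observed in the thread."""
    for r in zone_summary(zone_xml)["rich_rules"]:
        if (r["family"] == family and r["protocol"] == protocol
                and r["action"] == "drop" and not r["has_source"]):
            return True
    return False


def check_default_zone(conf_text=FIREWALLD_CONF, zones=ZONE_FILES):
    """Resolve the default zone and report both checks for it."""
    name = default_zone(conf_text)
    xml = zones[name]
    return {"zone": name, "policy": incoming_policy(xml),
            "drops_all_tcp": has_unscoped_drop_rule(xml)}


if __name__ == "__main__":
    print(check_default_zone())
```

On a real host the two constructed inputs would be replaced by the contents of /etc/firewalld/firewalld.conf and the matching zone file; the distinction between "drop-all" and "reject-all-except-icmp" is exactly the ICMP caveat Jiri raises, so a check that wants the iptables `:INPUT DROP` semantics should require the former.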