Thanks for the reply, Eric. Presently I'm using the 0.6.3-8 version packaged with
CentOS 7 and while the new features look exciting, I'm staring down a deadline right
now and don't have the cycles to build from source and test.
At present, it seems firewalld is primarily focused on being a host firewall to protect
services on the host it's running on and while configuration as a pass-through
firewall is possible, configuration seems to mostly be relegated to interaction with
iptables to access these features.
I can see why that's so based upon the use cases being mostly driven by being
installed on a Linux server and the preponderance of standalone (and often GUI-configured)
network firewalls in the market, but I'm excited to see further developments of the
network / passthrough firewall feature set for virtualized environments.
Thanks,
Scott
________________________________
From: Eric Garver <egarver(a)redhat.com>
Sent: August 31, 2020 8:49 AM
To: Scott A. Wozny <sawozny(a)hotmail.com>
Cc: firewalld-users(a)lists.fedorahosted.org <firewalld-users(a)lists.fedorahosted.org>
Subject: Re: Adding rich rules for forwarded traffic
On Sun, Aug 30, 2020 at 12:08:12AM -0000, Scott A. Wozny wrote:
> Can --add-rich-rule be used to add rules to the FORWARD chain?
Not in current releases. I just merged support [1] for this the other
day. As such, it will be in the v0.9.0 release which I will probably
drop within a week. I want to write a blog about it first.
If you have the time I'd really appreciate some testing on this new
feature.
[1]:
https://github.com/firewalld/firewalld/pull/639
> I've got a multi-interface firewall with an "internet" zone and a
> "webservers" zone. I used nmcli to add the connections to those zones
> and the results of a --list-all-zones shows me the zones have the
> correct interfaces. The OS also knows how to get to the web servers
> from the interface in the internet zone as I can make a port 80
> connection from a system in the internet segment when firewalld is
> off. So, I turned firewalld on and added a rich rule with this
> command:
>
> sudo firewall-cmd --zone=internet --add-rich-rule='rule family=ipv4 service name=http destination address=10.1.4.2 accept'
>
> The rule takes, but I cannot make a connection from a machine on the
> "internet" segment to the 10.1.4.2 server, even though I could when
> firewalld was off. So I took a look at an iptables -S and I see my
> rich rule was added, but to the IN_internet_ALLOW chain:
>
> -A IN_internet_allow -d 10.1.4.2/32 -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
>
> So, it seemed obvious to me that since the destination was on a
> network off a different interface within the firewall system it should
> have been put in the FWDI_internet_allow chain, but it wasn't. Did I
> do something wrong or does firewalld not add rich rules to FORWARD
> chains, when appropriate? I can do this with a direct rule if I need
> to, but they're ugly and I'd rather use the "prettiest" command
> available, when I can.
>
> Also, when writing the rule I tried to use destination ipset="myipset"
> (which I've previously declared and put 2 addresses in) but got back a
> syntax error. Looking through the man pages it appears that ipset can
> only be used for sources in rich rules.
You are correct. source only.
> Am I reading that right and, if so, does anyone have any insight into
> why the restriction?
I don't think there is any real restriction. Probably only because no
one has added support. But with policy objects (linked above) I'm not
sure it's useful since the policy can define the "destination".
> I can use multiple rules with IPs and / or arrange my addressing so I
> can use CIDR notation, but ipsets would make the FW ruleset read SO
> much clearer I thought I'd ask here to see if there was a trick I was
> missing.
Rich rules support CIDR notation.
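One way to turn the `iptables -S` check Scott describes above into a repeatable test, as an added example for this thread (my code, not firewalld's and not from anyone in the thread): rather than trusting chain names, follow the `-j`/`-g` jump graph backwards to find which built-in chain (INPUT, FORWARD or OUTPUT) can reach the rule at all. A rule whose only entry point is INPUT governs traffic addressed to the firewall itself; forwarded traffic is decided in FORWARD, which is exactly why the rich rule in IN_internet_allow did not help. The `iptables -S` text in the block is constructed and shortened to imitate the chain layout of firewalld 0.6's iptables backend; the FORWARD_direct rule in it is hypothetical, standing in for what the direct rule Scott mentions would add (for instance `firewall-cmd --direct --add-rule ipv4 filter FORWARD_direct 0 -d 10.1.4.2 -p tcp --dport 80 -j ACCEPT`).

```python
"""Trace rules in `iptables -S` output back to the built-in chain that reaches them.

Added example; not firewalld code.  SAMPLE_IPTABLES_S is a constructed,
shortened imitation of the firewalld 0.6 iptables layout (INPUT_ZONES ->
IN_<zone> -> IN_<zone>_allow and FORWARD_IN_ZONES -> FWDI_<zone> ->
FWDI_<zone>_allow), not output captured from a real host.
"""
from collections import defaultdict
import shlex

BUILTIN_CHAINS = {"INPUT", "FORWARD", "OUTPUT"}  # filter-table entry points

# Constructed sample: the rich rule that landed in IN_internet_allow, plus a
# hypothetical direct rule in FORWARD_direct for comparison.
SAMPLE_IPTABLES_S = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N INPUT_ZONES
-N IN_internet
-N IN_internet_allow
-N FORWARD_direct
-N FORWARD_IN_ZONES
-N FWDI_internet
-N FWDI_internet_allow
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT_ZONES -i eth0 -g IN_internet
-A IN_internet -j IN_internet_allow
-A IN_internet_allow -d 10.1.4.2/32 -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A FORWARD_IN_ZONES -i eth0 -g FWDI_internet
-A FWDI_internet -j FWDI_internet_allow
-A FORWARD_direct -d 10.1.4.2/32 -p tcp -m tcp --dport 80 -j ACCEPT
"""


def parse_rules(text):
    """Return [(chain, argument tokens)] for every -A line, in ruleset order."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) >= 3 and tok[0] == "-A":
            rules.append((tok[1], tok[2:]))
    return rules


def jump_predecessors(rules):
    """Map chain -> set of chains that jump (-j) or goto (-g) into it."""
    preds = defaultdict(set)
    for chain, tok in rules:
        for i in range(len(tok) - 1):
            if tok[i] in ("-j", "-g"):
                preds[tok[i + 1]].add(chain)
    return preds


def entry_points(chain, preds):
    """Sorted built-in chains from which `chain` is reachable via jumps."""
    seen, stack, roots = set(), [chain], set()
    while stack:
        c = stack.pop()
        if c in seen:
            continue
        seen.add(c)
        if c in BUILTIN_CHAINS:
            roots.add(c)
        stack.extend(preds.get(c, ()))
    return sorted(roots)


def _has_option(tok, flag, values):
    return any(tok[i] == flag and tok[i + 1] in values for i in range(len(tok) - 1))


def locate_rule(text, dest, dport):
    """[(chain, entry points)] for rules matching -d dest --dport dport."""
    rules = parse_rules(text)
    preds = jump_predecessors(rules)
    hits = []
    for chain, tok in rules:
        if (_has_option(tok, "-d", {dest, dest + "/32"})
                and _has_option(tok, "--dport", {str(dport)})):
            hits.append((chain, entry_points(chain, preds)))
    return hits


def forwards_traffic(text, dest, dport):
    """True if at least one matching rule is reachable from FORWARD."""
    return any("FORWARD" in roots for _, roots in locate_rule(text, dest, dport))


if __name__ == "__main__":
    import sys
    text = SAMPLE_IPTABLES_S if sys.stdin.isatty() else sys.stdin.read()
    for chain, roots in locate_rule(text, "10.1.4.2", 80):
        verdict = "affects forwarded traffic" if "FORWARD" in roots else "host input only"
        print(f"{chain:20s} reached from {', '.join(roots) or 'no built-in chain'}: {verdict}")
```

On a real host, pipe the live ruleset in (`sudo iptables -S | python3 trace_rule.py`) and adjust the destination and port in the `__main__` block; with no stdin it runs against the constructed sample, reporting IN_internet_allow as reachable only from INPUT and FORWARD_direct as reachable from FORWARD.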