5:18 a.m.
Hi,
sometimes is useful to allow connections from a specific combination of
of source_address:source_port. For example if you want to allow the
icecream[1] autodiscovery service in your local network you would likely
want to allow connections coming from:
192.168.1.0/24:8765 udp
I think this is a very common use case in local networks where you have
services running in well-known ports that use random ports in your local
machine to setup connections.
Is there any way to do that in firewalled?
BR
[1] https://github.com/icecc/icecream
6:37 a.m.
On 11.09.2013 12:18, Sergio Villar Senin wrote:
Hi,
sometimes is useful to allow connections from a specific combination of
of source_address:source_port. For example if you want to allow the
icecream[1] autodiscovery service in your local network you would likely
want to allow connections coming from:
192.168.1.0/24:8765 udp
I think this is a very common use case in local networks where you have
services running in well-known ports that use random ports in your local
machine to setup connections.
Is there any way to do that in firewalled?
It would be awkward if it can't. :)
man 5 firewalld.richlanguage
poma
10:55 a.m.
On 11/09/13 13:37, poma wrote:
On 11.09.2013 12:18, Sergio Villar Senin wrote:
> Hi,
>
> sometimes is useful to allow connections from a specific combination of
> of source_address:source_port. For example if you want to allow the
> icecream[1] autodiscovery service in your local network you would likely
> want to allow connections coming from:
>
> 192.168.1.0/24:8765 udp
>
> I think this is a very common use case in local networks where you have
> services running in well-known ports that use random ports in your local
> machine to setup connections.
>
> Is there any way to do that in firewalled?
>
It would be awkward if it can't. :)
man 5 firewalld.richlanguage
I've read the richlanguage syntax and still I cannot find the way to
specify the source port, because the <port> element is translated to the
destination port in the iptables rule and the <source> element only
allows to specify the address, not the port.
BR
11:52 a.m.
On 11.09.2013 17:55, Sergio Villar Senin wrote:
On 11/09/13 13:37, poma wrote:
> On 11.09.2013 12:18, Sergio Villar Senin wrote:
>> Hi,
>>
>> sometimes is useful to allow connections from a specific combination of
>> of source_address:source_port. For example if you want to allow the
>> icecream[1] autodiscovery service in your local network you would likely
>> want to allow connections coming from:
>>
>> 192.168.1.0/24:8765 udp
>>
>> I think this is a very common use case in local networks where you have
>> services running in well-known ports that use random ports in your local
>> machine to setup connections.
>>
>> Is there any way to do that in firewalled?
>>
>
> It would be awkward if it can't. :)
> man 5 firewalld.richlanguage
I've read the richlanguage syntax and still I cannot find the way to
specify the source port, because the <port> element is translated to the
destination port in the iptables rule and the <source> element only
allows to specify the address, not the port.
firewall-cmd --permanent --add-rich-rule='rule port port="8765"
protocol="udp" family="ipv4" source address="192.168.1.0/24"
accept'
firewall-cmd --reload
firewall-cmd --list-rich-rules
Play with "firewall-config" - firewalld GUI configuration tool,
and list result via "firewall-cmd --list-rich-rules",
so you'll get an idea how to do it via "firewall-cmd" - firewalld
command line client.
man 1 firewall-cmd
poma
12:13 p.m.
On 11/09/13 18:52, poma wrote:
On 11.09.2013 17:55, Sergio Villar Senin wrote:
> On 11/09/13 13:37, poma wrote:
>> On 11.09.2013 12:18, Sergio Villar Senin wrote:
>>> Hi,
>>>
>>> sometimes is useful to allow connections from a specific combination of
>>> of source_address:source_port. For example if you want to allow the
>>> icecream[1] autodiscovery service in your local network you would likely
>>> want to allow connections coming from:
>>>
>>> 192.168.1.0/24:8765 udp
>>>
>>> I think this is a very common use case in local networks where you have
>>> services running in well-known ports that use random ports in your local
>>> machine to setup connections.
>>>
>>> Is there any way to do that in firewalled?
>>>
>>
>> It would be awkward if it can't. :)
>> man 5 firewalld.richlanguage
>
> I've read the richlanguage syntax and still I cannot find the way to
> specify the source port, because the <port> element is translated to the
> destination port in the iptables rule and the <source> element only
> allows to specify the address, not the port.
>
firewall-cmd --permanent --add-rich-rule='rule port port="8765"
protocol="udp" family="ipv4" source
address="192.168.1.0/24" accept'
firewall-cmd --reload
firewall-cmd --list-rich-rules
As I said in my previous email, and if I understand the language
correctly, what you are saying in that rule is that you want to allow
udp traffic from _any_ port from 192.168.1.0/24 to my local port 8765.
That's confirmed by iptables:
$ iptables -L IN_work_allow
Chain IN_work_allow (1 references)
target prot opt source destination
ACCEPT udp -- 192.168.1.0/24 anywhere udp
dpt:8765 ctstate NEW
As you can see the port that is set is the destination port (dpt:8765),
but I want to allow communications _only_ from that port, i.e, I want to
specify the source port, I don't care about the destination port.
Using again iptables terminology, I want to set the "--sport" not the
"--dport"
BR
2:22 a.m.
On 11.09.2013 20:10, poma wrote:
On 11.09.2013 19:13, Sergio Villar Senin wrote:
> Using again iptables terminology, I want to set the "--sport" not the
> "--dport"
>
OK now I understand what you meant.
RFE - firewalld-devel(a)lists.fedorahosted.org ;)
After a good tazza di caffe,
I think I really misread the entire article including the title, haha.
Sorry for that, dude.
Try to talk to devs at firewalld-devel(a)lists.fedorahosted.org,
and eventuality file a request for enhancement.
poma
3878
days inactive
3879
days old
firewalld-users@lists.fedorahosted.org
7 comments
2 participants
participants (2)
-
poma -
Sergio Villar Senin