On Fri, Sep 25, 2020 at 01:13:51AM -0400, D. Hugh Redelmeier wrote:
> Thanks, Ed and Eric, for your help.
>
> | From: Eric Garver <egarver(a)redhat.com>
>
> | On Thu, Sep 24, 2020 at 05:47:26PM -0400, D. Hugh Redelmeier wrote:
> | > Is there a reasonable way to get firewalld-0.9 for Fedora 32?
>
> I've decided that it isn't reasonable. Updating my system from F32 to
> F33 might get messy. F33 appears not to include firewalld-0.9. That
> seems to be scheduled for F34.
>
> | > I don't wish to compile my own and fight with Fedora's package
> | > management.
>
> It's not that I fear building packages. I fear contradicting Fedora's
> choice of package version.
>
> | > Alternatively, is it reasonable to run the nftable service as well as
> | > firewalld?
> |
> | The services explicitly Conflict. This is mostly because the nftables
> | service will flush _all_ the rules.
>
> Very useful to know.
>
> | > Alternatively, is --direct able to add nftable rules?
> |
> | No. This is by design. If something you need is not supported by
> | firewalld's rich rules please file an RFE.
>
> Ahh. I asked the wrong question. I could use --direct to add an
> iptables rule, and that should be good enough.
>
> I just thought iptables was a step backward from nftables (itself a
> step backwards from firewalld).
>
> I think that the rule will look something like this.
>
> The table is "filter", the chain is FORWARD and the priority is 0.
> Am I correct in assuming that since the table and chain ought to
> already exist, all I have to do is add the rule?
Yes. It should already exist.
> The purpose is to drop all packets from the internet that have an
> explicit destination within MYSUBNET.
You could just add MYSUBNET to the block zone. This will also block the
forwarded traffic.
    # firewall-cmd --zone block --add-source 10.254.254.0/24

and the nftables rules generated:

    chain filter_FORWARD_IN_ZONES_SOURCE {
        ip saddr 10.254.254.0/24 goto filter_FWDI_block
    }

    chain filter_FWDI_block {
        [..]
        log prefix "filter_FWDI_block_REJECT: "
        reject with icmpx type admin-prohibited
    }
Note the catch-all reject at the end of filter_FWDI_block.
> sudo firewall-cmd \
>   --direct --add-rule ipv4 filter FORWARD 0 \
>   --in-interface=EXTERNAL_INTERFACE \
>   --source MYSUBNET \
>   --jump DROP
> Questions:
>
> - should I be using chain FORWARD_direct instead of FORWARD?
>   firewall-cmd(1) gives the example of INPUT_direct but does
>   not specify which other chains are automatically created.
>   (That seems like a documentation bug.)
If using the nftables backend "FORWARD" will add the direct rules to the
iptables chain "FORWARD".
If using the nftables backend "FORWARD" will add the direct rules to the
iptables chain "FORWARD_direct".
> - can I use the long form of the iptables flags or do I have to use
>   the single-letter version? firewall-cmd(1) only uses the
>   single-letter versions.
>
>   Answer: yes, long forms are accepted.
Yes. The arguments are passed directly to iptables. Firewalld does not
understand them.
> | Alternatively, you can create your own nftables rules. firewalld only
> | uses/touches/flushes rules/chains in the "firewalld" tables. It will not
> | touch nftables rules created out-of-band of firewalld.
>
> This seems too fragile and complex for the tiny hack I need.
Agreed. Try the `--add-source` setting I mention above.
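An added example, written for this thread rather than taken from it or from firewalld's own code: a small audit script that reads the text form of `nft list ruleset` and confirms that a source subnet placed in the block zone is dispatched to a zone chain whose catch-all verdict is reject or drop, with no accept rules ahead of it. It understands only the subset of nft syntax visible in the exchange above (chain blocks, `ip saddr ... goto/jump CHAIN`, `accept`, `reject`, `drop`); the sample ruleset and the `192.168.1.0/24` public-zone entry are constructed for illustration, and the chain name `filter_FORWARD_IN_ZONES_SOURCE` is the one shown in the thread.

```python
"""Check that a firewalld block-zone source is really rejected on the
forward path, by inspecting `nft list ruleset` text.

Added example for the firewalld-users thread; not firewalld's own code.
Assumes the firewalld nftables backend chain layout shown in the thread.
"""
import re

# Constructed sample modelled on the ruleset excerpt quoted in the thread.
# The public-zone entry is invented to show a chain that still accepts traffic.
SAMPLE_RULESET = """
table inet firewalld {
    chain filter_FORWARD_IN_ZONES_SOURCE {
        ip saddr 10.254.254.0/24 goto filter_FWDI_block
        ip saddr 192.168.1.0/24 goto filter_FWDI_public
    }
    chain filter_FWDI_block {
        log prefix "filter_FWDI_block_REJECT: "
        reject with icmpx type admin-prohibited
    }
    chain filter_FWDI_public {
        tcp dport 22 accept
        log prefix "filter_FWDI_public_REJECT: "
        reject with icmpx type admin-prohibited
    }
}
"""

CHAIN_RE = re.compile(r"^\s*chain\s+(\S+)\s*\{")
DISPATCH_RE = re.compile(r"^\s*ip saddr\s+(\S+)\s+(goto|jump)\s+(\S+)")


def parse_chains(text):
    """Map chain name -> list of rule lines (stripped), ignoring table wrappers."""
    chains = {}
    current = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        stripped = line.strip()
        if stripped == "}":
            current = None  # end of the current chain (or of the table)
            continue
        if current is not None and stripped:
            chains[current].append(stripped)
    return chains


def zone_chain_for_source(chains, subnet, dispatch="filter_FORWARD_IN_ZONES_SOURCE"):
    """Return the zone chain that the source-dispatch chain sends `subnet` to."""
    for rule in chains.get(dispatch, []):
        m = DISPATCH_RE.match(rule)
        if m and m.group(1) == subnet:
            return m.group(3)
    return None


def audit_source(text, subnet):
    """Summarise how forwarded traffic from `subnet` is treated.

    `blocked` is True only when the zone chain ends in reject/drop and
    contains no accept rule that could let some traffic through first.
    """
    chains = parse_chains(text)
    chain = zone_chain_for_source(chains, subnet)
    if chain is None:
        return {"chain": None, "verdict": None, "accepts": 0, "blocked": False}
    rules = chains[chain]
    verdict = rules[-1].split()[0] if rules else None  # first word of last rule
    accepts = sum(1 for r in rules if r.split()[-1] == "accept")
    return {
        "chain": chain,
        "verdict": verdict,
        "accepts": accepts,
        "blocked": verdict in ("reject", "drop") and accepts == 0,
    }


if __name__ == "__main__":
    for net in ("10.254.254.0/24", "192.168.1.0/24", "172.16.0.0/12"):
        print(net, audit_source(SAMPLE_RULESET, net))
```

On a live host the text would come from `nft list ruleset` instead of the constructed sample; the point of the check is the one Eric makes above, that the zone chain reached from `filter_FORWARD_IN_ZONES_SOURCE` ends in a catch-all reject, so a subnet added with `--add-source` to the block zone is refused on the forward path without any direct rule.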