To add a so-called rich rule to firewalld I did the following.
Check the existing rules after a recent upgrade to Fedora 22. 55555/tcp was a custom app, not a Fedora default.
<pre class="brush: bash; title: ; notranslate" title="">
# firewall-cmd --get-default-zone
FedoraServer
# firewall-cmd --zone=FedoraServer --list-all
FedoraServer (default)
interfaces:
sources:
services: cockpit dhcpv6-client http smtp ssh
ports: 55555/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
</pre>
Let's remove some rules (with --permanent, so they are written to the saved configuration and take effect once the firewall is reloaded or restarted).
<pre class="brush: bash; title: ; notranslate" title="">
# firewall-cmd --permanent --zone=FedoraServer --remove-port=55555/tcp
success
# firewall-cmd --permanent --zone=FedoraServer --remove-service=cockpit
success
# firewall-cmd --permanent --zone=FedoraServer --remove-service=dhcpv6-client
success
</pre>
Add the custom rule non-permanently (runtime configuration only).
** Note: x.x.x.x is a placeholder for a real public IP. Most likely you won't need a public IP but a non-routable (RFC 1918) Class C or B address on your internal network.
<pre class="brush: bash; title: ; notranslate" title="">
# firewall-cmd --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="x.x.x.x/32" port protocol="tcp" port="55555" accept'
success
</pre>
The rule is wrapped in single quotes so that the double quotes, which belong to firewalld's rich rule language, reach firewall-cmd intact as one argument.
Or if you need it permanently added, remember to use --permanent: a rule added without it lives only in the runtime configuration and is lost when firewalld is reloaded or restarted.
Restart the firewall.
<pre class="brush: bash; title: ; notranslate" title="">
# systemctl restart firewalld.service
</pre>
<pre class="brush: bash; title: ; notranslate" title="">
# firewall-cmd --zone=FedoraServer --list-all
FedoraServer (default)
interfaces:
sources:
services: http smtp ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="x.x.x.x/32" port port="55555" protocol="tcp" accept
</pre>
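The same source-restricted port rule as a small script, as an added example that is not part of the original post: it validates the address and port before building the rule string (with the quoting firewalld expects), writes it to the permanent configuration and activates it with a reload instead of a full restart. ZONE, allow_rule and apply_allow_rule are names this example introduces.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the rich rule the post
# adds (allow one IPv4 source to one TCP port), rejects malformed input, and
# writes the rule permanently so it survives a reload or restart.
# The names ZONE, allow_rule and apply_allow_rule are this example's own.

ZONE="${ZONE:-FedoraServer}"

# Print the rich rule for source $1 (IPv4 address or address/prefix) and TCP
# port $2. Returns 1 on malformed input so a typo never becomes a rule.
allow_rule() {
    src="$1"; port="$2"
    addr="${src%%/*}"; mask="${src#*/}"
    [ "$mask" = "$src" ] && mask=32          # no "/" given: single host
    printf '%s' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
        { echo "bad address: $src" >&2; return 1; }
    for o in $(printf '%s' "$addr" | tr . ' '); do
        [ "$o" -le 255 ] || { echo "bad octet in $addr" >&2; return 1; }
    done
    case "$mask" in ''|*[!0-9]*) echo "bad prefix: $src" >&2; return 1 ;; esac
    [ "$mask" -le 32 ] || { echo "bad prefix: $src" >&2; return 1; }
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
        { echo "bad port: $port" >&2; return 1; }
    # The inner double quotes belong to firewalld's rule language; the whole
    # string is handed to firewall-cmd as one argument in apply_allow_rule.
    printf 'rule family="ipv4" source address="%s/%s" port port="%s" protocol="tcp" accept\n' \
        "$addr" "$mask" "$port"
}

# Add the rule to the permanent configuration, activate it with a reload
# (runtime rules added without --permanent would be dropped here), then
# confirm it is present in the running zone.
apply_allow_rule() {
    rule=$(allow_rule "$1" "$2") || return 1
    firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$rule" &&
        firewall-cmd --reload &&
        firewall-cmd --zone="$ZONE" --query-rich-rule="$rule"
}

# Usage as root on a host running firewalld (constructed sample values):
#   apply_allow_rule 192.168.1.20 55555
```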