firewalld specify source port or fromaddr

General support questions
neuronetv
Posts: 89
Joined: 2012/01/08 21:53:07

firewalld specify source port or fromaddr

Post by neuronetv » 2021/09/15 16:54:45

I've been trying for ages to write a firewall rule, but no joy, as I don't know what the correct syntax should be despite much searching on Google.
I did a successful forward port command with this:
# firewall-cmd --permanent --zone=public --add-forward-port=port=5060:proto=udp:toport=5060:toaddr=192.168.1.61
but in this command I need to specify a single source IP so that udp 5060 traffic will only come in from that one IP.
I've tried source-address= and fromaddr=, but nothing works. I always get:
Error: INVALID_FORWARD: invalid forward port arg 'source'
Error: INVALID_FORWARD: invalid forward port arg 'fromaddr'
what should the correct command be?

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: firewalld specify source port or fromaddr

Post by jlehtone » 2021/09/15 18:52:11

First, firewalld is not suitable for routers or other complex setups.

Let's clarify: you have three machines: A, B, and C.
- A connects to udp/5060 of B.
- You want to forward that connection from B to udp/5060 of C.

The "firewalld way" is that world has at least two "zones".
- The A is in zone "X". When packets come from A, rules of zone X handle them
- Everyone else is in zone "Y".
- Zone X has rule to forward 5060 to C

In other words, X is probably a copy of Y, but with added rule and A in its "sources".
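The zone-based approach described above, written out as an added example that is not from the thread: the zone name sip-trusted, the source address 203.0.113.10 and the target 192.168.1.61 are assumed values, and FW_DRY_RUN=1 prints the firewall-cmd invocations instead of running them.

```shell
#!/bin/sh
# Added example (not the poster's command): restrict a firewalld forward-port
# rule to one source host by giving that host its own zone ("zone X" with A in
# its sources). Zone name, source and target addresses below are assumed values.

# Run a command, or print it when FW_DRY_RUN=1 (lets the script be checked
# on a machine without firewalld).
fw_run() {
    if [ "${FW_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# forward_from_source ZONE SOURCE_IP PORT PROTO TARGET_IP
forward_from_source() {
    zone=$1; src=$2; port=$3; proto=$4; target=$5
    # Zone X: a dedicated zone whose only members are the allowed source hosts.
    fw_run firewall-cmd --permanent --new-zone="$zone"
    # Source-based zone assignment: packets from A are handled by zone X's
    # rules (a source match takes precedence over the interface's zone).
    fw_run firewall-cmd --permanent --zone="$zone" --add-source="$src"
    # The forward-port rule itself, same syntax as before, now scoped by zone.
    fw_run firewall-cmd --permanent --zone="$zone" \
        --add-forward-port="port=$port:proto=$proto:toport=$port:toaddr=$target"
    fw_run firewall-cmd --reload
}

# Check afterwards: the zone should list the source and the forward port,
# and hosts outside zone X get no forward rule from the default zone.
show_zone() {
    fw_run firewall-cmd --zone="$1" --list-all
}

# Example invocation with the assumed values.
forward_from_source sip-trusted 203.0.113.10 5060 udp 192.168.1.61
show_zone sip-trusted
```

Any other host still lands in the default zone, which has no forward-port rule, so udp/5060 is only forwarded for the listed source.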

neuronetv
Posts: 89
Joined: 2012/01/08 21:53:07

Re: firewalld specify source port or fromaddr

Post by neuronetv » 2021/09/15 22:14:15

hmmm
Surely there must be a simple way to include a 'from address' in the command I used.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: firewalld specify source port or fromaddr

Post by jlehtone » 2021/09/16 19:31:15

Upstream man firewall-cmd writes:
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]] [--timeout=timeval]

Add the IPv4 forward port. This option can be specified multiple times. If a timeout is supplied, the rule will be active for the specified amount of time and will be removed automatically afterwards. timeval is either a number (of seconds) or number followed by one of characters s (seconds), m (minutes), h (hours), for example 20m or 1h.

The port can either be a single port number portid or a port range portid-portid. The protocol can either be tcp, udp, sctp or dccp. The destination address is a simple IP address.

The --timeout option is not combinable with the --permanent option.

For IPv6 forward ports, please use the rich language.

Note: IP forwarding will be implicitly enabled if toaddr is specified.
Even the future firewall-cmd will have no "from address" in --add-forward-port.
The "simple way" is to add the rule to the zone that will handle the packets "from address". That is how FirewallD wants it.

The other "simple way" is to not use firewalld.service at all. Stay in iptables.service

Whoever
Posts: 1357
Joined: 2013/09/06 03:12:10

Re: firewalld specify source port or fromaddr

Post by Whoever » 2021/09/17 01:03:24

jlehtone wrote (2021/09/16 19:31:15):
    The other "simple way" is to not use firewalld.service at all. Stay in iptables.service

That's what I have done. I keep a "human readable" script with comments and variables (instead of raw IP addresses and device names), which I use to set the iptables, then, after running the script, I use iptables-save.
