
Confused as to what firewall-cmd --add-source<ip> does

Posted: 2019/11/19 09:59:47
by dalilama
I had thought that "firewall-cmd --add-source<ip>" opens up all server ports to the IP address given, effectively whitelisting the IP address. It does not do that. What exactly does it do? This should be simple to understand but I don't.
I read the following on Red Hat support site

>The following procedure allows all incoming traffic from 192.168.2.15 in the trusted zone:
> firewall-cmd --zone=trusted --add-source=192.168.2.15

I read this as: if the interface is in the trusted zone then it is open to all traffic from 192.168.2.15.

I have tried this syntax with the public zone but it does not work.
Traffic from the specified ip address is still blocked

Thanks
George

Re: Confused as to what firewall-cmd --add-source<ip> does

Posted: 2019/11/19 10:29:25
by TrevorH
Looking at the iptables rules behind the scenes it looks like it does the right thing from a quick look to me:

iptables-save > /tmp/a
firewall-cmd --add-source=192.168.2.15
iptables-save > /tmp/b
diff -u /tmp/a /tmp/b

Given firewalld's ridiculous ruleset, the changes that makes are too big for a forum post!

Re: Confused as to what firewall-cmd --add-source<ip> does

Posted: 2019/11/19 11:06:38
by dalilama
Yes, I understood iptables, not perfectly but with a degree of confidence.
Suffice to say that in all the tests I have carried out the syntax of "firewall-cmd --add-source <ip>" does not whitelist the ip. I've even logged a ticket to Red Hat for an explanation but I haven't really got anywhere.

I would have liked to see the ip address added to the "INPUT" chain, but no, I see the following from a grep of iptables-save:
iptables-save | grep 172.16.100
-A POSTROUTING_ZONES_SOURCE -d 172.16.100.0/23 -g POST_public
-A PREROUTING_ZONES_SOURCE -s 172.16.100.0/23 -g PRE_public
-A PREROUTING_ZONES_SOURCE -s 172.16.100.0/23 -g PRE_public
-A PREROUTING_ZONES_SOURCE -s 172.16.100.0/23 -g PRE_public
-A FORWARD_IN_ZONES_SOURCE -s 172.16.100.0/23 -g FWDI_public
-A FORWARD_OUT_ZONES_SOURCE -d 172.16.100.0/23 -g FWDO_public
-A INPUT_ZONES_SOURCE -s 172.16.100.0/23 -g IN_public
And I really don't understand what the above is telling me.

Thanks
George

Re: Confused as to what firewall-cmd --add-source<ip> does

Posted: 2019/11/19 15:42:32
by KernelOops
First of all, --add-source does NOT open any ports. Let's get that out of the way so we can move on.

--add-source binds an IP address (or mask, or MAC, or ipset) to a specific zone. That's all it does.

So... if you run the command you mention above:

> firewall-cmd --zone=trusted --add-source=192.168.2.15

basically all you've done is bind the IP 192.168.2.15 to a zone named "trusted". On its own, it means absolutely nothing, unless you have modified the "trusted" zone to do something.


In other words, what you should be doing is creating a zone named "trusted", opening various ports in that zone and adding a source to that zone. The result is an XML file under /etc/firewalld/zones; here is an example of such a zone that allows ports 80 and 443 for source IP 192.168.2.15.


<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>trusted</short>
  <description>trusted</description>
  <source address="192.168.2.15"/>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="443"/>
</zone>

Re: Confused as to what firewall-cmd --add-source<ip> does

Posted: 2019/11/19 17:06:42
by jlehtone
Put another way:

A zone is what should be done for a packet. A zone does not care about the origin of the packet.

The "source" (or interface) decides, based on the origin, to which zone a packet is given.

Let's say the interface's zone is 'public' (which is the default). SSH is allowed from anywhere.
Then you add source 8.8.8.8 to 'trusted'. Packets from 8.8.8.8 are now handled by trusted, which does allow everything.
All other incoming traffic is still handled by public.
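The two rules spelled out in KernelOops's and jlehtone's replies (a source binding only picks the zone; the zone alone decides what is open) can be checked against a small model. The following is an added example written for this thread, not firewalld's own code: it parses the zone XML posted above plus two constructed zones ('public' with the interface and ssh, 'allowall' with target="ACCEPT" like firewalld's built-in trusted zone), applies firewalld's lookup order (source, then interface, then default zone), and reports whether a given inbound packet would be accepted. The service table, the interface name eth0, and the sample source addresses are assumptions made for the example.

```python
"""Toy model of firewalld zone selection (added illustration, not firewalld code).

Rules modelled, as described in the replies above:
  1. a source binding decides the zone first, then the ingress interface,
     then the default zone;
  2. the zone alone decides whether a port is open; binding a source to a
     zone opens nothing by itself.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed stand-in for /usr/lib/firewalld/services/*.xml
# (assumption: only these three services exist in the model).
SERVICES = {"ssh": {("tcp", 22)}, "http": {("tcp", 80)}, "https": {("tcp", 443)}}

# Zone files: the 'trusted' file posted in the thread, plus two constructed
# zones. 'public' binds interface eth0 and opens ssh; 'allowall' has
# target="ACCEPT", which is how firewalld's built-in trusted zone behaves.
ZONE_XML = {
    "trusted": """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>trusted</short>
  <description>trusted</description>
  <source address="192.168.2.15"/>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="443"/>
</zone>""",
    "public": """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <interface name="eth0"/>
  <service name="ssh"/>
</zone>""",
    "allowall": """<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>allowall</short>
  <source address="8.8.8.8"/>
</zone>""",
}


def _port_range(spec):
    """'80' -> (80, 80); '8000-8080' -> (8000, 8080)."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def parse_zone(name, text):
    """Read the subset of firewalld's zone XML needed for the lookup.
    Only address= sources are modelled (no mac= or ipset= bindings)."""
    root = ET.fromstring(text.encode("utf-8"))
    return {
        "name": name,
        "target": root.get("target", "default"),
        "sources": [ipaddress.ip_network(s.get("address"), strict=False)
                    for s in root.findall("source") if s.get("address")],
        "interfaces": {i.get("name") for i in root.findall("interface")},
        "ports": {(p.get("protocol"),) + _port_range(p.get("port"))
                  for p in root.findall("port")},
        "services": {s.get("name") for s in root.findall("service")},
    }


def load_zones(zone_xml=ZONE_XML):
    return {name: parse_zone(name, text) for name, text in zone_xml.items()}


def select_zone(zones, src_ip, iface, default_zone="public"):
    """Lookup order: source binding, then interface binding, then default zone."""
    ip = ipaddress.ip_address(src_ip)
    for zone in zones.values():
        if any(ip in net for net in zone["sources"]):
            return zone["name"]
    for zone in zones.values():
        if iface in zone["interfaces"]:
            return zone["name"]
    return default_zone


def zone_allows(zone, proto, dport):
    """A zone accepts a packet if its target is ACCEPT or the port/service is listed;
    anything else falls through to the zone's target (reject/drop for 'default')."""
    if zone["target"] == "ACCEPT":
        return True
    if any(p == proto and lo <= dport <= hi for p, lo, hi in zone["ports"]):
        return True
    return any((proto, dport) in SERVICES.get(svc, set()) for svc in zone["services"])


def evaluate(zones, src_ip, iface, proto, dport):
    """Return (zone name, accepted?) for one inbound packet."""
    name = select_zone(zones, src_ip, iface)
    return name, zone_allows(zones[name], proto, dport)


if __name__ == "__main__":
    zones = load_zones()
    for pkt in [("192.168.2.15", "eth0", "tcp", 443),   # source-bound, port listed
                ("192.168.2.15", "eth0", "tcp", 22),    # source-bound, ssh NOT in that zone
                ("203.0.113.9", "eth0", "tcp", 22),     # falls to interface zone 'public'
                ("8.8.8.8", "eth0", "tcp", 3306)]:      # target=ACCEPT zone allows all
        print(pkt, "->", evaluate(zones, *pkt))
```

The second sample packet is the case from the original question: 192.168.2.15 is bound to 'trusted', but because that zone file only lists ports 80 and 443, ssh from that address is still refused. Moving the source to a zone whose target is ACCEPT (the fourth packet) is what actually "whitelists" an address, which is the behaviour jlehtone describes for the built-in trusted zone.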