Rich rule is added with "success" but does not shown eventually in the configuration

Support for security such as Firewalls and securing linux
Post Reply
eitancaspi
Posts: 13
Joined: 2020/02/25 20:11:45

Rich rule is added with "success" but does not shown eventually in the configuration

Post by eitancaspi » 2020/05/11 13:48:56

Hi,

I use latest CentOS 7 and latest Firewalld.

I have a strange situation where when I add a rich rule, the OS shows "success", I reload firewalld, but then rule is missing when I run "firewall-cmd --info-zone=public"... it is also not found at the relevant zone file (public.xml).

The rule is as follows (only IP values were changed for security):

It is a rule to allow specific list of 4 public internet subnet objects as the source (e.g. 4.4.4.4/26 and 5.5.5.5/26), represented as an ipset object, to access to my server (it is the destination, also a public IP), only to port 465 TCP - all of this - in the public zone (my default zone and only one with rules):

firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source ipset="ipset.name" destination address="1.2.3.4" port port="465" protocol="tcp" log level="info" accept'

The same happens even if I use one specific subnet as the source, not using an ipset:

firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="4.4.4.4/26" destination address="1.2.3.4" port port="465" protocol="tcp" log level="info" accept'

Adding totally different rule, similar to one that I already have at the same zone - works fine - after reload it shows as part of the zone's configuration:

Allowing outbound traffic from my server to one specific internet address, without limit to any specific port:

firewall-cmd --zone=public --permanent --add-rich-rule='rule family=ipv4 source address=1.2.3.4/32 destination address=6.6.6.6 protocol value="tcp" log level="info" accept'

Does anyone have an idea how can I solve this?

Thanks.

Thraex
Posts: 38
Joined: 2019/05/14 19:50:28

Re: Rich rule is added with "success" but does not shown eventually in the configuration

Post by Thraex » 2020/05/11 14:08:59

Only the last of your firewall-cmd commands has the --permanent option. If you don't specify this, then the rule will go away when you run firewall-cmd --reload or systemctl restart firewalld. Is that what you're running into?

eitancaspi
Posts: 13
Joined: 2020/02/25 20:11:45

Re: Rich rule is added with "success" but does not shown eventually in the configuration

Post by eitancaspi » 2020/05/11 14:14:04

Thanks Thraex!

I feel so stupid!... :(

I had some much trouble finding the correct syntax to mention a destination port that when finally I found the correct way - I forgot to add the permanent directive... I need a vacation...

Yes, of course, now it works...

Thanks!

Post Reply

Return to “CentOS 7 - Security Support”