Rich rule is added with "success" but is eventually not shown in the configuration
Posted: 2020/05/11 13:48:56
Hi,
I use latest CentOS 7 and latest Firewalld.
I have a strange situation where when I add a rich rule, the OS shows "success", I reload firewalld, but then the rule is missing when I run "firewall-cmd --info-zone=public"... it is also not found in the relevant zone file (public.xml).
The rule is as follows (only IP values were changed for security):
It is a rule to allow a specific list of 4 public internet subnet objects as the source (e.g. 4.4.4.4/26 and 5.5.5.5/26), represented as an ipset object, to access my server (it is the destination, also a public IP), only on port 465 TCP - all of this - in the public zone (my default zone and the only one with rules):
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source ipset="ipset.name" destination address="1.2.3.4" port port="465" protocol="tcp" log level="info" accept'
The same happens even if I use one specific subnet as the source, not using an ipset:
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="4.4.4.4/26" destination address="1.2.3.4" port port="465" protocol="tcp" log level="info" accept'
Adding a totally different rule, similar to one that I already have in the same zone, works fine - after reload it shows as part of the zone's configuration:
Allowing outbound traffic from my server to one specific internet address, without limit to any specific port:
firewall-cmd --zone=public --permanent --add-rich-rule='rule family=ipv4 source address=1.2.3.4/32 destination address=6.6.6.6 protocol value="tcp" log level="info" accept'
Does anyone have an idea how I can solve this?
Thanks.
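An added diagnostic, not part of the original post: firewall-cmd --add-rich-rule without --permanent changes only the runtime configuration, which a reload discards, and in the post the two commands that vanish are exactly the ones without --permanent while the one that persists has it. The script below (assumes Python 3; the inline zone XML is constructed sample data) renders the <rule> elements of a saved zone file such as /etc/firewalld/zones/public.xml back into rich-rule syntax so the persisted state can be checked against the rule that was intended.

```python
"""Render the rich rules persisted in a firewalld zone file back into rich-rule syntax."""
import re
import xml.etree.ElementTree as ET

# Child elements of <rule>, in the order the rich-rule grammar prints them.
_ORDER = ("source", "destination", "service", "port", "protocol", "log", "accept", "reject", "drop")


def _render(el: ET.Element) -> str:
    """<port port="465" protocol="tcp"/> -> 'port port="465" protocol="tcp"'."""
    attrs = dict(el.attrib)
    negate = attrs.pop("invert", "").lower() == "true"  # <source invert="True"> is 'source NOT'
    parts = [el.tag] + (["NOT"] if negate else [])
    parts += [f'{k}="{v}"' for k, v in attrs.items()]
    return " ".join(parts)


def rich_rules(zone_xml: str) -> list[str]:
    """Return every <rule> element of the zone XML as a rich-rule string."""
    rules = []
    for rule in ET.fromstring(zone_xml).iter("rule"):
        parts = ["rule"]
        if "family" in rule.attrib:
            parts.append(f'family="{rule.attrib["family"]}"')
        for tag in _ORDER:
            parts += [_render(child) for child in rule.findall(tag)]
        rules.append(" ".join(parts))
    return rules


def _canonical(rule: str) -> str:
    """Quote bare values (family=ipv4 -> family="ipv4") and collapse whitespace."""
    return " ".join(re.sub(r'=([^"\s]+)', r'="\1"', rule).split())


def has_rich_rule(zone_xml: str, rule: str) -> bool:
    """True if the rule is persisted in the zone file, ignoring quoting/whitespace differences."""
    return _canonical(rule) in rich_rules(zone_xml)


# Constructed sample of /etc/firewalld/zones/public.xml holding only the rule that did persist.
SAMPLE_ZONE_XML = """<zone>
  <short>Public</short>
  <service name="ssh"/>
  <rule family="ipv4">
    <source address="1.2.3.4/32"/>
    <destination address="6.6.6.6"/>
    <protocol value="tcp"/>
    <log level="info"/>
    <accept/>
  </rule>
</zone>"""

if __name__ == "__main__":
    for r in rich_rules(SAMPLE_ZONE_XML):
        print(r)
```

On a real host, pass the contents of /etc/firewalld/zones/public.xml to rich_rules() and compare with firewall-cmd --zone=public --list-rich-rules run with and without --permanent.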