Rich-rule firewalld configuration

mania
Posts: 49
Joined: 2020/12/19 05:55:37

Rich-rule firewalld configuration

Post by mania » 2021/09/06 06:57:24

Hi, I have put my question in the link below, but nobody has replied to my question. Can anybody help me?
https://forum.iredmail.org/post80709.html#p80709

mania
Posts: 49
Joined: 2020/12/19 05:55:37

Firewalld rich rule

Post by mania » 2021/09/06 10:43:59

Hi, I want to control traffic by firewalld and rich rules, e.g.: just multiple IPS can have ssh or https access, or my server should not be allowed to have ssh access to the other servers in the same subnet. How can I write those rules?

I don't have telnet on port 22 from 192.168.15.34; what is wrong with my commands?

rule family="ipv4" source address="192.168.15.34/32" service name="https" log prefix="https Access" level="notice" accept
rule family="ipv4" destination address="192.168.15.34/32" service name="https" log prefix="https Access" level="notice" accept
rule family="ipv4" destination address="192.168.15.34/32" service name="ping" log prefix="ping Access" level="notice" accept
rule family="ipv4" source address="192.168.15.34/32" service name="ping" log prefix="ping Access" level="notice" accept
rule family="ipv4" destination address="192.168.15.34/32" port port="22" protocol="tcp" log prefix="ssh Access" level="notice" accept
rule family="ipv4" source address="192.168.15.34/32" port port="22" protocol="tcp" log prefix="ssh Access" level="notice" accept
firewall-cmd --add-rich-rule='rule family=ipv4 source address=0.0.0.0/0 log prefix="Denied Access" level="notice" reject'

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Rich-rule firewalld configuration

Post by jlehtone » 2021/09/06 19:50:52

It is not clear from either your explanation/example nor the other thread what you actually want.

Please explain without iptables or firewall fragments.

If I read correctly:
* Your server is in subnet a.b.c.d/p.
* You don't want to be able to connect to tcp/22 of any member of a.b.c.d/p
* IPS is a list of IP addresses
* You want to allow new, incoming connections to tcp/22 and tcp/443 from addresses IPS
* You don't want incoming connections to tcp/22 and tcp/443 from anywhere else

If so, there are clearly two zones:
* More permissive zone that allows incoming to tcp/22 and tcp/443 (aka services ssh and https)
* More permissive zone has IPS as sources
* Restricted zone that rejects everything
* Restricted zone is on the interface

The outgoing restriction probably requires rich rule or worse.
* We know that destination is a.b.c.d/p port tcp/22 and we want to reject new connections
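
The layout sketched above rendered as firewall-cmd invocations, as an added example that is not from the thread; the catch-all "reject" rich rule of the first post is deliberately left out, because firewalld evaluates reject/drop rich rules before accept rules, so it overrides the per-address accept rules. Assumed here: interface eth0, subnet 192.168.15.0/24, a zone named mgmt, and a firewalld direct rule (the "worse" option) for the outbound restriction, since zone rich rules only act on traffic arriving at the host, not on connections it originates.

```shell
#!/bin/sh
# Added example (not from the thread): two-zone firewalld layout plus an
# outbound ssh block, emitted as firewall-cmd commands for review first.
# Assumptions: IFACE, SUBNET and the zone name are placeholders for the
# a.b.c.d/p and interface of the thread; trusted addresses (IPS) are args.
set -eu

IFACE="${IFACE:-eth0}"              # assumption: interface on the subnet
SUBNET="${SUBNET:-192.168.15.0/24}" # assumption: the a.b.c.d/p subnet
ZONE="mgmt"                         # permissive zone, our own name

# Print the permanent configuration for the given trusted source addresses.
# Nothing is executed here, so the plan can be inspected before applying.
plan_rules() {
    echo "firewall-cmd --permanent --new-zone=$ZONE"
    for ip in "$@"; do
        # Packets from these sources are classified into $ZONE ...
        echo "firewall-cmd --permanent --zone=$ZONE --add-source=$ip"
    done
    # ... where only ssh and https are accepted.
    echo "firewall-cmd --permanent --zone=$ZONE --add-service=ssh"
    echo "firewall-cmd --permanent --zone=$ZONE --add-service=https"
    # Everything else on the interface falls into 'block', which rejects
    # incoming connections (use 'drop' instead to discard silently).
    echo "firewall-cmd --permanent --zone=block --change-interface=$IFACE"
    # Host-originated new connections to tcp/22 inside the subnet: zones
    # do not filter OUTPUT, so a direct rule is used.
    echo "firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0" \
         "-d $SUBNET -p tcp --dport 22 -m conntrack --ctstate NEW -j REJECT"
    echo "firewall-cmd --reload"
}

# Run the plan (needs root and a running firewalld); set APPLY=1 to enable.
apply_rules() {
    plan_rules "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        if [ "${APPLY:-0}" = "1" ]; then sh -c "$cmd"; fi
    done
}

# With addresses on the command line, show (or with APPLY=1, run) the plan.
if [ "$#" -gt 0 ]; then apply_rules "$@"; fi
```

On a NetworkManager-managed host, bind the interface to the zone with `nmcli connection modify <name> connection.zone block` rather than `--change-interface`, otherwise NetworkManager may reset it.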
