
Rich-rule firewalld configuration

Posted: 2021/09/06 06:57:24
by mania
Hi, I have put my question in the link below, but nobody has replied to my question. Can anybody help me?
https://forum.iredmail.org/post80709.html#p80709

Firewalld rich rule

Posted: 2021/09/06 10:43:59
by mania
Hi, I want to control traffic by firewalld and rich rules, e.g.: just multiple IPS can have ssh or https access, or my server is not allowed to have ssh access to the other servers in the same subnet. How can I write those rules?


I don't have telnet on port 22 from 192.168.15.34; what is wrong with my cmd?

rule family="ipv4" source address="192.168.15.34/32" service name="https" log prefix="https Access" level="notice" accept
rule family="ipv4" destination address="192.168.15.34/32" service name="https" log prefix="https Access" level="notice" accept
rule family="ipv4" destination address="192.168.15.34/32" service name="ping" log prefix="https Access" level="notice" accept
rule family="ipv4" source address="192.168.15.34/32" service name="ping" log prefix="https Access" level="notice" accept
rule family="ipv4" destination address="192.168.15.34/32" port port="22" protocol="tcp" log prefix="https Access" level="notice" accept
rule family="ipv4" source address="192.168.15.34/32" port port="22" protocol="tcp" log prefix="ssh Access" level="notice" accept
firewall-cmd --add-rich-rule='rule family=ipv4 source address=0.0.0.0/0 log prefix="Denied Access" level="notice" reject'

Re: Rich-rule firewalld configuration

Posted: 2021/09/06 19:50:52
by jlehtone
It is not clear from either your explanation/example or the other thread what you actually want.

Please explain without iptables or firewall fragments.

If I read correctly:
* Your server is in subnet a.b.c.d/p.
* You don't want to be able to connect to tcp/22 of any member of a.b.c.d/p
* IPS is a list of IP addresses
* You want to allow new, incoming connections to tcp/22 and tcp/443 from addresses IPS
* You don't want incoming connections to tcp/22 and tcp/443 from anywhere else

If so, there are clearly two zones:
* More permissive zone that allows incoming to tcp/22 and tcp/443 (aka services ssh and https)
* More permissive zone has IPS as sources
* Restricted zone that rejects everything
* Restricted zone is on the interface

The outgoing restriction probably requires a rich rule or worse.
* We know that destination is a.b.c.d/p port tcp/22 and we want to reject new connections
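The two-zone layout sketched in the reply above, written out as the firewall-cmd invocations it implies. This is an added example and not code from either poster; the interface name, the admin address list, the subnet and the zone/policy names are constructed placeholders set at the top. The outbound restriction uses a firewalld policy object (the "rich rule" variant, available in firewalld 0.9 and later) because zones only classify incoming traffic; the "worse" alternative is a direct rule in the OUTPUT chain, mentioned in the note after the block.

```shell
#!/bin/sh
# Added example, not code from the forum thread. It turns the two-zone design
# from the reply into firewall-cmd commands. Every value below is a placeholder
# (assumed interface, constructed admin addresses, assumed subnet and names).

IFACE="${IFACE:-eth0}"                      # assumed: interface facing the LAN
IPS="${IPS:-192.168.15.34 192.168.15.35}"   # constructed: the allowed admin hosts (IPS)
SUBNET="${SUBNET:-192.168.15.0/24}"         # assumed: a.b.c.d/p from the reply
ZONE="${ZONE:-admins}"                      # assumed: name of the permissive zone
POLICY="${POLICY:-no-lan-ssh}"              # assumed: name of the outbound policy

# Emit one firewall-cmd command per line so the set can be reviewed before
# it is applied; nothing is executed here.
gen_firewalld_cmds() {
  # Restricted zone on the interface: the built-in "block" zone rejects every
  # incoming connection that no more specific zone has claimed.
  echo "firewall-cmd --permanent --zone=block --change-interface=$IFACE"

  # Permissive zone: firewalld matches a packet's source before its interface,
  # so traffic from IPS lands here and is allowed to ssh and https only.
  echo "firewall-cmd --permanent --new-zone=$ZONE"
  for ip in $IPS; do
    echo "firewall-cmd --permanent --zone=$ZONE --add-source=$ip"
  done
  echo "firewall-cmd --permanent --zone=$ZONE --add-service=ssh"
  echo "firewall-cmd --permanent --zone=$ZONE --add-service=https"

  # Outgoing restriction: zones do not filter traffic the host itself sends,
  # so a policy from HOST to ANY carries the rich rule that rejects new
  # connections to tcp/22 anywhere in the local subnet.
  echo "firewall-cmd --permanent --new-policy=$POLICY"
  echo "firewall-cmd --permanent --policy=$POLICY --add-ingress-zone=HOST"
  echo "firewall-cmd --permanent --policy=$POLICY --add-egress-zone=ANY"
  echo "firewall-cmd --permanent --policy=$POLICY --add-rich-rule='rule family=ipv4 destination address=$SUBNET port port=22 protocol=tcp reject'"

  # Permanent changes only take effect, atomically, on reload.
  echo "firewall-cmd --reload"
}

# Usage: sh two-zones.sh         -> print the commands for review
#        sh two-zones.sh apply   -> run them (needs root)
if [ "${1:-}" = "apply" ]; then
  gen_firewalld_cmds | sh -e
else
  gen_firewalld_cmds
fi
```

Because everything is staged with --permanent and only becomes active at --reload, the block zone on the interface and the admin zone with its sources are installed together, so an admin connecting from one of the IPS addresses is not cut off in between. On a firewalld older than 0.9, without policy objects, the equivalent of the outbound rich rule is a direct rule, for example `firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -d 192.168.15.0/24 -p tcp --dport 22 -m conntrack --ctstate NEW -j REJECT`; after either variant, `firewall-cmd --get-active-zones` and `firewall-cmd --info-policy no-lan-ssh` (or `--direct --get-all-rules`) confirm what is loaded.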