Confused as to what firewall-cmd --add-source<ip> does

Support for security such as Firewalls and securing linux
Post Reply
Posts: 2
Joined: 2019/11/19 09:48:22

Confused as to what firewall-cmd --add-source<ip> does

Post by dalilama » 2019/11/19 09:59:47

I had thought that "firewall-cmd --add-source<ip>" opens up all server ports to the ip address given, effectively whitelisting the ip address. It does not do that. What exactly does it do ? This should be simple to understand but I don't.
I read the following on Red Hat support site

>The following procedure allows all incoming traffic from in the trusted zone:
> firewall-cmd --zone=trusted --add-source=

I read this as if the interface in in the trusted zone then it is open to all traffic from

I have tried this syntax with the public zone but it does not work.
Traffic from the specified ip address is still blocked


User avatar
Forum Moderator
Posts: 29060
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Confused as to what firewall-cmd --add-source<ip> does

Post by TrevorH » 2019/11/19 10:29:25

Looking at the iptables rules behind the scenes it looks like it does the right thing from a quick look to me:

iptables-save > /tmp/a
firewall-cmd --add-source=
iptables-save > /tmp/b
diff -u /tmp/a /tmp/b

Given firewalld's ridiculous ruleset, the changes that makes are too big for a forum post!
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

Posts: 2
Joined: 2019/11/19 09:48:22

Re: Confused as to what firewall-cmd --add-source<ip> does

Post by dalilama » 2019/11/19 11:06:38

Yes, I understood iptables, not perfectly but with a degree of confidence.
Suffice to say that in all the tests I have carried out the syntax of "firewall-cmd --add-source <ip>" does not whitelist the ip. I've even logged a ticket to Red Hat for an explanation but I haven't really got anywhere.

I would have liked to see the ip address added to the "INPUT" chain, but no, I see the following from a grep of iptables-save:
iptables-save | grep 172.16.100
And I really don't understand what the above is telling me.


User avatar
Posts: 271
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: Confused as to what firewall-cmd --add-source<ip> does

Post by KernelOops » 2019/11/19 15:42:32

First of all, --add-source does NOT open any ports. Lets get that out of the way so we can move on.

--add-source binds an IP address (or mask, or MAC, or ipset) to a specific zone. Thats all it does.

So... if you run the command you mention above:

> firewall-cmd --zone=trusted --add-source=

basically all you've done, is to bind the IP to a zone named "trusted". On its own, it means absolutely nothing, unless you have modified the "trusted" zone to do something.

In other words, what you should be doing, is create a zone named "trusted", open various ports in that zone and add a source to that zone. The result, is an XML file under /etc/firewalld/zones, here is an example of such a zone that allows ports 80 and 443 for source IP

Code: Select all

<?xml version="1.0" encoding="utf-8"?>
  <source address=""/>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="443"/>
I love my computer - all my friends live there.

User avatar
Posts: 2923
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Confused as to what firewall-cmd --add-source<ip> does

Post by jlehtone » 2019/11/19 17:06:42

Put other way:

A zone is what should be done for a packet. A zone does not care about the origin of the packet.

The "source" (or interface) decides, based on the origin, to which zone a packet is given.

Let's say interface's zone is 'public' (which is the default). Ssh is allowed from anywhere.
Then you add source to 'trusted'. Packets from are now handled by trusted, which does allow everything.
All other incoming traffic is still handled by the public.

Post Reply

Return to “CentOS 7 - Security Support”