Hi, I have put my question in the link below, but nobody has replied to my question. Can anybody help me?
https://forum.iredmail.org/post80709.html#p80709
Rich-rule firewalld configuration
Firewalld rich rule
Hi, I want to control traffic by firewalld and rich rules, e.g.: only multiple IPs can have ssh or https access, or my server is not allowed to have ssh access to the other servers in the same subnet. How can I write those rules?
I don't have telnet on port 22 from 192.168.15.34; what is wrong with my cmd?
rule family="ipv4" source address="192.168.15.34/32" service name="https" log prefix="https Access" level="notice" accept
rule family="ipv4" destination address="192.168.15.34/32" service name="https" log prefix="https Access" level="notice" accept
rule family="ipv4" destination address="192.168.15.34/32" service name="ping" log prefix="https Access" level="notice" accept
rule family="ipv4" source address="192.168.15.34/32" service name="ping" log prefix="https Access" level="notice" accept
rule family="ipv4" destination address="192.168.15.34/32" port port="22" protocol="tcp" log prefix="https Access" level="notice" accept
rule family="ipv4" source address="192.168.15.34/32" port port="22" protocol="tcp" log prefix="ssh Access" level="notice" accept
firewall-cmd --add-rich-rule='rule family=ipv4 source address=0.0.0.0/0 log prefix="Denied Access" level="notice" reject'
Re: Rich-rule firewalld configuration
It is not clear from either your explanation/example or the other thread what you actually want.
Please explain without iptables or firewall fragments.
If I read correctly:
* Your server is in subnet a.b.c.d/p.
* You don't want to be able to connect to tcp/22 of any member of a.b.c.d/p
* IPS is a list of IP addresses
* You want to allow new, incoming connections to tcp/22 and tcp/443 from addresses IPS
* You don't want incoming connections to tcp/22 and tcp/443 from anywhere else
If so, there are clearly two zones:
* More permissive zone that allows incoming to tcp/22 and tcp/443 (aka services ssh and https)
* More permissive zone has IPS as sources
* Restricted zone that rejects everything
* Restricted zone is on the interface
The outgoing restriction probably requires a rich rule or worse.
* We know that destination is a.b.c.d/p port tcp/22 and we want to reject new connections
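The two-zone layout and the outgoing restriction described above, written out as firewall-cmd calls; this is an added shell example, not code from the thread. The zone name admins, interface eth0, policy name no-lateral-ssh and subnet 192.168.15.0/24 are assumed placeholders, and the policy object used for the outbound part needs firewalld 0.9 or later.

```shell
#!/bin/sh
# Added example, not from the thread: the reply's two-zone layout as firewall-cmd
# calls. Assumed placeholders: zone "admins", interface "eth0", policy
# "no-lateral-ssh", subnet 192.168.15.0/24; 192.168.15.34 is the asker's address.
# FW="echo firewall-cmd" prints the commands instead of running them.
FW="${FW:-firewall-cmd}"

# Permissive zone: bound to source addresses, so the listed IPs are matched
# here first; everything else falls through to the interface-bound zone.
permissive_zone() {
    zone="$1"; shift
    $FW --permanent --new-zone="$zone"
    $FW --permanent --zone="$zone" --add-service=ssh
    $FW --permanent --zone="$zone" --add-service=https
    for ip in "$@"; do
        $FW --permanent --zone="$zone" --add-source="$ip"
    done
}

# Restricted zone on the interface: the built-in "block" zone rejects every
# incoming connection that no source-bound zone claimed.
restricted_interface() {
    $FW --permanent --zone=block --change-interface="$1"
}

# Outgoing restriction: zones only filter inbound traffic, so this needs a
# firewalld policy (0.9+) from HOST to ANY, the reply's "rich rule or worse";
# on older releases the equivalent is a --direct rule in the OUTPUT chain.
no_lateral_ssh() {
    policy="$1"; subnet="$2"
    $FW --permanent --new-policy="$policy"
    $FW --permanent --policy="$policy" --add-ingress-zone=HOST
    $FW --permanent --policy="$policy" --add-egress-zone=ANY
    $FW --permanent --policy="$policy" --add-rich-rule="rule family=\"ipv4\" \
destination address=\"$subnet\" port port=\"22\" protocol=\"tcp\" reject"
}

apply_all() {
    permissive_zone admins 192.168.15.34/32   # add further IPS entries here
    restricted_interface eth0
    no_lateral_ssh no-lateral-ssh 192.168.15.0/24
    $FW --reload
}

case "${1:-}" in
    apply) apply_all ;;
    *) echo "usage: FW='echo firewall-cmd' sh $0 apply  (drop FW= to apply for real)" >&2 ;;
esac
```

Because source-bound zones are evaluated before interface-bound ones, the listed addresses land in admins and every other source hits block.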