[ale] Firewalld rich rule sanity check

Beddingfield, Allen allen at ua.edu
Tue Dec 3 12:03:24 EST 2019


I'm wondering about syntax for firewalld rich rules.
For example, if I want to allow 192.168.0.80 through 192.168.0.95
.81-.94 would be the start and end addresses of 192.168.0.80/28

Could I do:
firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.80 port port=80 protocol=tcp accept' --permanent
firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.80/28 port port=80 protocol=tcp accept' --permanent
firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.95 port port=80 protocol=tcp accept' --permanent

Or, would it be an issue that I am explicitly defining a rule for what would be the network and broadcast address of a subnet I've defined in another rule?
Am I going to have to do one rich rule per-ip?

Ideally, I would like to be able to just specify a range of IP addresses, the way I used to be able to do pre-firewalld, but I can't find a way to do that (192.168.0.80:192.168.0.95).

One rule per ip wouldn't be that big of a deal for the example above, but I have a situation where a vendor has provided a huge list of ip ranges to whitelist that don't cleanly fall along subnet boundaries.  Some are close, but none are exact.

Thanks.
Allen B.
--
Allen Beddingfield
Systems Engineer
Office of Information Technology
The University of Alabama
Office 205-348-2251
allen at ua.edu


More information about the Ale mailing list