[ale] Firewalld rich rule sanity check

Beddingfield, Allen allen at ua.edu
Tue Dec 3 13:53:54 EST 2019


Thanks.  I'm familiar with the syntax.  My specific question is around allowing a specified range of IP addresses that is not an exact subnet.

So:
In 192.168.0.0/24, I want to ONLY allow 192.168.0.80 through 192.168.0.95
That range does not exactly match a subnet that can be defined.  The closest is:
192.168.0.80/28.  The starting IP of that would be 192.168.0.81, and the ending would be 192.168.0.94.  The network IP is 192.168.0.80, and the broadcast address is 192.168.0.95.

What is the best way to specify this?
From what I can tell, firewalld doesn't allow for specifying an arbitrary range of ip addresses as source.  It can be a single IP or a network specified this way: 192.168.0.0/24

The two ideas I had are:

This:
(In this example, will it be a problem that I'm specifying a separate rule for what is already defined to be a broadcast and network ip?)

firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.80 port port=80 protocol=tcp accept' --permanent

firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.80/28 port port=80 protocol=tcp accept' --permanent 

firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.95 port port=80 protocol=tcp accept' --permanent

Or This:
firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.80 port port=80 protocol=tcp accept' --permanent

firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.81 port port=80 protocol=tcp accept' --permanent

etc...etc... through 

firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.95 port port=80 protocol=tcp accept' --permanent

Allen B.
--
Allen Beddingfield
Systems Engineer
Office of Information Technology
The University of Alabama
Office 205-348-2251
allen at ua.edu
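The range question above comes down to two facts a packet filter relies on. First, a source match such as 192.168.0.80/28 is a pure bitmask test: every one of the 16 addresses from .80 through .95 matches, and the "network" and "broadcast" addresses are only a host-addressing convention, so no extra per-address rules are needed for .80 and .95. Second, a range that does not start and end on a prefix boundary can always be expressed as a small list of CIDR blocks, which is what the Python `ipaddress` module's `summarize_address_range` computes. The script below is an added example, not code from the thread or from the firewalld project; it prints the `firewall-cmd` lines for either approach (one rich rule per block, or a single `hash:net` ipset referenced from one rich rule, which is the better fit for a long vendor list). The ipset name `vendor`, port 80/tcp and the sample ranges are assumptions chosen for illustration.

```python
"""Turn arbitrary IPv4 ranges into the minimal CIDR cover and emit firewalld commands.

Added example for the thread above; not code from firewalld or the list posters.
Only standard firewall-cmd options are used (--add-rich-rule, --new-ipset,
--ipset/--add-entry, --zone, --permanent, --reload).
"""
import ipaddress
import shlex
from typing import List, Optional, Sequence, Tuple


def cidr_cover(start: str, end: str) -> List[str]:
    """Smallest list of CIDR blocks whose union is exactly start..end inclusive.

    A prefix match is a bitmask test, so every address in a block matches,
    first and last included; there is no network/broadcast exclusion in a
    packet filter. An exact /28 such as .80-.95 therefore comes back as one block.
    """
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError(f"range end {end} precedes start {start}")
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def rich_rules(start: str, end: str, port: int = 80, proto: str = "tcp",
               zone: Optional[str] = None) -> List[str]:
    """One permanent rich rule per covering block (the per-rule approach from the thread)."""
    zone_opt = f" --zone={zone}" if zone else ""
    cmds = []
    for net in cidr_cover(start, end):
        rule = (f'rule family="ipv4" source address="{net}" '
                f'port port="{port}" protocol="{proto}" accept')
        cmds.append(f"firewall-cmd --permanent{zone_opt} --add-rich-rule={shlex.quote(rule)}")
    return cmds


def ipset_commands(name: str, ranges: Sequence[Tuple[str, str]], port: int = 80,
                   proto: str = "tcp", zone: Optional[str] = None) -> List[str]:
    """Many ranges: one hash:net ipset holding every covering block, one rule referencing it.

    `name` is an assumed ipset name; hash:net accepts CIDR entries, so every block
    from cidr_cover() can be added as-is.
    """
    zone_opt = f" --zone={zone}" if zone else ""
    cmds = [f"firewall-cmd --permanent --new-ipset={name} --type=hash:net"]
    for start, end in ranges:
        for net in cidr_cover(start, end):
            cmds.append(f"firewall-cmd --permanent --ipset={name} --add-entry={net}")
    rule = (f'rule family="ipv4" source ipset="{name}" '
            f'port port="{port}" protocol="{proto}" accept')
    cmds.append(f"firewall-cmd --permanent{zone_opt} --add-rich-rule={shlex.quote(rule)}")
    cmds.append("firewall-cmd --reload")  # permanent changes take effect only after reload
    return cmds


if __name__ == "__main__":
    # Constructed sample ranges: the one from the thread (an exact /28) and a
    # deliberately unaligned one that needs six blocks.
    sample = [("192.168.0.80", "192.168.0.95"), ("192.168.0.81", "192.168.0.94")]
    for start, end in sample:
        print(f"# {start}-{end} -> {cidr_cover(start, end)}")
        print("\n".join(rich_rules(start, end, zone="public")))
    print("\n".join(ipset_commands("vendor", sample, zone="public")))
```

Run it once to see the difference: `192.168.0.80-192.168.0.95` collapses to a single `192.168.0.80/28`, while `192.168.0.81-192.168.0.94` needs `/32`, `/31`, `/30`, `/30`, `/31`, `/32`. For a vendor list of dozens of ranges, feed every (start, end) pair to `ipset_commands()` and you get one rule to audit instead of hundreds; `firewall-cmd --info-ipset=vendor` then shows exactly what is allowed.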


________________________________________
From: Lightner, Jeffrey <JLightner at dsservices.com>
Sent: Tuesday, December 3, 2019 11:51 AM
To: Beddingfield, Allen; Atlanta Linux Enthusiasts
Subject: RE: Firewalld rich rule sanity check

When I've added an IP range I've done it like:
firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source  address="192.168.0.80/28" port port="80" protocol="tcp" accept' --permanent

Where public was the firewalld default active zone.  You can define different zones for different NICs so you may want to check the zone(s) assigned to your NIC(s) as it is important.  A key thing to know is you don't tell firewalld which NIC is in which zone - instead, you define the zone within the NIC's config.  (At least for RedHat derived OSes such as RHEL, Fedora and CentOS)

-----Original Message-----
From: Ale <ale-bounces at ale.org> On Behalf Of Beddingfield, Allen via Ale
Sent: Tuesday, December 03, 2019 12:03 PM
To: Atlanta Linux Enthusiasts <ale at ale.org>
Subject: [ale] Firewalld rich rule sanity check

I'm wondering about syntax for firewalld rich rules.
For example, if I want to allow 192.168.0.80 through 192.168.0.95
.81-.94 would be the start and end addresses of 192.168.0.80/28

Could I do:
firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.80 port port=80 protocol=tcp accept' --permanent
firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.80/28 port port=80 protocol=tcp accept' --permanent
firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.95 port port=80 protocol=tcp accept' --permanent

Or, would it be an issue that I am explicitly defining a rule for what would be the network and broadcast address of a subnet I've defined in another rule?
Am I going to have to do one rich rule per-ip?

Ideally, I would like to be able to just specify a range of IP addresses, the way I used to be able to do pre-firewalld, but I can't find a way to do that (192.168.0.80:192.168.0.95).

One rule per ip wouldn't be that big of a deal for the example above, but I have a situation where a vendor has provided a huge list of ip ranges to whitelist that don't cleanly fall along subnet boundaries.  Some are close, but none are exact.

Thanks.
Allen B.
--
Allen Beddingfield
Systems Engineer
Office of Information Technology
The University of Alabama
Office 205-348-2251
allen at ua.edu
_______________________________________________
Ale mailing list
Ale at ale.org
https://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/mailman/listinfo