[ale] Firewalld rich rule sanity check

Beddingfield, Allen allen at ua.edu
Tue Dec 3 14:04:52 EST 2019


Yeah, it seems to be a major lacking feature that you can't just specify a range.
The problem is that it won't be 15.  It will be a few hundred.  I've got a page of ranges like that to allow.  Sure it will work, but it seems like there should be a cleaner way (start ip:end ip)
Allen B.

--
Allen Beddingfield
Systems Engineer
Office of Information Technology
The University of Alabama
Office 205-348-2251
allen at ua.edu


________________________________________
From: Jim Kinney <jim.kinney at gmail.com>
Sent: Tuesday, December 3, 2019 1:01 PM
To: Beddingfield, Allen; Atlanta Linux Enthusiasts
Subject: Re: [ale] Firewalld rich rule sanity check

Looks like time for a quick script to generate 15 rules.

You can also use a larger block after a hard exclusion as a filter. Or use the small subnet and add the missing ones.

Either way, I would add the singles first (toward the top of the chain) and the group at the bottom.

On Tue, 2019-12-03 at 18:53 +0000, Beddingfield, Allen via Ale wrote:

Thanks.  I'm familiar with the syntax.  My specific question is around allowing a specified range of IP addresses that is not an exact subnet.


So:

In 192.168.0.0/24, I want to ONLY allow 192.168.0.80 through 192.168.0.95

That range does not exactly match a subnet that can be defined.  The closest is:

192.168.0.80/28.  The starting IP of that would be 192.168.0.81, and the ending would be 192.168.0.94.  The network IP is 192.168.0.80, and the broadcast address is 192.168.0.95.


What is the best way to specify this?

From what I can tell, firewalld doesn't allow for specifying an arbitrary range of ip addresses as source.  It can be a single IP or a network specified this way: 192.168.0.0/24


The two ideas I had are:


This:

(In this example, will it be a problem that I'm specifying a separate rule for what is already defined to be a broadcast and network ip?)


firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.80 port port=80 protocol=tcp accept' --permanent


firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.80/28 port port=80 protocol=tcp accept' --permanent


firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.95 port port=80 protocol=tcp accept' --permanent


Or This:

firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.80 port port=80 protocol=tcp accept' --permanent


firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.81 port port=80 protocol=tcp accept' --permanent


etc...etc... through


firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.95 port port=80 protocol=tcp accept' --permanent


Allen B.

--

Allen Beddingfield

Systems Engineer

Office of Information Technology

The University of Alabama

Office 205-348-2251

allen at ua.edu




________________________________________

From: Lightner, Jeffrey <JLightner at dsservices.com>

Sent: Tuesday, December 3, 2019 11:51 AM

To: Beddingfield, Allen; Atlanta Linux Enthusiasts

Subject: RE: Firewalld rich rule sanity check


When I've added an IP range I've done it like:

firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.0.80/28" port port="80" protocol="tcp" accept' --permanent


Where public was the firewalld default active zone.   You can define different zones for different NICs so you may want to check the zone(s) assigned to your NIC(s) as it is important.   A key thing to know is you don't tell firewalld which NIC is in which zone - instead, you define the zone within the NIC's config.   (At least for RedHat derived OSes such as RHEL, Fedora and CentOS)


-----Original Message-----

From: Ale <ale-bounces at ale.org> On Behalf Of Beddingfield, Allen via Ale

Sent: Tuesday, December 03, 2019 12:03 PM

To: Atlanta Linux Enthusiasts <ale at ale.org>

Subject: [ale] Firewalld rich rule sanity check


I'm wondering about syntax for firewalld rich rules.

For example, if I want to allow 192.168.0.80 through 192.168.0.95

.81-.94 would be the start and end addresses of 192.168.0.80/28


Could I do:

firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.80 port port=80 protocol=tcp accept' --permanent

firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.80/28 port port=80 protocol=tcp accept' --permanent

firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.95 port port=80 protocol=tcp accept' --permanent


Or, would it be an issue that I am explicitly defining a rule for what would be the network and broadcast address of a subnet I've defined in another rule?

Am I going to have to do one rich rule per-ip?


Ideally, I would like to be able to just specify a range of IP addresses, the way I used to be able to do pre-firewalld, but I can't find a way to do that (192.168.0.80:192.168.0.95).


One rule per ip wouldn't be that big of a deal for the example above, but I have a situation where a vendor has provided a huge list of ip ranges to whitelist that don't cleanly fall along subnet boundaries.  Some are close, but none are exact.


Thanks.

Allen B.

--

Allen Beddingfield

Systems Engineer

Office of Information Technology

The University of Alabama

Office 205-348-2251

allen at ua.edu


_______________________________________________

Ale mailing list

Ale at ale.org

https://mail.ale.org/mailman/listinfo/ale


See JOBS, ANNOUNCE and SCHOOLS lists at

http://mail.ale.org/mailman/listinfo




--

James P. Kinney III

Every time you stop a school, you will have to build a jail. What you gain at one end you lose at the other. It's like feeding a dog on his own tail. It won't fatten the dog.
- Speech 11/23/1900 Mark Twain

http://heretothereideas.blogspot.com/
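Jim's suggestion above was a quick script to generate the rules. The following is an added example of that script, not code from anyone in the thread: it takes a list of start/end IPv4 ranges (the kind of list a vendor hands over), splits each into the fewest CIDR blocks that cover it exactly, and prints one firewalld rich rule per block in the syntax Jeffrey used. The function names, the `public` zone and the constructed sample ranges are my assumptions; port 80/tcp comes from the thread. One point it makes concrete: a source match of 192.168.0.80/28 matches all sixteen addresses .80 through .95, because "network" and "broadcast" are subnet-addressing conventions and not something the packet filter excludes, so the separate .80 and .95 rules in the original question are redundant rather than harmful. The `covers_exactly` check is the sanity check from the subject line: it confirms the generated blocks contain every address in the range and nothing outside it.

```python
"""Turn arbitrary IPv4 ranges into firewalld rich rules.

Added example for the thread above; not code from the list or from the
firewalld project.  Zone name, port and sample ranges are assumptions.
"""
import ipaddress
import shlex
from typing import Iterable, List, Tuple

# Constructed sample input: the range from the thread plus two made-up
# vendor-style ranges that do not fall on subnet boundaries.
SAMPLE_RANGES: List[Tuple[str, str]] = [
    ("192.168.0.80", "192.168.0.95"),    # exactly one /28
    ("192.168.0.80", "192.168.0.100"),   # /28 + /30 + /32
    ("10.20.30.7", "10.20.30.9"),        # /32 + /31
]


def range_to_networks(start: str, end: str) -> List[ipaddress.IPv4Network]:
    """Minimal list of CIDR blocks covering start..end inclusive.

    A block such as 192.168.0.80/28 used as a firewall *source* matches all
    16 addresses .80-.95; the filter does not skip the first/last address.
    """
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError(f"range end {end} precedes start {start}")
    return list(ipaddress.summarize_address_range(first, last))


def covers_exactly(start: str, end: str,
                   nets: Iterable[ipaddress.IPv4Network]) -> bool:
    """Sanity check: the blocks cover every address in the range and no more."""
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    nets = list(nets)
    expected = int(last) - int(first) + 1
    total = sum(n.num_addresses for n in nets)
    # n[0] is the block's lowest address, n[-1] its highest.
    inside = all(first <= n[0] and n[-1] <= last for n in nets)
    return inside and total == expected


def rich_rule(source: ipaddress.IPv4Network, port: int,
              proto: str = "tcp", zone: str = "public") -> str:
    """One permanent firewall-cmd invocation for a single source block.

    shlex.quote wraps the rule in single quotes so the inner double quotes
    survive the shell, matching the form used earlier in the thread.
    """
    rule = (f'rule family="ipv4" source address="{source.with_prefixlen}" '
            f'port port="{port}" protocol="{proto}" accept')
    return (f"firewall-cmd --permanent --zone={shlex.quote(zone)} "
            f"--add-rich-rule={shlex.quote(rule)}")


def rules_for_ranges(ranges: Iterable[Tuple[str, str]], port: int,
                     proto: str = "tcp", zone: str = "public") -> List[str]:
    """Expand every range, verify the expansion, and emit the command list.

    Ends with a reload so the --permanent rules become active.
    """
    commands: List[str] = []
    for start, end in ranges:
        nets = range_to_networks(start, end)
        if not covers_exactly(start, end, nets):   # should never fail
            raise RuntimeError(f"expansion of {start}-{end} is not exact")
        commands.extend(rich_rule(n, port, proto, zone) for n in nets)
    commands.append("firewall-cmd --reload")
    return commands


if __name__ == "__main__":
    # Review the output before piping it to a shell on a real host.
    for cmd in rules_for_ranges(SAMPLE_RANGES, port=80):
        print(cmd)
```

Running it prints six `firewall-cmd` lines followed by the reload; for a real vendor list, replace `SAMPLE_RANGES` with the parsed ranges and check the count against the list before applying. Because the blocks are generated from the range endpoints rather than typed by hand, an off-by-one at a range boundary shows up as a `covers_exactly` failure instead of a silently wider or narrower allow.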

