[ale] Firewalld rich rule sanity check

Jim Kinney jim.kinney at gmail.com
Tue Dec 3 14:01:36 EST 2019


Looks like time for a quick script to generate 15 rules.
You can also use a larger block after a hard exclusion as a filter. Or
use the small subnet and add the missing ones.
Either way, I would add the singles first (toward the top of the chain)
and the group at the bottom.
On Tue, 2019-12-03 at 18:53 +0000, Beddingfield, Allen via Ale wrote:
> Thanks.  I'm familiar with the syntax.  My specific question is
> around allowing a specified range of IP addresses that is not an
> exact subnet.
> So: In 192.168.0.0/24, I want to ONLY allow 192.168.0.80 through
> 192.168.0.95. That range does not exactly match a subnet that can be
> defined.  The closest is: 192.168.0.80/28.  The starting IP of that
> would be 192.168.0.81, and the ending would be 192.168.0.94.  The
> network IP is 192.168.0.80, and the broadcast address is
> 192.168.0.95.
> What is the best way to specify this? From what I can tell, firewalld
> doesn't allow for specifying an arbitrary range of IP addresses as
> source.  It can be a single IP or a network specified this way:
> 192.168.0.0/24
> The two ideas I had are:
> This: (In this example, will it be a problem that I'm specifying a
> separate rule for what is already defined to be a broadcast and
> network IP?)
> firewall-cmd --add-rich-rule='rule family ipv4 source
> address=192.168.0.80 port port=80 protocol=tcp accept' --permanent
> firewall-cmd --add-rich-rule='rule family ipv4 source
> address=192.168.0.80/28 port port=80 protocol=tcp accept' --permanent
> firewall-cmd --add-rich-rule='rule family ipv4 source
> address=192.168.0.95 port port=80 protocol=tcp accept' --permanent
> Or this:
> firewall-cmd --add-rich-rule='rule family ipv4 source
> address=192.168.0.80 port port=80 protocol=tcp accept' --permanent
> firewall-cmd --add-rich-rule='rule family ipv4 source
> address=192.168.0.81 port port=80 protocol=tcp accept' --permanent
> etc... etc... through
> firewall-cmd --add-rich-rule='rule family ipv4 source
> address=192.168.0.95 port port=80 protocol=tcp accept' --permanent
> Allen B.
> --
> Allen Beddingfield
> Systems Engineer
> Office of Information Technology
> The University of Alabama
> Office 205-348-2251
> allen at ua.edu
> 
> 
> ________________________________________
> From: Lightner, Jeffrey <JLightner at dsservices.com>
> Sent: Tuesday, December 3, 2019 11:51 AM
> To: Beddingfield, Allen; Atlanta Linux Enthusiasts
> Subject: RE: Firewalld rich rule sanity check
> When I've added an IP range I've done it like:
> firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4"
> source address="192.168.0.80/28" port port="80" protocol="tcp"
> accept' --permanent
> Where public was the firewalld default active zone.   You can define
> different zones for different NICs so you may want to check the
> zone(s) assigned to your NIC(s) as it is important.   A key thing to
> know is you don't tell firewalld which NIC is in which zone -
> instead, you define the zone within the NIC's config.   (At least for
> RedHat derived OSes such as RHEL, Fedora and CentOS)
> -----Original Message-----
> From: Ale <ale-bounces at ale.org> On Behalf Of Beddingfield, Allen via Ale
> Sent: Tuesday, December 03, 2019 12:03 PM
> To: Atlanta Linux Enthusiasts <ale at ale.org>
> Subject: [ale] Firewalld rich rule sanity check
> I'm wondering about syntax for firewalld rich rules. For example, if I
> want to allow 192.168.0.80 through 192.168.0.95. .81-.94 would be the
> start and end addresses of 192.168.0.80/28
> Could I do:
> firewall-cmd --add-rich-rule='rule family ipv4 source
> address=192.168.0.80 port port=80 protocol=tcp accept' --permanent
> firewall-cmd --add-rich-rule='rule family ipv4 source
> address=192.168.0.80/28 port port=80 protocol=tcp accept' --permanent
> firewall-cmd --add-rich-rule='rule family ipv4 source
> address=192.168.0.95 port port=80 protocol=tcp accept' --permanent
> Or, would it be an issue that I am explicitly defining a rule for
> what would be the network and broadcast address of a subnet I've
> defined in another rule? Am I going to have to do one rich rule per
> IP?
> Ideally, I would like to be able to just specify a range of IP
> addresses, the way I used to be able to do pre-firewalld, but I can't
> find a way to do that (192.168.0.80:192.168.0.95).
> One rule per ip wouldn't be that big of a deal for the example above,
> but I have a situation where a vendor has provided a huge list of ip
> ranges to whitelist that don't cleanly fall along subnet
> boundaries.  Some are close, but none are exact.
> Thanks.
> Allen B.
> --
> Allen Beddingfield
> Systems Engineer
> Office of Information Technology
> The University of Alabama
> Office 205-348-2251
> allen at ua.edu
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> https://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
-- 
James P. Kinney III

Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.
- Speech 11/23/1900 Mark Twain

http://heretothereideas.blogspot.com/
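An added example (not from anyone in the thread) for the script Jim mentions: it splits an inclusive IPv4 range into the fewest CIDR blocks and prints one rich rule per block, which for .80 through .95 is the single rule address=192.168.0.80/28, since a source prefix match covers all 16 addresses including .80 and .95. It assumes the zone is named public and the service is tcp/80, as in the quoted commands.

```shell
#!/bin/sh
# Added example (not from the thread): split an inclusive IPv4 range into the
# minimal set of CIDR blocks and print one firewalld rich rule per block.
ZONE=public   # assumption: the zone holding the NIC, as in the quoted reply

ip2int() {                       # dotted quad -> 32-bit integer
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {                       # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

range_to_cidrs() {               # usage: range_to_cidrs FIRST LAST
    local lo hi bits size
    lo=$(ip2int "$1"); hi=$(ip2int "$2")
    while [ "$lo" -le "$hi" ]; do
        bits=32
        # Widen the block while it stays aligned at lo and ends at or before hi.
        while [ "$bits" -gt 0 ]; do
            size=$(( 1 << (33 - bits) ))          # block size if we drop one more bit
            if [ $(( lo % size )) -ne 0 ] || [ $(( lo + size - 1 )) -gt "$hi" ]; then
                break
            fi
            bits=$(( bits - 1 ))
        done
        echo "$(int2ip "$lo")/$bits"
        lo=$(( lo + (1 << (32 - bits)) ))
    done
}

emit_rules() {                   # usage: emit_rules FIRST LAST (prints, does not apply)
    local cidr
    for cidr in $(range_to_cidrs "$1" "$2"); do
        printf "firewall-cmd --permanent --zone=%s --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port port=\"80\" protocol=\"tcp\" accept'\n" "$ZONE" "$cidr"
    done
}

# Constructed sample input: the range from the thread; pass two addresses to override.
emit_rules "${1:-192.168.0.80}" "${2:-192.168.0.95}"
```

Review the printed commands and run them only once they match the intended list; a range such as .80 through .94 expands to four blocks (/29, /30, /31, /32) rather than one.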
