[ale] Firewalld rich rule sanity check

Lightner, Jeffrey JLightner at dsservices.com
Tue Dec 3 16:47:40 EST 2019


In your first question you seemed to indicate you just wanted to avoid the first and last IP of a subnet range so as not to include the broadcast. I don't see the need to do that.

You now seem to be saying the range you want is something other than one where you just want to exclude the first and last of the subnet range.

If so, it appears you'll have to do the script for the individual IPs because the man page makes it clear you can't really do subsets of a network as your range:

"A source address or address range is either an IP address or a network IP address with a mask for IPv4 or IPv6 or a MAC address or an ipset with the ipset: prefix. For IPv4, the mask can be a network mask or a plain number."

You might be able to make your script smaller by using multiple subnets with masks to cover the bulk of the range which is smaller than the overall range then add individual IPs (e.g. multiple /26 subnets based on start/end of ranges within a broader /24).
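
The script below is an added example written for this thread, not code posted by anyone in it. It does what Jeffrey describes above (masked subnets for the bulk of a range, single addresses for the ragged ends) and what Jim's "quick script to generate the rules" would do, using Python's standard ipaddress module to find the fewest CIDR blocks for each start/end pair. It assumes firewalld's documented rich-rule syntax (source address="a.b.c.d/mask" and source ipset="name") and the --new-ipset / --ipset --add-entry options; the ranges and the ipset name are constructed for illustration. It also shows why the separate rules for .80 and .95 are unnecessary: a source match on 192.168.0.80/28 is a mask comparison on the source field and already covers both.

```python
#!/usr/bin/env python3
"""Decompose start..end IPv4 ranges into the fewest CIDR blocks and emit the
firewall-cmd commands to allow them.

Added example, not a script from the thread. Relies on Python's standard
ipaddress module and on firewalld's documented syntax: rich rules with
source address="a.b.c.d/mask" or source ipset="name", plus the --new-ipset
and --ipset --add-entry options. Ranges and names are constructed.
"""
import ipaddress
import shlex

# Constructed sample input: start/end pairs as a vendor list might give them.
VENDOR_RANGES = [
    ("192.168.0.80", "192.168.0.95"),    # exactly one /28
    ("192.168.0.80", "192.168.0.100"),   # /28 + /30 + a single host
]


def range_to_cidrs(start, end):
    """Smallest list of networks covering start..end inclusive.

    ipaddress.summarize_address_range does the work: aligned big blocks
    cover the bulk of the range and the ragged ends become /31s and /32s,
    i.e. 'subnets for the bulk, singles for the rest'.
    """
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError(f"range end {end} precedes start {start}")
    return list(ipaddress.summarize_address_range(first, last))


def rich_rule_commands(start, end, port=80, proto="tcp", zone=None):
    """One --add-rich-rule per CIDR block.

    A source of 192.168.0.80/28 already matches .80 and .95: the rule is a
    mask comparison on the packet's source field and does not care that
    those are the network and broadcast addresses of the block, so no
    extra single-IP rules are emitted for them.
    """
    zone_opt = f"--zone={zone} " if zone else ""
    cmds = []
    for net in range_to_cidrs(start, end):
        rule = (f'rule family="ipv4" source address="{net}" '
                f'port port="{port}" protocol="{proto}" accept')
        cmds.append(f"firewall-cmd --permanent {zone_opt}"
                    f"--add-rich-rule={shlex.quote(rule)}")
    return cmds


def ipset_commands(name, ranges, port=80, proto="tcp", zone=None):
    """Scales to hundreds of ranges: every block goes into one hash:net
    ipset and a single rich rule references the set, so the rule count
    stays constant as the vendor list grows.
    """
    zone_opt = f"--zone={zone} " if zone else ""
    cmds = [f"firewall-cmd --permanent --new-ipset={name} --type=hash:net"]
    for start, end in ranges:
        for net in range_to_cidrs(start, end):
            cmds.append(f"firewall-cmd --permanent --ipset={name} "
                        f"--add-entry={net}")
    rule = (f'rule family="ipv4" source ipset="{name}" '
            f'port port="{port}" protocol="{proto}" accept')
    cmds.append(f"firewall-cmd --permanent {zone_opt}"
                f"--add-rich-rule={shlex.quote(rule)}")
    cmds.append("firewall-cmd --reload")  # --permanent changes need a reload
    return cmds


if __name__ == "__main__":
    print("# per-block rich rules")
    for start, end in VENDOR_RANGES:
        for cmd in rich_rule_commands(start, end):
            print(cmd)
    print("\n# same ranges via one ipset")
    for cmd in ipset_commands("vendor_allow", VENDOR_RANGES, zone="public"):
        print(cmd)
```

Run it and paste the printed commands into a shell (or pipe them to sh) on the host; the ipset form is the one to prefer for a list of a few hundred ranges, since reviewing or replacing the vendor list then means editing set entries rather than hundreds of rich rules.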

-----Original Message-----
From: Ale <ale-bounces at ale.org> On Behalf Of Beddingfield, Allen via Ale
Sent: Tuesday, December 03, 2019 2:05 PM
To: Atlanta Linux Enthusiasts <ale at ale.org>
Subject: Re: [ale] Firewalld rich rule sanity check

Yeah, it seems to be a major lacking feature that you can't just specify a range.
The problem is that it won't be 15.  It will be a few hundred.  I've got a page of ranges like that to allow.  Sure it will work, but it seems like there should be a cleaner way (start ip:end ip)
Allen B.

--
Allen Beddingfield
Systems Engineer
Office of Information Technology
The University of Alabama
Office 205-348-2251
allen at ua.edu


________________________________________
From: Jim Kinney <jim.kinney at gmail.com>
Sent: Tuesday, December 3, 2019 1:01 PM
To: Beddingfield, Allen; Atlanta Linux Enthusiasts
Subject: Re: [ale] Firewalld rich rule sanity check

Looks like time for a quick script to generate 15 rules.

You can also use a larger block after a hard exclusion as a filter. Or use the small subnet and add the missing ones.

Either way, I would add the singles first (toward the top of the chain) and the group at the bottom.

On Tue, 2019-12-03 at 18:53 +0000, Beddingfield, Allen via Ale wrote:

Thanks.  I'm familiar with the syntax.  My specific question is around allowing a specified range of IP addresses that is not an exact subnet.


So:

In 192.168.0.0/24, I want to ONLY allow 192.168.0.80 through 192.168.0.95

That range does not exactly match a subnet that can be defined.  The closest is:

192.168.0.80/28.  The starting IP of that would be 192.168.0.81, and the ending would be 192.168.0.94.  The network IP is 192.168.0.80, and the broadcast address is 192.168.0.95.


What is the best way to specify this?

From what I can tell, firewalld doesn't allow for specifying an arbitrary range of ip addresses as source.  It can be a single IP or a network specified this way: 192.168.0.0/24


The two ideas I had are:


This:

(In this example, will it be a problem that I'm specifying a separate rule for what is already defined to be a broadcast and network ip?)


firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.80 port port=80 protocol=tcp accept' --permanent


firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.80/28 port port=80 protocol=tcp accept' --permanent


firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.95 port port=80 protocol=tcp accept' --permanent


Or This:

firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.80 port port=80 protocol=tcp accept' --permanent


firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.81 port port=80 protocol=tcp accept' --permanent


etc...etc... through


firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.95 port port=80 protocol=tcp accept' --permanent


Allen B.

--
Allen Beddingfield
Systems Engineer
Office of Information Technology
The University of Alabama
Office 205-348-2251
allen at ua.edu




________________________________________
From: Lightner, Jeffrey <JLightner at dsservices.com>
Sent: Tuesday, December 3, 2019 11:51 AM
To: Beddingfield, Allen; Atlanta Linux Enthusiasts
Subject: RE: Firewalld rich rule sanity check


When I've added an IP range I've done it like:

firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.0.80/28" port port="80" protocol="tcp" accept' --permanent


Where public was the firewalld default active zone. You can define different zones for different NICs so you may want to check the zone(s) assigned to your NIC(s) as it is important. A key thing to know is you don't tell firewalld which NIC is in which zone - instead, you define the zone within the NIC's config. (At least for Red Hat derived OSes such as RHEL, Fedora and CentOS)


-----Original Message-----
From: Ale <ale-bounces at ale.org> On Behalf Of Beddingfield, Allen via Ale
Sent: Tuesday, December 03, 2019 12:03 PM
To: Atlanta Linux Enthusiasts <ale at ale.org>
Subject: [ale] Firewalld rich rule sanity check


I'm wondering about syntax for firewalld rich rules.

For example, if I want to allow 192.168.0.80 through 192.168.0.95

.81-.94 would be the start and end addresses of 192.168.0.80/28


Could I do:

firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.80 port port=80 protocol=tcp accept' --permanent
firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.80/28 port port=80 protocol=tcp accept' --permanent
firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.95 port port=80 protocol=tcp accept' --permanent


Or, would it be an issue that I am explicitly defining a rule for what would be the network and broadcast address of a subnet I've defined in another rule?

Am I going to have to do one rich rule per-ip?


Ideally, I would like to be able to just specify a range of IP addresses, the way I used to be able to do pre-firewalld, but I can't find a way to do that (192.168.0.80:192.168.0.95).


One rule per ip wouldn't be that big of a deal for the example above, but I have a situation where a vendor has provided a huge list of ip ranges to whitelist that don't cleanly fall along subnet boundaries.  Some are close, but none are exact.


Thanks.

Allen B.

--
Allen Beddingfield
Systems Engineer
Office of Information Technology
The University of Alabama
Office 205-348-2251
allen at ua.edu


_______________________________________________
Ale mailing list
Ale at ale.org
https://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/mailman/listinfo




--
James P. Kinney III
Every time you stop a school, you will have to build a jail. What you gain at one end you lose at the other. It's like feeding a dog on his own tail. It won't fatten the dog. - Speech 11/23/1900 Mark Twain
http://heretothereideas.blogspot.com/

