Configuring Complex Firewall Rules with the "Rich Language" Syntax

From the document Red Hat Enterprise Linux 7 Security Guide (pages 85-90)

Chapter 4. Hardening Your System with Tools and Services

4.5. Using Firewalls

4.5.15. Configuring Complex Firewall Rules with the "Rich Language" Syntax

With the "rich language" syntax, complex firewall rules can be created in a way that is easier to understand than the direct interface method. In addition, the settings can be made permanent. The language uses keywords with values and is an abstract representation of iptables rules. Zones can be configured using this language; the current configuration method will still be supported.

4.5.15.1. Format of the Rich Language Commands

All the commands in this section need to be run as root. The format of the command to add a rule is as follows:

firewall-cmd [--zone=zone] --add-rich-rule='rule' [--timeout=seconds]

This will add a rich language rule rule for zone zone. This option can be specified multiple times. If the zone is omitted, the default zone will be used. If a timeout is supplied, the rule or rules will be active for the number of seconds specified and will be removed automatically afterwards.

To remove a rule:

firewall-cmd [--zone=zone] --remove-rich-rule='rule'

This will remove a rich language rule rule for zone zone. This option can be specified multiple times. If the zone is omitted, the default zone will be used.

To check if a rule is present:

firewall-cmd [--zone=zone] --query-rich-rule='rule'

This will return whether a rich language rule rule has been added for the zone zone. It prints yes with exit status 0 if the rule is enabled, and prints no with exit status 1 otherwise. If the zone is omitted, the default zone will be used.

For information about the rich language representation used in the zone configuration files, see the firewalld.zone(5) man page.

4.5.15.2. Understanding the Rich Rule Structure

The format or structure of the rich rule commands is as follows:

rule [family="rule family"]
    [ source address="address" [invert="True"] ]
    [ destination address="address" [invert="True"] ]
    [ element ]
    [ log [prefix="prefix text"] [level="log level"] [limit value="rate/duration"] ]
    [ audit ]
    [ action ]

A rule is associated with a particular zone. A zone can have several rules. If some rules interact or contradict, the first rule that matches the packet applies.

4.5.15.3. Understanding the Rich Rule Command Options

family

If the rule family is provided, it can be either ipv4 or ipv6, and it limits the rule to IPv4 or IPv6. If the rule family is not provided, the rule will be added for both IPv4 and IPv6. If source or destination addresses are used in a rule, then the rule family needs to be provided. This is also the case for port forwarding.

Source and Destination Addresses

source

By specifying the source address, the origin of a connection attempt can be limited to that source address. A source address or address range is either an IP address or a network IP address with a mask, for IPv4 or IPv6. The network family (IPv4 or IPv6) will be discovered automatically. For IPv4, the mask can be a network mask or a plain number. For IPv6 the mask is a plain number. The use of host names is not supported. It is possible to invert the sense of the source address command by adding invert="true" or invert="yes"; all but the supplied address will then match.

destination

By specifying the destination address, the target can be limited to that destination address. The destination address uses the same syntax as the source address. The use of source and destination addresses is optional, and the use of a destination address is not possible with all elements. This depends on whether the element itself already uses a destination address, for example in service entries.

Elements

The element can be only one of the following element types: service, port, protocol, masquerade, icmp-block and forward-port.

service

The service element is one of the firewalld provided services. To get a list of the predefined services, issue the following command:

~]$ firewall-cmd --get-services

If a service provides a destination address, it will conflict with a destination address in the rule and will result in an error. The services using destination addresses internally are mostly services using multicast. The command takes the following form:

service name=service_name

port

The port element can either be a single port number or a port range, for example, 5060-5062, followed by the protocol, either tcp or udp. The command takes the following form:

port port=number_or_range protocol=protocol

protocol

The protocol value can be either a protocol ID number or a protocol name. For allowed protocol entries, see /etc/protocols. The command takes the following form:

protocol value=protocol_name_or_ID

icmp-block

Use this command to block one or more ICMP types. The ICMP type is one of the ICMP types firewalld supports. To get a listing of supported ICMP types, issue the following command:

~]$ firewall-cmd --get-icmptypes

Specifying an action is not allowed here. icmp-block uses the action reject internally. The command takes the following form:

icmp-block name=icmptype_name

masquerade

Turns on IP masquerading in the rule. A source address can be provided to limit masquerading to this area, but not a destination address. Specifying an action is not allowed here.

forward-port

Forward packets from a local port with protocol specified as tcp or udp to either another port locally, to another machine, or to another port on another machine. The port and to-port can either be a single port number or a port range. The destination address is a simple IP address. Specifying an action is not allowed here. The forward-port command uses the action accept internally. The command takes the following form:

forward-port port=number_or_range protocol=protocol to-port=number_or_range to-addr=address

Logging

log

Log new connection attempts to the rule with kernel logging, for example in syslog. You can define a prefix text that will be added to the log message as a prefix. The log level can be one of emerg, alert, crit, error, warning, notice, info or debug. The use of log is optional. It is possible to limit logging as follows:

log [prefix=prefix text] [level=log level] limit value=rate/duration

The rate is a natural positive number [1, ...]; the duration is one of s, m, h, d, where s means seconds, m minutes, h hours and d days. The maximum limit value is 1/d, which means at most one log entry per day.

audit

Audit provides an alternative way of logging, using audit records sent to the auditd service. The audit type can be one of ACCEPT, REJECT or DROP, but it is not specified after the audit command, as the audit type is gathered automatically from the rule action. Audit does not have its own parameters, but limit can be added optionally. The use of audit is optional.

Action

accept|reject|drop

An action can be one of accept, reject or drop. The rule can only contain an element or a source. If the rule contains an element, then new connections matching the element will be handled with the action. If the rule contains a source, then everything from the source address will be handled with the action specified.

accept | reject [type=reject type] | drop

With accept all new connection attempts will be granted. With reject they will be rejected and their source will get a reject message. The reject type can be set to use another value. With drop all packets will be dropped immediately and no information is sent to the source.
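The constraints in 4.5.15.3 (source, destination and forward-port require a family; icmp-block, masquerade and forward-port refuse an explicit action; masquerade cannot take a destination) are all rejected by firewalld only at the moment the rule is submitted. The following shell functions, an added example that is not part of the Red Hat guide, compose a rich rule string from its parts, apply those checks first, and print the firewall-cmd invocation from 4.5.15.1 that would install it. The function names and the sample values are this example's own; nothing here executes firewall-cmd. One caveat worth remembering when you do run it: without --permanent the rule changes only the runtime configuration and disappears on the next reload; with --permanent it is written to the zone file and only becomes active after firewall-cmd --reload.

```shell
#!/bin/sh
# Added example (not from the RHEL 7 Security Guide): build a rich rule
# string from its parts and reject combinations the guide says firewalld
# will not accept, before the rule is ever handed to firewall-cmd.
# Function names and the sample values in the usage section are this
# example's own.

# rich_rule FAMILY SOURCE DESTINATION ELEMENT ACTION
#   FAMILY       "ipv4", "ipv6" or "" (rule applies to both families)
#   SOURCE       address or address/mask, or ""
#   DESTINATION  address or address/mask, or ""
#   ELEMENT      e.g. 'service name="ssh"', 'port port="8080" protocol="tcp"',
#                'icmp-block name="echo-request"', 'masquerade', or ""
#   ACTION       "accept", "reject", 'reject type="..."', "drop", or ""
# Prints the rule on success; prints a diagnostic and returns 1 otherwise.
rich_rule() {
    family=$1 src=$2 dst=$3 element=$4 action=$5

    # The element keyword is the first word of ELEMENT (empty if none).
    kind=${element%% *}

    # Source or destination addresses, and port forwarding, need a family.
    if [ -n "$src" ] || [ -n "$dst" ] || [ "$kind" = forward-port ]; then
        case $family in
            ipv4|ipv6) ;;
            *) echo "rich_rule: family=ipv4|ipv6 is required with source," \
                    "destination or forward-port" >&2
               return 1 ;;
        esac
    fi

    # icmp-block (reject), masquerade and forward-port (accept) carry their
    # action implicitly and refuse an explicit one.
    case $kind in
        icmp-block|masquerade|forward-port)
            if [ -n "$action" ]; then
                echo "rich_rule: $kind does not take an action" >&2
                return 1
            fi ;;
    esac

    # masquerade may be limited by a source, but not by a destination.
    if [ "$kind" = masquerade ] && [ -n "$dst" ]; then
        echo "rich_rule: masquerade cannot be combined with a destination" >&2
        return 1
    fi

    rule="rule"
    [ -n "$family" ]  && rule="$rule family=\"$family\""
    [ -n "$src" ]     && rule="$rule source address=\"$src\""
    [ -n "$dst" ]     && rule="$rule destination address=\"$dst\""
    [ -n "$element" ] && rule="$rule $element"
    [ -n "$action" ]  && rule="$rule $action"
    printf '%s\n' "$rule"
}

# add_rich_rule_cmd ZONE RULE [TIMEOUT]: print the firewall-cmd invocation
# from 4.5.15.1 that would install RULE at runtime. Pass an empty ZONE to
# use the default zone. Nothing is executed here.
add_rich_rule_cmd() {
    zone=$1 rule=$2 timeout=$3
    cmd="firewall-cmd"
    [ -n "$zone" ] && cmd="$cmd --zone=$zone"
    cmd="$cmd --add-rich-rule='$rule'"
    [ -n "$timeout" ] && cmd="$cmd --timeout=$timeout"
    printf '%s\n' "$cmd"
}

# Usage (sample values are constructed for this example).
r=$(rich_rule ipv4 192.168.0.0/24 "" 'service name="tftp"' accept) &&
    add_rich_rule_cmd "" "$r" 300
# The next two are rejected: a source without a family, and an explicit
# action on icmp-block.
rich_rule "" 192.168.2.2 "" "" accept || echo "rejected as expected"
rich_rule ipv4 "" "" 'icmp-block name="echo-request"' drop || echo "rejected as expected"
```

Pairing the builder with the --query-rich-rule command from 4.5.15.1 gives an idempotent deployment step: query first, and only call the printed add command when the query exits 1.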

4.5.15.4. Using the Rich Rule Log Command

Logging can be done with the Netfilter log target and also with the audit target. A new chain is added to all zones with a name in the format "zone_log", where zone is the zone name. This is processed before the deny chain in order to have proper ordering. The rules, or parts of them, are placed in separate chains according to the action of the rule, as follows:

zone_log
zone_deny
zone_allow

All logging rules will be placed in the "zone_log" chain, which will be parsed first. All reject and drop rules will be placed in the "zone_deny" chain, which will be parsed after the log chain. All accept rules will be placed in the "zone_allow" chain, which will be parsed after the deny chain. If a rule contains log and also deny or allow actions, the parts are placed in the matching chains.

4.5.15.4.1. Using the Rich Rule Log Command Example 1

Enable new IPv4 and IPv6 connections for the authentication header protocol AH:

rule protocol value="ah" accept

4.5.15.4.2. Using the Rich Rule Log Command Example 2

Allow new IPv4 and IPv6 connections for protocol FTP and log 1 per minute using audit:

rule service name="ftp" log limit value="1/m" audit accept

4.5.15.4.3. Using the Rich Rule Log Command Example 3

Allow new IPv4 connections from address 192.168.0.0/24 for protocol TFTP and log 1 per minute using syslog:

rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="tftp" level="info" limit value="1/m" accept

4.5.15.4.4. Using the Rich Rule Log Command Example 4

New IPv6 connections from 1:2:3:4:6:: for protocol RADIUS are all rejected and logged at a rate of 3 per minute. New IPv6 connections from other sources are accepted:

rule family="ipv6" source address="1:2:3:4:6::" service name="radius" log prefix="dns" level="info" limit value="3/m" reject

rule family="ipv6" service name="radius" accept

4.5.15.4.5. Using the Rich Rule Log Command Example 5

Forward IPv6 packets received from 1:2:3:4:6:: on port 4011 with protocol TCP to 1::2:3:4:7 on port 4012:

rule family="ipv6" source address="1:2:3:4:6::" forward-port to-addr="1::2:3:4:7" to-port="4012" protocol="tcp" port="4011"

4.5.15.4.6. Using the Rich Rule Log Command Example 6

Whitelist a source address to allow all connections from this source:

rule family="ipv4" source address="192.168.2.2" accept

See the firewalld.richlanguage(5) man page for more examples.
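Section 4.5.15.4 explains that the parts of a rich rule are split across the zone_log, zone_deny and zone_allow chains and processed in that order, which is why the two rules of Example 4 behave the same whichever is added first: the reject lands in zone_deny and is consulted before the accept in zone_allow. The following shell function is an added example, not part of the Red Hat guide; it classifies a rich rule into the chains that receive parts of it, in processing order. The function name is this example's own, and it deliberately only looks at explicit log, audit, reject, drop and accept keywords (the implicit actions of icmp-block and forward-port are not classified). Quoted values are stripped before matching so that a prefix such as prefix="drop accept" is not mistaken for an action.

```shell
#!/bin/sh
# Added example (not from the RHEL 7 Security Guide): given a zone and a
# rich rule, report which per-zone chains receive parts of the rule, in
# the order firewalld processes them: zone_log, then zone_deny, then
# zone_allow. The function name is this example's own.

# rich_rule_chains ZONE RULE
# Prints the chains, space separated, in processing order; prints an
# empty line if the rule has neither a log/audit part nor an explicit action.
rich_rule_chains() {
    zone=$1
    # Remove quoted values first so that words inside prefix="..." or
    # address="..." are never mistaken for keywords.
    stripped=$(printf '%s' "$2" | sed 's/"[^"]*"//g')
    has_log=0 has_deny=0 has_allow=0
    for tok in $stripped; do
        case $tok in
            log|audit)   has_log=1 ;;    # Netfilter log or audit record
            reject|drop) has_deny=1 ;;   # explicit deny action
            accept)      has_allow=1 ;;  # explicit allow action
        esac
    done
    out=""
    [ "$has_log"   -eq 1 ] && out="${zone}_log"
    [ "$has_deny"  -eq 1 ] && out="${out:+$out }${zone}_deny"
    [ "$has_allow" -eq 1 ] && out="${out:+$out }${zone}_allow"
    printf '%s\n' "$out"
}

# Usage with the two rules of Example 4 above (zone name "work" is a
# constructed sample). The first rule is parsed in work_log and work_deny,
# the second only in work_allow, so the reject is evaluated first
# regardless of the order in which the two rules were added.
rich_rule_chains work 'rule family="ipv6" source address="1:2:3:4:6::" service name="radius" log prefix="dns" level="info" limit value="3/m" reject'
rich_rule_chains work 'rule family="ipv6" service name="radius" accept'
```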
