
firewalld driving me barmy.

  • 06-08-2014 04:10PM #1


    Just setting up new RHEL7 box and trying to get my head around firewalld.

    Been using iptables for all my rules now for years and was quite happy.

    Typically I would setup a rule like this in /etc/sysconfig/iptables and restart the firewall.

    -A INPUT -s 10.10.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT -m comment --comment "private ssh for admin"

    Now with firewalld I have two choices

    1. Use a zone and a service
    firewall-cmd --permanent --add-service=ssh
    Looks good, but how do I customize the service definition to specify a source network?

    2. Use a direct rule such as this.
    firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 22 -s 10.10.1.0/24 -j ACCEPT -m comment --comment "private ssh for admin"
    but when restarting firewalld I lose my rule. I'm unable to use --permanent in conjunction with --direct.

    If anyone has any advice on the best way to configure this it would be very welcome.


Comments

  • ressem


    firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.10.1.0/24" service name="ssh" accept'
    

    which will add the rich rule into your default zone (/etc/firewalld/zones/) probably public.xml.
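
An added example, not code from the thread: a small Python audit of a firewalld zone file of the kind ressem points at (/etc/firewalld/zones/public.xml). It parses a constructed sample that contains both the zone-wide ssh service from "--add-service=ssh" and the source-restricted rich rule, and reports which services are still reachable from any source; the sample content and function names are my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a public.xml after running BOTH "--add-service=ssh"
# and the rich rule above (not a file taken from the thread).
SAMPLE_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <rule family="ipv4">
    <source address="10.10.1.0/24"/>
    <service name="ssh"/>
    <accept/>
  </rule>
</zone>
"""


def audit_zone(xml_text):
    """Return {service: set of allowed sources} for a zone file.

    A top-level <service> is reachable from any source that hits the zone,
    recorded as "any". A rich rule that accepts a service with a <source>
    element records that address instead.
    """
    root = ET.fromstring(xml_text)
    allowed = {}
    for svc in root.findall("service"):          # direct children only
        allowed.setdefault(svc.get("name"), set()).add("any")
    for rule in root.findall("rule"):
        if rule.find("accept") is None:          # drop/reject rules are not opens
            continue
        src = rule.find("source")
        source = src.get("address") if src is not None else "any"
        for svc in rule.findall("service"):
            allowed.setdefault(svc.get("name"), set()).add(source)
    return allowed


def unrestricted_services(allowed, watch=("ssh",)):
    """Services in `watch` that are still open to every source."""
    return sorted(s for s in watch if "any" in allowed.get(s, set()))


if __name__ == "__main__":
    result = audit_zone(SAMPLE_ZONE_XML)
    for name, sources in sorted(result.items()):
        print(f"{name}: {', '.join(sorted(sources))}")
    for name in unrestricted_services(result):
        print(f'WARNING: {name} open to any source; remove the zone-wide '
              f'<service name="{name}"/> so only the rich rule applies')
```

The point the audit makes: the rich rule only restricts ssh to 10.10.1.0/24 if the zone-wide ssh service is removed as well (firewall-cmd --permanent --remove-service=ssh), otherwise the broader entry still admits everyone.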


  • Sebzy


    ressem wrote:
    firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.10.1.0/24" service name="ssh" accept'
    

    which will add the rich rule into your default zone (/etc/firewalld/zones/) probably public.xml.

    Thanks for that. Now if there was some way to embed comments my life would be so much simpler.

