Firewalld Rule Syntax


I’m still learning firewalld obviously, and I am having trouble grokking the documentation to understand how to do this.

I know I could do an iptables direct, but that doesn’t seem like the
“right” way to do it.

What I’m trying to do is allow a specific service, only for a specific ip.

Effectively, SNMP should be allowed from a specific IP address (the systems monitor). What would be the most correct way of doing this?

Create a zone for the snmp, then add the associated interface to that zone?

firewall-cmd --zone=monitoring --add-source=1.2.3.4/32
firewall-cmd --zone=monitoring --add-service=snmp
firewall-cmd --zone=monitoring --add-interface=ens192
firewall-cmd --runtime-to-permanent

Would this be an appropriate approach? Is it the ‘most correct’ way?

4 thoughts on - Firewalld Rule Syntax

  • I went ahead and tried this and found that the zone and service must first be created, which requires use of:

    firewall-cmd --new-zone=monitoring --permanent (--permanent is required)
    firewall-cmd --new-service=snmp

    edit /etc/firewalld/services/snmp.xml:

    <service>
      <short>snmp</short>
      <description>Simple Network Management Protocol</description>
    </service>

    firewall-cmd --reload

    However, at the end firewall-cmd --zone=monitoring --add-interface=ens192

    This results in a zone conflict. I’m not sure if it’s even possible to have two zones on the interface.

  • > However, at the end

    I don’t believe an interface can belong to multiple zones.

    Instead I think you want a rich rule; the example below would add this to the default zone:

    firewall-cmd --add-rich-rule 'rule family="ipv4" source address="x.x.x.x/16" service name="http" accept'

  • > first be created, which requires use of:
    > have two zones on the interface.

    A zone applies to a source network or interface.

    Have a flick through:
    https://www.hogarthuk.com/?q=node/9

    Surprised SNMP isn’t already defined as a service in
    /usr/lib/firewalld/services ... Perhaps snmpd? Don’t have a system to hand to check.

  • I didn’t think to try “snmpd”, because “http” isn’t “httpd” and so on.

    I was also surprised to not find SNMP defined, though it was easy enough to do so. I would have assumed that anything in /etc/services would be defined.
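The two approaches the thread arrives at, as one added example that is not from any of the posts: a zone bound to the monitoring host's source address rather than to the interface (which avoids the zone conflict reported in the first reply, because an interface belongs to one zone while a source binding is checked ahead of interface bindings), and the rich-rule alternative from the second reply. The address 192.0.2.10/32, the zone name monitoring, the 161/udp port line in the service file and the fw wrapper (which only prints the commands unless FW_APPLY=1 is set and firewall-cmd exists) are assumptions of this example, not values from the thread.

```shell
#!/bin/sh
# Added example: restrict the snmp service to a single monitoring host with
# firewalld, two ways. Constructed values: monitoring host 192.0.2.10/32,
# zone name "monitoring", SNMP on 161/udp (the port is not stated in the thread).
set -eu

MONITOR_SRC="192.0.2.10/32"   # constructed sample address of the systems monitor
ZONE="monitoring"

# Dry-run wrapper: commands are echoed unless FW_APPLY=1 and firewall-cmd
# is installed, so the script can be read and checked on any host.
fw() {
    if [ "${FW_APPLY:-0}" = 1 ] && command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd "$@"
    else
        echo "firewall-cmd $*"
    fi
}

# Service definition to place in /etc/firewalld/services/snmp.xml
# (packaged definitions live under /usr/lib/firewalld/services/).
snmp_service_xml() {
    cat <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>snmp</short>
  <description>Simple Network Management Protocol</description>
  <port protocol="udp" port="161"/>
</service>
EOF
}

# Approach 1: a zone bound to the source address. The interface keeps its
# existing zone; packets from MONITOR_SRC land in "monitoring" because
# source bindings are evaluated before interface bindings. No --add-interface,
# so there is no zone conflict.
setup_source_zone() {
    fw --permanent --new-zone="$ZONE"
    fw --permanent --zone="$ZONE" --add-source="$MONITOR_SRC"
    fw --permanent --zone="$ZONE" --add-service=snmp
    fw --reload
}

# Approach 2: a rich rule in the default zone. Built as a string first so
# the exact rule text can be reviewed before it is applied.
rich_rule() {
    printf 'rule family="ipv4" source address="%s" service name="%s" accept' "$1" "$2"
}

setup_rich_rule() {
    fw --permanent --add-rich-rule="$(rich_rule "$MONITOR_SRC" snmp)"
    fw --reload
}

# After applying, confirm the source and service sit in the intended zone
# and that snmp is not also open in the interface's zone.
verify() {
    fw --get-active-zones
    fw --zone="$ZONE" --list-all
    fw --list-rich-rules
}

case "${1:-}" in
    zone) setup_source_zone; verify ;;
    rich) setup_rich_rule; verify ;;
    xml)  snmp_service_xml ;;
esac
```

Run it as `FW_APPLY=1 sh snmp-allow.sh zone` (or `rich`) on the firewalld host; without FW_APPLY it only prints what it would run. The source-zone form is the one to prefer when more services for the same monitor will follow, since they are then all collected in one zone; the rich rule is the lighter touch for a single service.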