Firewalld Rule Syntax
I’m still learning firewalld obviously, and I am having trouble grokking the documentation to understand how to do this.
I know I could do an iptables direct, but that doesn’t seem like the
“right” way to do it.
What I’m trying to do is allow a specific service, only for a specific ip.
Effectively, SNMP should be allowed from a specific IP address (the systems monitor). What would be the most correct way of doing this?
Create a zone for the snmp, then add the associated interface to that zone?
firewall-cmd --zone=monitoring --add-source=1.2.3.4/32
firewall-cmd --zone=monitoring --add-service=snmp
firewall-cmd --zone=monitoring --add-interface=ens192
firewall-cmd --runtime-to-permanent
Would this be an appropriate approach? Is it the ‘most correct’ way?
4 thoughts on - Firewalld Rule Syntax
I went ahead and tried this and found that the zone and service must first be created, which requires use of:
firewall-cmd --new-zone=monitoring --permanent (--permanent is required)
firewall-cmd --new-service=snmp
edit /etc/firewalld/services/snmp.xml:
<short>snmp</short>
<description>Simple Network Management Protocol</description>
firewall-cmd --reload
However, at the end firewall-cmd --zone=monitoring --add-interface=ens192
This results in a zone conflict. I’m not sure if it’s even possible to have two zones on the interface.
I don’t believe an interface can belong to multiple zones.
Instead I think you want a rich rule; the example below would add this to the default zone:
firewall-cmd --add-rich-rule 'rule family="ipv4" source address="x.x.x.x/16" service name="http" accept'
A zone applies to a source network or interface.
Have a flick through:
https://www.hogarthuk.com/?q=node/9
Surprised SNMP isn’t already defined as a service in
/usr/lib/firewalld/services... Perhaps snmpd? Don’t have a system to hand to check.
I didn’t think to try “snmpd”, because “http” isn’t “httpd” and so on.
I was also surprised to not find SNMP defined, though it was easy enough to do so. I would have assumed that anything in /etc/services would be defined.
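Putting the thread's conclusions together, here is an added example (not from any poster) of the source-bound zone approach: the monitor's address is bound to a dedicated zone that allows only the snmp service, and the interface is left in its existing zone, which is what avoids the zone conflict above. The zone name "monitoring", the monitor address 203.0.113.10/32 and the SVC_DIR override are assumptions for illustration; the service file follows the shape of the ones shipped under /usr/lib/firewalld/services.

```shell
#!/bin/sh
# Added example: allow SNMP (udp/161) only from the monitoring host.
# Hypothetical values; override them in the environment if needed.
MONITOR_SRC="${MONITOR_SRC:-203.0.113.10/32}"
ZONE="${ZONE:-monitoring}"
SVC_DIR="${SVC_DIR:-/etc/firewalld/services}"

# Write a local service definition for SNMP. The <port> element is what
# firewalld actually needs; <short> and <description> are informational.
write_snmp_service() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/snmp.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>snmp</short>
  <description>Simple Network Management Protocol</description>
  <port protocol="udp" port="161"/>
</service>
EOF
}

# The firewall-cmd invocations, one per line. --new-zone only works with
# --permanent, so everything is done permanently and then reloaded. Note
# there is no --add-interface: the zone is selected by source address, and
# a source-bound zone is evaluated before the interface's zone. Any other
# service the monitor must reach (ssh, for instance) has to be added to
# this zone too, because a non-matching packet is rejected by it.
plan() {
    printf '%s\n' \
        "firewall-cmd --permanent --new-zone=$ZONE" \
        "firewall-cmd --permanent --zone=$ZONE --add-source=$MONITOR_SRC" \
        "firewall-cmd --permanent --zone=$ZONE --add-service=snmp" \
        "firewall-cmd --reload"
}

# Apply the plan on a real host, then verify which zone the source lands in.
apply() {
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found" >&2; return 1; }
    write_snmp_service "$SVC_DIR"
    plan | while read -r cmd; do $cmd; done
    firewall-cmd --get-zone-of-source="$MONITOR_SRC"   # expected: the zone name
    firewall-cmd --zone="$ZONE" --list-all
}

# "sh script.sh apply" runs it; with no argument it only prints the plan.
if [ "${1:-}" = "apply" ]; then apply; else plan; fi
```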