Linux Firewalld rich rules

Rich rules provide a much greater level of control through more custom granular options. Rich rules can also be used to configure logging, masquerading, port forwarding, and rate limiting.

For Firewall basics, read this.
For Firewall Zones and Services, read this.
For Port-Forward and NAT, read this.

For further information on the syntax of rich rules and examples, see the manual page for firewalld.richlanguage.

man 5 firewalld.richlanguage

Once multiple rules are in place they will be processed in a certain order. Port forwarding and masquerading rules will be applied first, followed by any logging rules, then any allow rules, and finally any deny rules.
A packet will use the first rule it applies to in this order, if it does not match a rule it will hit the default deny.

–add-rich-rule=’RULE’ is used to add a specified rule.
–list-rich-rules is used to show rich rules for specific zone.
–remove-rich-rule=’rule’ is used to remove a specific rule.

General rich rule structure

rule [family="<rule family>"]
  [ source address="<address>" [invert="True"] ]
  [ destination address="<address>" [invert="True"] ]
  [ <element> ]
  [ log [prefix="<prefix text>"] [level="<log level>"] [limit value="<rate/duration>"] ]
  [ audit [limit value="<rate/duration>"] ]
  <action>

family= ipv4 or ipv6
source address= IP or subnet , source mac= mac-address
destination address= IP or subnet
service name=“<service name>”
port port=“<port value>” protocol=“tcp|udp”
Log or Audit
Actions : accept | reject [type=“<reject type>”] | drop

 

For Example: allowing traffic from the range 10.1.1.0/24 into only 192.168.1.10/32 through TCP ports range from 8080 through to 8090.

[root@akm ~]# firewall-cmd --permanent --zone=external --add-rich-rule='rule family=ipv4 source address=10.1.1.0/24 destination address=192.168.1.10/32 port port=8080-8090 protocol=tcp accept'
success
[root@akm ~]# firewall-cmd --reload 
success
[root@akm ~]# firewall-cmd --zone=external --list-rich-rules 
rule family="ipv4" source address="10.1.1.0/24" destination address="192.168.1.10/32" port port="8080-8090" protocol="tcp" accept
[root@a ~]#

To remove that rule :

[root@akm ~]# firewall-cmd --permanent --zone=external --remove-rich-rule='rule family=ipv4 source address=10.1.1.0/24 destination address=192.168.1.10/32 port port=8080-8090 protocol=tcp accept'
success
[root@akm ~]# firewall-cmd --reload 
success
[root@akm ~]# firewall-cmd --zone=external --list-rich-rules 

[root@akm ~] 

To reject all traffic from a specific IP :

[root@a ~]# firewall-cmd --permanent --zone=external --add-rich-rule='rule family=ipv4 source address=192.168.1.100/24 reject'
success
[root@a ~]# firewall-cmd --reload 
success
[root@a ~]# firewall-cmd --zone=external --list-rich-rules 
rule family="ipv4" source address="192.168.1.100/24" reject
[root@a ~]#

Rate Limiting and Log

To use Rich rules for rate limiting traffic, here we limit incoming SSH connections to 10 per minute.

[root@akm ~]# firewall-cmd --permanent --add-rich-rule='rule service name=ssh limit value=10/m accept'

It is helpful to avoid higher CPU/RAM usage on servers like web servers or others.

Rich rules can also be used to send messages to a log file, and this logging can also be rate limited. Here we log SSH connections from 192.168.1.0/24 but at a rate of no more than 50 log entries per minute. Only logs of level ‘info’ or more important will be logged, and add prefix to the log lines for easier search we called it ‘ssh’.

[root@akm ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" log prefix="ssh" level="info" limit value="50/m" accept'

NAT and Port-Forward

It is so similar to normal basic Port-Forward and NAT.
Masquerade can only be done with IPv4.
Rich rules can be used for more granular control.

In this example anything from the source 192.168.1.0/24 specifically will be masqueraded  ( per IP range NOT every thing per interface like basic NAT).

[root@akm ~]# firewall-cmd --permanent --zone=external --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 masquerade'

Port Forwarding also similar to normal Port-Forward and NAT , But Rich rules can again be used for more granular control.
In this instance we can specify a specific source address within the test zone rather than the whole zone.

[root@akm ~]# firewall-cmd --permanent --zone=external --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 forward-port port=22 protocol=tcp to-port=2222 to-addr=10.1.1.10'

Now the Forward rule will be applied only on the subnet 192.168.1.0/24, (NOT from all sources that came to a n interface like basic port forwarding ).

Advanced firewall can filter based on source or destination or protocol and ports , can log and audit and give us more granular control , that is what we did with firewalld Rich-Rules.

That is it , i hope it was simple , thanks for joining me.
Enjoy !.

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s