Questo contenuto non è disponibile nella lingua selezionata.
5.15. Configuring Complex Firewall Rules with the "Rich Language" Syntax
With the “rich language” syntax, complex firewall rules can be created in a way that is easier to understand than the direct-interface method. In addition, the settings can be made permanent. The language uses keywords with values and is an abstract representation of iptables rules. Zones can be configured using this language; the current configuration method will still be supported.
5.15.1. Formatting of the Rich Language Commands
All the commands in this section need to be run as
root
. The format of the command to add a rule is as follows:
firewall-cmd [--zone=zone] --add-rich-rule='rule' [--timeout=timeval]
This will add a rich language rule rule for zone zone. This option can be specified multiple times. If the zone is omitted, the default zone is used. If a timeout is supplied, the rule or rules only stay active for the amount of time specified and will be removed automatically afterwards. The time value can be followed by
s
(seconds), m
(minutes), or h
(hours) to specify the unit of time. The default is seconds.
To remove a rule:
firewall-cmd [--zone=zone] --remove-rich-rule='rule'
This will remove a rich language rule rule for zone zone. This option can be specified multiple times. If the zone is omitted, the default zone is used.
To check if a rule is present:
firewall-cmd [--zone=zone] --query-rich-rule='rule'
This will return whether a rich language rule rule has been added for the zone zone. The command prints
yes
with exit status 0
if enabled. It prints no
with exit status 1
otherwise. If the zone is omitted, the default zone is used.
For information about the rich language representation used in the zone configuration files, see the firewalld.zone(5) man page.
5.15.2. Understanding the Rich Rule Structure
The format or structure of the rich rule commands is as follows:
rule [family="rule family"] [ source [NOT] [address="address"] [mac="mac-address"] [ipset="ipset"] ] [ destination [NOT] address="address" ] [ element ] [ log [prefix="prefix text"] [level="log level"] [limit value="rate/duration"] ] [ audit ] [ action ]
Note
The structure of the rich rule in the file uses the
NOT
keyword to invert the sense of the source and destination address commands, but the command line uses the invert
="true" option.
A rule is associated with a particular zone. A zone can have several rules. If some rules interact or contradict, the first rule that matches the packet applies.
5.15.3. Understanding the Rich Rule Command Options
family
- If the rule family is provided, either
ipv4
oripv6
, it limits the rule toIPv4
orIPv6
, respectively. If the rule family is not provided, the rule is added for bothIPv4
andIPv6
. If source or destination addresses are used in a rule, then the rule family needs to be provided. This is also the case for port forwarding.
Source and Destination Addresses
source
- By specifying the source address, the origin of a connection attempt can be limited to the source address. A source address or address range is either an IP address or a network IP address with a mask for
IPv4
orIPv6
. ForIPv4
, the mask can be a network mask or a plain number. ForIPv6
, the mask is a plain number. The use of host names is not supported. It is possible to invert the sense of the source address command by adding theNOT
keyword; all but the supplied address matches.A MAC address and also an IP set with typecan be added forIPv4
andIPv6
if nofamily
is specified for the rule. Other IP sets need to match thefamily
setting of the rule. destination
- By specifying the destination address, the target can be limited to the destination address. The destination address uses the same syntax as the source address for IP address or address ranges. The use of source and destination addresses is optional, and the use of a destination addresses is not possible with all elements. This depends on the use of destination addresses, for example, in service entries. You can combine
destination
andaction
.
Elements
The element can be only one of the following element types:
service
, port
, protocol
, masquerade
, icmp-block
, forward-port
, and source-port
.
service
- The
service
element is one of the firewalld provided services. To get a list of the predefined services, enter the following command:~]$
If a service provides a destination address, it will conflict with a destination address in the rule and will result in an error. The services using destination addresses internally are mostly services using multicast. The command takes the following form:firewall-cmd --get-services
service name=service_name
port
- The
port
element can either be a single port number or a port range, for example,5060-5062
, followed by the protocol, either astcp
orudp
. The command takes the following form:port port=number_or_range protocol=protocol
protocol
- The
protocol
value can be either a protocol ID number or a protocol name. For allowedprotocol
entries, see/etc/protocols
. The command takes the following form:protocol value=protocol_name_or_ID
icmp-block
- Use this command to block one or more
ICMP
types. TheICMP
type is one of theICMP
types firewalld supports. To get a listing of supportedICMP
types, enter the following command:~]$
Specifying an action is not allowed here.firewall-cmd --get-icmptypes
icmp-block
uses the actionreject
internally. The command takes the following form:icmp-block name=icmptype_name
masquerade
- Turns on IP masquerading in the rule. A source address can be provided to limit masquerading to this area, but not a destination address. Specifying an action is not allowed here.
forward-port
- Forward packets from a local port with protocol specified as
tcp
orudp
to either another port locally, to another machine, or to another port on another machine. Theport
andto-port
can either be a single port number or a port range. The destination address is a simple IP address. Specifying an action is not allowed here. Theforward-port
command uses the actionaccept
internally. The command takes the following form:forward-port port=number_or_range protocol=protocol /
to-port=number_or_range to-addr=address
source-port
- Matches the source port of the packet - the port that is used on the origin of a connection attempt. To match a port on current machine, use the
port
element. Thesource-port
element can either be a single port number or a port range (for example, 5060-5062) followed by the protocol astcp
orudp
. The command takes the following form:source-port port=number_or_range protocol=protocol
Logging
log
- Log new connection attempts to the rule with kernel logging, for example, in syslog. You can define a prefix text that will be added to the log message as a prefix. Log level can be one of
emerg
,alert
,crit
,error
,warning
,notice
,info
, ordebug
. The use of log is optional. It is possible to limit logging as follows:
The rate is a natural positive number [1, ..], with the duration oflog [prefix=prefix text] [level=log level] limit value=rate/duration
s
,m
,h
,d
.s
means seconds,m
means minutes,h
means hours, andd
days. The maximum limit value is1/d
, which means at maximum one log entry per day. audit
- Audit provides an alternative way for logging using audit records sent to the service
auditd
. The audit type can be one ofACCEPT
,REJECT
, orDROP
, but it is not specified after the commandaudit
as the audit type will be automatically gathered from the rule action. Audit does not have its own parameters, but limit can be added optionally. The use of audit is optional.
Action
accept|reject|drop|mark
- An action can be one of
accept
,reject
,drop
, ormark
. The rule can only contain an element or a source. If the rule contains an element, then new connections matching the element will be handled with the action. If the rule contains a source, then everything from the source address will be handled with the action specified.accept | reject [type=reject type] | drop | mark set="mark[/mask]"
Withaccept
, all new connection attempts will be granted. Withreject
, they will be rejected and their source will get a reject message. The reject type can be set to use another value. Withdrop
, all packets will be dropped immediately and no information is sent to the source. Withmark
all packets will be marked with the given mark and the optional mask.
5.15.4. Using the Rich Rule Log Command
Logging can be done with the Netfilter log target and also with the audit target. A new chain is added to all zones with a name in the format “zone_log”, where zone is the zone name. This is processed before the
deny
chain to have the proper ordering. The rules or parts of them are placed in separate chains, according to the action of the rule, as follows:
zone_log zone_deny zone_allow
All logging rules will be placed in the “zone_log” chain, which will be parsed first. All
reject
and drop
rules will be placed in the “zone_deny” chain, which will be parsed after the log chain. All accept
rules will be placed in the “zone_allow” chain, which will be parsed after the deny
chain. If a rule contains log
and also deny
or allow
actions, the parts of the rule that specify these actions are placed in the matching chains.
5.15.4.1. Using the Rich Rule Log Command Example 1
Enable new
IPv4
and IPv6
connections for authentication header protocol AH
:
rule protocol value="ah" accept
5.15.4.2. Using the Rich Rule Log Command Example 2
Allow new
IPv4
and IPv6
connections for protocol FTP
and log 1 per minute using audit:
rule service name="ftp" log limit value="1/m" audit accept
5.15.4.3. Using the Rich Rule Log Command Example 3
Allow new
IPv4
connections from address 192.168.0.0/24
for protocol TFTP
and log 1 per minute using syslog:
rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="tftp" level="info" limit value="1/m" accept
5.15.4.4. Using the Rich Rule Log Command Example 4
New
IPv6
connections from 1:2:3:4:6::
for protocol RADIUS
are all rejected and logged at a rate of 3 per minute. New IPv6
connections from other sources are accepted:
rule family="ipv6" source address="1:2:3:4:6::" service name="radius" log prefix="dns" level="info" limit value="3/m" reject rule family="ipv6" service name="radius" accept
5.15.4.5. Using the Rich Rule Log Command Example 5
Forward
IPv6
packets received from 1:2:3:4:6::
on port 4011 with protocol TCP
to 1::2:3:4:7
on port 4012.
rule family="ipv6" source address="1:2:3:4:6::" forward-port to-addr="1::2:3:4:7" to-port="4012" protocol="tcp" port="4011"
5.15.4.6. Using the Rich Rule Log Command Example 6
Whitelist a source address to allow all connections from this source.
rule family="ipv4" source address="192.168.2.2" accept
See the
firewalld.richlanguage(5)
man page for more examples.