Removing all rich rules at once

wice22
Posts: 7
Joined: 2017/02/19 15:56:06

Removing all rich rules at once

Postby wice22 » 2017/08/02 16:33:37

Hi,
I have this rich rule:

Code:

# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens32 ens33 ens34 ens35 ens38
  sources:
  services: dhcpv6-client dns ssh
  ports: 53/tcp 53/udp 22/tcp
  protocols:
  masquerade: yes
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.0.40" forward-port port="22" protocol="tcp" to-port="22"


I tried to remove it with:

Code:

# firewall-cmd --permanent --remove-rich-rule="rule family=\"ipv4\" source address=\"192.168.0.40\" forward-port port=\"22\" protocol=\"tcp\" to-port=\"22\""
Warning: NOT_ENABLED: rule family="ipv4" source address="192.168.0.40" forward-port port="22" protocol="tcp" to-port="22"

success

Code:

# firewall-cmd --reload
# systemctl restart firewalld

But the rule still stays ...

Code:

# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens32 ens33 ens34 ens35 ens38
  sources:
  services: dhcpv6-client dns ssh
  ports: 53/tcp 53/udp 22/tcp
  protocols:
  masquerade: yes
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.0.40" forward-port port="22" protocol="tcp" to-port="22"


Is there any way to FLUSH all rich rules, or all configuration in firewalld, as there was with iptables -F?

jlehtone
Posts: 1853
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Removing all rich rules at once

Postby jlehtone » 2017/08/02 19:40:15

Why do you think that a removal that warns you about something is a success?

1. man 5 firewalld.richlanguage for checking the syntax of rules

2.

Code:

firewall-cmd --remove-rich-rule 'rule'

not

Code:

firewall-cmd --remove-rich-rule "rule"


3. There is --remove-rich-rule 'rule' to check whether a rule is in use, i.e. whether your syntax is right.
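For the original question (flushing every rich rule the way iptables -F would) and the quoting point above, here is an added script that is not from this thread or from firewalld itself. It removes each rich rule of one zone from both runtime and permanent configuration, passing the rule text as a single argument so the embedded double quotes never go through a second layer of shell quoting, and then confirms with --query-rich-rule that the rule is really gone. It assumes firewall-cmd is on PATH and that the zone to clean is given in ZONE (defaulting to public, as in the listing above); the sample listing embedded in it is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the thread. Flushes every rich rule of one firewalld zone
# (runtime and permanent) and verifies each removal. Assumes firewall-cmd is on PATH
# and that ZONE names the zone to clean (defaults to "public", as in the thread).
ZONE="${ZONE:-public}"

# Pull the rule lines out of a `firewall-cmd --list-all` listing read from stdin:
# everything after the "rich rules:" header, leading whitespace stripped.
rich_rules_from_list_all() {
    awk '/^[[:space:]]*rich rules:/ { in_rules = 1; next }
         in_rules && /^[[:space:]]+rule / { sub(/^[[:space:]]+/, ""); print }'
}

# Print the removal command for one rule, single-quoted so the embedded double
# quotes reach firewall-cmd untouched. $1 = rule text, $2 = "" or --permanent.
remove_cmd() {
    printf "firewall-cmd %s--zone=%s --remove-rich-rule='%s'\n" "${2:+$2 }" "$ZONE" "$1"
}

# Live flush: remove each rule from runtime and permanent config, then confirm it is
# gone (--query-rich-rule exits 0 only while the rule is still present).
flush_rich_rules() {
    firewall-cmd --zone="$ZONE" --list-rich-rules | while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        # Passing "$rule" as one argument sidesteps the double-quote problem entirely.
        firewall-cmd --zone="$ZONE" --remove-rich-rule="$rule"
        firewall-cmd --permanent --zone="$ZONE" --remove-rich-rule="$rule"
        for scope in "" --permanent; do
            if firewall-cmd $scope --zone="$ZONE" --query-rich-rule="$rule" >/dev/null 2>&1; then
                echo "STILL PRESENT ${scope:-(runtime)}: $rule" >&2
            fi
        done
    done
}

# Constructed sample listing (not captured from a real host), shaped like the
# thread's --list-all output, so the parsing and quoting can be checked offline.
SAMPLE_LIST_ALL='public (active)
  target: default
  services: dhcpv6-client dns ssh
  rich rules:
        rule family="ipv4" source address="192.168.0.40" forward-port port="22" protocol="tcp" to-port="22"
        rule family="ipv4" source address="192.168.0.41" service name="ssh" reject'

if [ "${1:-}" = "--apply" ]; then
    flush_rich_rules
else
    # Dry run: show the exact commands that would be issued for the sample listing.
    printf '%s\n' "$SAMPLE_LIST_ALL" | rich_rules_from_list_all | while IFS= read -r rule; do
        remove_cmd "$rule"; remove_cmd "$rule" --permanent
    done
fi
```

Run it without arguments to see the generated commands for the sample; run it with --apply on a host to flush the zone and get a line on stderr for anything that survived.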

macattack2241
Posts: 6
Joined: 2017/08/18 15:56:54

Re: Removing all rich rules at once

Postby macattack2241 » 2017/08/18 16:39:52

Good catch about the double quotes vs single quotes. When I was first working with rich rules, I used this documentation to become familiar with the syntax (essentially the man pages, but in a nicer format):

https://fedoraproject.org/wiki/Features ... chLanguage