firewalld rule "line numbers"

Issues related to configuring your network
Post Reply
Inishev
Posts: 18
Joined: 2015/06/19 13:23:26

firewalld rule "line numbers"

Post by Inishev » 2018/01/23 12:20:59

hi guys
i'm configure firewalld for outgoing pakets.
My chain view like this

Chain OUTPUT_direct (1 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 87.250.250.242 tcp dpt:80
2 ACCEPT tcp -- 0.0.0.0/0 87.250.250.242 tcp dpt:443
3 ACCEPT tcp -- 0.0.0.0/0 217.69.139.200 tcp dpt:80
4 ACCEPT tcp -- 0.0.0.0/0 217.69.139.200 tcp dpt:443
5 ACCEPT tcp -- 0.0.0.0/0 94.100.180.201 tcp dpt:443
6 ACCEPT tcp -- 0.0.0.0/0 217.69.139.201 tcp dpt:443
7 ACCEPT tcp -- 0.0.0.0/0 94.100.180.200 tcp dpt:443
8 ACCEPT tcp -- 0.0.0.0/0 94.100.180.201 tcp dpt:80
9 ACCEPT tcp -- 0.0.0.0/0 217.69.139.201 tcp dpt:80
10 ACCEPT tcp -- 0.0.0.0/0 94.100.180.200 tcp dpt:80

and when i add rule

firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 80 -j DROP

i have

Chain OUTPUT_direct (1 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 87.250.250.242 tcp dpt:80
2 ACCEPT tcp -- 0.0.0.0/0 87.250.250.242 tcp dpt:443
3 ACCEPT tcp -- 0.0.0.0/0 217.69.139.200 tcp dpt:80
4 ACCEPT tcp -- 0.0.0.0/0 217.69.139.200 tcp dpt:443
5 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
6 ACCEPT tcp -- 0.0.0.0/0 94.100.180.201 tcp dpt:443
7 ACCEPT tcp -- 0.0.0.0/0 217.69.139.201 tcp dpt:443
8 ACCEPT tcp -- 0.0.0.0/0 94.100.180.200 tcp dpt:443
9 ACCEPT tcp -- 0.0.0.0/0 94.100.180.201 tcp dpt:80
10 ACCEPT tcp -- 0.0.0.0/0 217.69.139.201 tcp dpt:80
11 ACCEPT tcp -- 0.0.0.0/0 94.100.180.200 tcp dpt:80

why this rule added in middle chain?

Maybe firewall have anything like iptables line numbers?

p.s
ofcourse tonight i will reading http://www.firewalld.org/documentation/

thank you
Top
Inishev
Posts: 18
Joined: 2015/06/19 13:23:26

Re: firewalld rule "line numbers"

Post by Inishev » 2018/01/25 05:10:11

Thanks to all
i'm very stupid!
Very very stupid!

i tested rule

Code: Select all

firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 80 -j DROP
and i noticed this number

Code: Select all

filter OUTPUT 1
I changed this number to 1000 and have result!

Thank for all!

Code: Select all

firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1000 -p tcp -m tcp --dport 80 -j DROP
Notice i added this rule first, and then i add anothers rules
Top
Post Reply

Return to “CentOS 7 - Networking Support”