I had thought that "firewall-cmd --add-source<ip>" opens up all server ports to the IP address given, effectively whitelisting the IP address. It does not do that. What exactly does it do? This should be simple to understand but I don't.
I read the following on Red Hat support site
>The following procedure allows all incoming traffic from 192.168.2.15 in the trusted zone:
> firewall-cmd --zone=trusted --add-source=192.168.2.15
I read this as: if the interface is in the trusted zone then it is open to all traffic from 192.168.2.15.
I have tried this syntax with the public zone but it does not work.
Traffic from the specified IP address is still blocked.
Thanks
George
Confused as to what firewall-cmd --add-source<ip> does
Re: Confused as to what firewall-cmd --add-source<ip> does
Looking at the iptables rules behind the scenes it looks like it does the right thing from a quick look to me:
iptables-save > /tmp/a
firewall-cmd --add-source=192.168.2.15
iptables-save > /tmp/b
diff -u /tmp/a /tmp/b
Given firewalld's ridiculous ruleset, the changes that makes are too big for a forum post!
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: Confused as to what firewall-cmd --add-source<ip> does
Yes, I understood iptables, not perfectly but with a degree of confidence.
Suffice to say that in all the tests I have carried out the syntax of "firewall-cmd --add-source <ip>" does not whitelist the ip. I've even logged a ticket to Red Hat for an explanation but I haven't really got anywhere.
I would have liked to see the IP address added to the "INPUT" chain, but no, I see the following from a grep of iptables-save:
iptables-save | grep 172.16.100
-A POSTROUTING_ZONES_SOURCE -d 172.16.100.0/23 -g POST_public
-A PREROUTING_ZONES_SOURCE -s 172.16.100.0/23 -g PRE_public
-A PREROUTING_ZONES_SOURCE -s 172.16.100.0/23 -g PRE_public
-A PREROUTING_ZONES_SOURCE -s 172.16.100.0/23 -g PRE_public
-A FORWARD_IN_ZONES_SOURCE -s 172.16.100.0/23 -g FWDI_public
-A FORWARD_OUT_ZONES_SOURCE -d 172.16.100.0/23 -g FWDO_public
-A INPUT_ZONES_SOURCE -s 172.16.100.0/23 -g IN_public
And I really don't understand what the above is telling me.
Thanks
George
- KernelOops
- Posts: 428
- Joined: 2013/12/18 15:04:03
- Location: xfs file system
Re: Confused as to what firewall-cmd --add-source<ip> does
First of all, --add-source does NOT open any ports. Let's get that out of the way so we can move on.
--add-source binds an IP address (or mask, or MAC, or ipset) to a specific zone. That's all it does.
So... if you run the command you mention above:
> firewall-cmd --zone=trusted --add-source=192.168.2.15
basically all you've done is to bind the IP 192.168.2.15 to a zone named "trusted". On its own, it means absolutely nothing, unless you have modified the "trusted" zone to do something.
In other words, what you should be doing is to create a zone named "trusted", open various ports in that zone and add a source to that zone. The result is an XML file under /etc/firewalld/zones; here is an example of such a zone that allows ports 80 and 443 for source IP 192.168.2.15.
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>trusted</short>
<description>trusted</description>
<source address="192.168.2.15"/>
<port protocol="tcp" port="80"/>
<port protocol="tcp" port="443"/>
</zone>
--
R.I.P. CentOS
Re: Confused as to what firewall-cmd --add-source<ip> does
Put another way:
A zone is what should be done with a packet. A zone does not care about the origin of the packet.
The "source" (or interface) decides, based on the origin, to which zone a packet is given.
Let's say the interface's zone is 'public' (which is the default). SSH is allowed from anywhere.
Then you add source 8.8.8.8 to 'trusted'. Packets from 8.8.8.8 are now handled by trusted, which does allow everything.
All other incoming traffic is still handled by 'public'.