[ale] Firewalld rich rule sanity check

Alex Carver agcarver+ale at acarver.net
Wed Dec 4 02:02:07 EST 2019


You can also ditch firewalld and use iptables/nftables which does allow
ranges of arbitrary length.

iptables allows CIDR notation in the source or destination:
iptables -A INPUT -i eth0 -p tcp -s w.x.y.0/z -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m iprange --src-range w.x.y.a-w.x.y.b -j ACCEPT

nftables allows ranges as part of intervals:
nft add rule filter input ip daddr 192.168.0.1-192.168.0.250 drop

http://wiki.nftables.org/wiki-nftables/index.php/Intervals


On 2019-12-03 13:47, Lightner, Jeffrey via Ale wrote:
> In your first question you seemed to indicate you just wanted to avoid the first and last IP of a subnet range so as not to include the broadcast.   I don't see the need to do that.
> 
> You now seem to be saying the range you want something other than one where you just want to exclude the first and last of the subnet range.
> 
> If so, it appears you'll have to do the script for the individual IPs because the man page makes it clear you can't really do subsets of a network as your range:
> 
> "A source address or address range is either an IP address or a network IP address with a mask for IPv4 or IPv6 or a MAC address or an ipset with the ipset: prefix. For IPv4, the mask can be a network mask or a plain number."
> 
> You might be able to make your script smaller by using multiple subnets with masks to cover the bulk of the range which is smaller than the overall range then add individual IPs (e.g. multiple /26 subnets based on start/end of ranges within a broader /24).
> 
> -----Original Message-----
> From: Ale <ale-bounces at ale.org> On Behalf Of Beddingfield, Allen via Ale
> Sent: Tuesday, December 03, 2019 2:05 PM
> To: Atlanta Linux Enthusiasts <ale at ale.org>
> Subject: Re: [ale] Firewalld rich rule sanity check
> 
> Yeah, it seems to be a major lacking feature that you can't just specify a range.
> The problem is that it won't be 15.  It will be a few hundred.  I've got a page of ranges like that to allow.  Sure it will work, but it seems like there should be a cleaner way (start ip:end ip)
> 
> Allen B.
> 
> --
> Allen Beddingfield
> Systems Engineer
> Office of Information Technology
> The University of Alabama
> Office 205-348-2251
> allen at ua.edu
> 
> 
> ________________________________________
> From: Jim Kinney <jim.kinney at gmail.com>
> Sent: Tuesday, December 3, 2019 1:01 PM
> To: Beddingfield, Allen; Atlanta Linux Enthusiasts
> Subject: Re: [ale] Firewalld rich rule sanity check
> 
> Looks like time for a quick script to generate 15 rules.
> 
> You can also use a larger block after a hard exclusion as a filter. Or use the small subnet and add the missing ones.
> 
> Either way, I would add the singles first (toward the top of the chain) and the group at the bottom.
> 
> On Tue, 2019-12-03 at 18:53 +0000, Beddingfield, Allen via Ale wrote:
> 
> Thanks.  I'm familiar with the syntax.  My specific question is around allowing a specified range of IP addresses that is not an exact subnet.
> 
> 
> So:
> 
> In 192.168.0.0/24, I want to ONLY allow 192.168.0.80 through 192.168.0.95
> 
> That range does not exactly match a subnet that can be defined.  The closest is:
> 
> 192.168.0.80/28.  The starting IP of that would be 192.168.0.81, and the ending would be 192.168.0.94.  The network IP is 192.168.0.80, and the broadcast address is 192.168.0.95.
> 
> 
> What is the best way to specify this?
> 
> From what I can tell, firewalld doesn't allow for specifying an arbitrary range of ip addresses as source.  It can be a single IP or a network specified this way: 192.168.0.0/24
> 
> 
> The two ideas I had are:
> 
> 
> This:
> 
> (In this example, will it be a problem that I'm specifying a separate rule for what is already defined to be a broadcast and network ip?)
> 
> 
> firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.80 port port=80 protocol=tcp accept' --permanent
> 
> 
> firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.80/28 port port=80 protocol=tcp accept' --permanent
> 
> 
> firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.95 port port=80 protocol=tcp accept' --permanent
> 
> 
> Or This:
> 
> firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.80 port port=80 protocol=tcp accept' --permanent
> 
> 
> firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.81 port port=80 protocol=tcp accept' --permanent
> 
> 
> etc...etc... through
> 
> 
> firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.95 port port=80 protocol=tcp accept' --permanent
> 
> 
> Allen B.
> 
> --
> 
> Allen Beddingfield
> 
> Systems Engineer
> 
> Office of Information Technology
> 
> The University of Alabama
> 
> Office 205-348-2251
> 
> allen at ua.edu
> 
> 
> 
> 
> ________________________________________
> 
> From: Lightner, Jeffrey <JLightner at dsservices.com>
> 
> Sent: Tuesday, December 3, 2019 11:51 AM
> 
> To: Beddingfield, Allen; Atlanta Linux Enthusiasts
> 
> Subject: RE: Firewalld rich rule sanity check
> 
> 
> When I've added an IP range I've done it like:
> 
> firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source  address="192.168.0.80/28" port port="80" protocol="tcp" accept' --permanent
> 
> 
> Where public was the firewalld default active zone.   You can define different zones for different NICs so you may want to check the zone(s) assigned to your NIC(s) as it is important.   A key thing to know is you don't tell firewalld which NIC is in which zone - instead, you define the zone within the NIC's config.   (At least for RedHat derived OSes such as RHEL, Fedora and CentOS)
> 
> 
> -----Original Message-----
> 
> From: Ale <ale-bounces at ale.org> On Behalf Of Beddingfield, Allen via Ale
> 
> Sent: Tuesday, December 03, 2019 12:03 PM
> 
> To: Atlanta Linux Enthusiasts <ale at ale.org>
> 
> Subject: [ale] Firewalld rich rule sanity check
> 
> 
> I'm wondering about syntax for firewalld rich rules.
> 
> For example, if I want to allow 192.168.0.80 through 192.168.0.95
> 
> .81-.94 would be the start and end addresses of 192.168.0.80/28
> 
> 
> Could I do:
> 
> firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.80 port port=80 protocol=tcp accept' --permanent
> firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.80/28 port port=80 protocol=tcp accept' --permanent
> firewall-cmd --add-rich-rule='rule family ipv4 source address=192.168.0.95 port port=80 protocol=tcp accept' --permanent
> 
> 
> Or, would it be an issue that I am explicitly defining a rule for what would be the network and broadcast address of a subnet I've defined in another rule?
> 
> Am I going to have to do one rich rule per-ip?
> 
> 
> Ideally, I would like to be able to just specify a range of IP addresses, the way I used to be able to do pre-firewalld, but I can't find a way to do that (192.168.0.80:192.168.0.95).
> 
> 
> One rule per ip wouldn't be that big of a deal for the example above, but I have a situation where a vendor has provided a huge list of ip ranges to whitelist that don't cleanly fall along subnet boundaries.  Some are close, but none are exact.
> 
> 
> Thanks.
> 
> Allen B.
> 
> --
> 
> Allen Beddingfield
> 
> Systems Engineer
> 
> Office of Information Technology
> 
> The University of Alabama
> 
> Office 205-348-2251
> 
> allen at ua.edu
> 
> 
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> https://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
> 
> 
> 
> 
> --
> 
> James P. Kinney III Every time you stop a school, you will have to build a jail. What you gain at one end you lose at the other. It's like feeding a dog on his own tail. It won't fatten the dog. - Speech 11/23/1900 Mark Twain http://heretothereideas.blogspot.com/
> 
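Added example (not from anyone in this thread): a small Python script that does what Jeffrey describes, splitting each start/end range into the minimal set of masked blocks, then emits one firewalld rich rule per block in the syntax used above, or a single nftables interval rule as in Alex's reply. It assumes the zone is `public` (as in Jeffrey's message) and that an nftables table `filter` with chain `input` already exists; the sample ranges are constructed. The `covers_exactly` check is there because a hand-picked mask that is too wide quietly allows addresses outside the vendor's list, and because a `/28` source match already includes `.80` and `.95`, so the separate single-IP rules for network and broadcast are redundant.

```python
import ipaddress

# Constructed sample input: start/end pairs like the vendor list in the thread.
RANGES = [
    ("192.168.0.80", "192.168.0.95"),  # exactly one /28 (.80 and .95 included)
    ("192.168.0.80", "192.168.0.90"),  # does not sit on a subnet boundary
]

def range_to_cidrs(start, end):
    """Minimal list of CIDR blocks covering start..end inclusive."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if last < first:
        raise ValueError(f"range end {end} precedes start {start}")
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]

def covers_exactly(start, end, cidrs):
    """True only if the blocks match every address in the range and nothing
    outside it, so a hand-picked mask (e.g. a /26) does not over-allow."""
    lo, hi = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
    wanted = set(range(lo, hi + 1))
    got = {int(a) for c in cidrs for a in ipaddress.ip_network(c)}
    return got == wanted

def firewalld_rules(start, end, port=80, proto="tcp", zone="public"):
    """One rich rule per block. A /28 source matches all 16 addresses,
    network and broadcast included, so no extra single-IP rules are needed."""
    return [
        f"firewall-cmd --zone={zone} --permanent --add-rich-rule="
        f"'rule family=\"ipv4\" source address=\"{cidr}\" "
        f"port port=\"{port}\" protocol=\"{proto}\" accept'"
        for cidr in range_to_cidrs(start, end)
    ]

def nft_rule(start, end, port=80, proto="tcp"):
    """nftables takes the interval directly; table 'filter' and chain 'input'
    are assumed to exist (they are not created here)."""
    return (f"nft add rule ip filter input ip saddr {start}-{end} "
            f"{proto} dport {port} accept")

if __name__ == "__main__":
    for start, end in RANGES:
        cidrs = range_to_cidrs(start, end)
        assert covers_exactly(start, end, cidrs), (start, end, cidrs)
        print(f"# {start}-{end} -> {', '.join(cidrs)}")
        print("\n".join(firewalld_rules(start, end)))
        print(nft_rule(start, end))
```

Run it and paste the printed firewall-cmd lines into a script, finishing with `firewall-cmd --reload` so the permanent rules take effect.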


