os:linux:firewalld:rich-rule

About

Rich rule ¹⁾ is a line of text that:

begins with rule
defines a list of options
and terminates by an action:
- accept
- reject
- drop
- mark

If a packet matches the options of the rich rule, the action is taken.

Example

Examples are available on this page: Firewalld - A list of common How-to's

How to

When you add, update or remove a rich rule, the whole rule line should be used as this is the rule identifier.

Add Rich Rule

Permanent

firewall-cmd \
   --permanent \
  --zone=home \
  --add-rich-rule='rule family="ipv4" source address="192.168.78.76/32" port port="8080" protocol="tcp" accept'

Temporary for 30 seconds

firewall-cmd \
  --zone=home \
  --timeout=30 \
  --add-rich-rule='rule family="ipv4" source address="192.168.78.76/32" port port="8080" protocol="tcp" accept'

List Rich Rule

# permanent rule
firewall-cmd --permanent --list-rich-rule
# temporary rule (deleted at restart) 
firewall-cmd --list-rich-rule

rule family="ipv4" source NOT ipset="nl" service name="ssh" drop

Remove Rich Rule

firewall-cmd --permanent --remove-rich-rule 'rule ....'

Rich Rule Priority

Before priority was available, rich rules execution were sorted and executed on their rule action.

The rule priority can be in the range of -32768 to 32767 where lower values have higher precedence.
The default priority of a rich rule is 0 (?).
A negative priority value will be executed before other firewalld primitives.
A positive priority value will be executed after other firewalld primitives.
Ordering for rules with the same priority value is undefined.

Format

General

The general rule structure ²⁾:

<rule [family="ipv4|ipv6"] [priority="priority"]>
  [ <source [not] address="address[/mask]"|mac="mac-address"|ipset="ipset"/> ]
  [ <destination [not] address="address[/mask]"|ipset="ipset"/> ]
  [
    <service name="string"/> |
    <port port="port value" protocol="tcp|udp|sctp|dccp"/> |
    <protocol value="protocol"/> |
    <icmp-block name="icmptype"/> |
    <masquerade/> |
    <forward-port port="port value" protocol="tcp|udp|sctp|dccp" to-port="port value" to-addr="address"/> |
    <source-port port="portid[-portid]" protocol="tcp|udp"/> |
  ]
  [ 
    <log [prefix="prefixtext"] [level="emerg|alert|crit|err|warn|notice|info|debug"]/> [<limit value="rate/duration"/>] </log> |
    <nflog [prefix="prefixtext"] [group="group id"] [queue-size="threshold"]/> [<limit value="rate/duration"/>] </nflog>
  ]
  [ <audit> [<limit value="rate/duration"/>] </audit> ]
  [
    <accept> [<limit value="rate/duration"/>] </accept> |
    <reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
    <drop> [<limit value="rate/duration"/>] </drop> |
    <mark set="mark[/mask]"> [<limit value="rate/duration"/>] </mark>
  ]
</rule>

where:

source is the source
accept, reject, drop, mark are targets
log is the log
forward-port is forward-port
service is a service
port is a port
masquerade is masquerade (IP forwarding will be implicitly enabled) - Turn on masquerading in the rule. A source and also a destination address can be provided to limit masquerading to this area. It is not allowed to specify an action here.

Black or whitelisting format

Example of rule structure for source black or whitelisting:

<rule [family="ipv4|ipv6"]>
  <source [not] address="address[/mask]"|mac="mac-address"|ipset="ipset"/>
  [ 
    <log [prefix="prefixtext"] [level="emerg|alert|crit|err|warn|notice|info|debug"]/> [<limit value="rate/duration"/>] </log> |
    <nflog [prefix="prefixtext"] [group="group id"] [queue-size="threshold"]/> [<limit value="rate/duration"/>] </nflog>
  ]
  [ <audit> [<limit value="rate/duration"/>] </audit> ]
  <accept> [<limit value="rate/duration"/>] </accept> |
  <reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
  <drop> [<limit value="rate/duration"/>] </drop>
</rule>