About
A rich rule is a line of text that:
- begins with the word rule
- defines a list of options (the matching criteria)
- ends with an action:
  - accept
  - reject
  - drop
  - mark
If a packet matches the options of the rich rule, the action is taken.
Example
Examples are available on this page: Firewalld - A list of common How-to's
How to
When you add, update or remove a rich rule, the whole rule line must be given, because the rule text itself is the rule identifier.
Add Rich Rule
- Permanent
firewall-cmd \
--permanent \
--zone=home \
--add-rich-rule='rule family="ipv4" source address="192.168.78.76/32" port port="8080" protocol="tcp" accept'
- Temporary for 30 seconds
firewall-cmd \
--zone=home \
--timeout=30 \
--add-rich-rule='rule family="ipv4" source address="192.168.78.76/32" port port="8080" protocol="tcp" accept'
List Rich Rule
# permanent rule
firewall-cmd --permanent --list-rich-rule
# temporary rule (deleted at restart)
firewall-cmd --list-rich-rule
# example output:
rule family="ipv4" source NOT ipset="nl" service name="ssh" drop
Remove Rich Rule
firewall-cmd --permanent --remove-rich-rule 'rule ....'
Rich Rule Priority
Before priority was available, rich rules were sorted and executed according to their action.
- The rule priority can be in the range of -32768 to 32767 where lower values have higher precedence.
- The default priority of a rich rule is 0 (?).
- A negative priority value will be executed before other firewalld primitives.
- A positive priority value will be executed after other firewalld primitives.
- Ordering for rules with the same priority value is undefined.
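The add/list/query workflow above and the priority range, as an added helper script that is not part of this page or of the firewalld project: it assembles a rich rule line from its parts, validates the priority range, and, because the whole rule line is the identifier, queries for the exact text before adding it. The function names (check_priority, build_rich_rule, apply_rich_rule), the sample subnet and the log prefix are assumptions; the --apply path needs a host with firewall-cmd.

```shell
#!/bin/sh
# Added helper (hypothetical; not from the page or firewalld): builds a rich rule
# line, checks the priority range -32768..32767, calls firewall-cmd only with --apply.
# check_priority N: succeed only if N is an integer within -32768..32767
check_priority() {
  case "$1" in
    ''|*[!0-9-]*|-|?*-*) return 1 ;;   # empty, non-digit, or misplaced '-'
  esac
  [ "$1" -ge -32768 ] && [ "$1" -le 32767 ]
}

# build_rich_rule FAMILY PRIORITY SOURCE MATCH ACTION [LOG_PREFIX [LIMIT]]
#   SOURCE: full source clause, e.g. 'source not ipset="nl"'
#   MATCH : e.g. 'service name="ssh"' or 'port port="8080" protocol="tcp"'
#   ACTION: accept | reject | drop (mark needs set= and is left out here)
# Prints the rule line; priority 0 (the default) is omitted from the text.
build_rich_rule() {
  family=$1 prio=$2 src=$3 match=$4 action=$5 prefix=$6 limit=$7
  check_priority "$prio" || { echo "priority out of range: $prio" >&2; return 1; }
  case "$action" in
    accept|reject|drop) ;;
    *) echo "unsupported action: $action" >&2; return 1 ;;
  esac
  rule="rule family=\"$family\""
  if [ "$prio" -ne 0 ]; then rule="$rule priority=\"$prio\""; fi
  rule="$rule $src $match"
  if [ -n "$prefix" ]; then             # optional kernel logging with rate limit
    rule="$rule log prefix=\"$prefix\" level=\"info\""
    if [ -n "$limit" ]; then rule="$rule limit value=\"$limit\""; fi
  fi
  printf '%s\n' "$rule $action"
}

# apply_rich_rule ZONE RULE: the whole rule line is the identifier, so query
# for the exact text first and add it permanently only when it is absent.
apply_rich_rule() {
  zone=$1 rule=$2
  if firewall-cmd --permanent --zone="$zone" --query-rich-rule="$rule" >/dev/null 2>&1; then
    echo "already present in zone $zone: $rule"
  else
    firewall-cmd --permanent --zone="$zone" --add-rich-rule="$rule" && firewall-cmd --reload
  fi
}
if [ "${1:-}" = "--apply" ]; then
  # constructed sample: allow TCP/8080 from one subnet, log at 3 per minute
  rule=$(build_rich_rule ipv4 -10 'source address="192.168.78.0/24"' \
           'port port="8080" protocol="tcp"' accept web-allow 3/m) || exit 1
  apply_rich_rule home "$rule"
fi
```

Run it with --apply on a host that has firewall-cmd to add the constructed rule to the home zone; without arguments it only defines the functions.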
Format
General
The general rule structure:
<rule [family="ipv4|ipv6"] [priority="priority"]>
[ <source [not] address="address[/mask]"|mac="mac-address"|ipset="ipset"/> ]
[ <destination [not] address="address[/mask]"|ipset="ipset"/> ]
[
<service name="string"/> |
<port port="port value" protocol="tcp|udp|sctp|dccp"/> |
<protocol value="protocol"/> |
<icmp-block name="icmptype"/> |
<masquerade/> |
<forward-port port="port value" protocol="tcp|udp|sctp|dccp" to-port="port value" to-addr="address"/> |
<source-port port="portid[-portid]" protocol="tcp|udp"/> |
]
[
<log [prefix="prefixtext"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> |
<nflog [prefix="prefixtext"] [group="group id"] [queue-size="threshold"]> [<limit value="rate/duration"/>] </nflog>
]
[ <audit> [<limit value="rate/duration"/>] </audit> ]
[
<accept> [<limit value="rate/duration"/>] </accept> |
<reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
<drop> [<limit value="rate/duration"/>] </drop> |
<mark set="mark[/mask]"> [<limit value="rate/duration"/>] </mark>
]
</rule>
where:
- source matches the packet source (an address with optional mask, a MAC address or an ipset), optionally negated with not
- accept, reject, drop, mark are the actions (targets)
- log logs matching packets with kernel logging (for example to syslog), with an optional prefix, level and rate limit
- forward-port forwards traffic arriving on a port to another port and/or address
- service refers to a predefined firewalld service
- port matches a port number (or range) and protocol
- masquerade turns on masquerading in the rule (IP forwarding is implicitly enabled). A source and also a destination address can be provided to limit masquerading to this area. It is not allowed to specify an action here.
Black or whitelisting format
Example of rule structure for source black or whitelisting:
<rule [family="ipv4|ipv6"]>
<source [not] address="address[/mask]"|mac="mac-address"|ipset="ipset"/>
[
<log [prefix="prefixtext"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> |
<nflog [prefix="prefixtext"] [group="group id"] [queue-size="threshold"]> [<limit value="rate/duration"/>] </nflog>
]
[ <audit> [<limit value="rate/duration"/>] </audit> ]
<accept> [<limit value="rate/duration"/>] </accept> |
<reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
<drop> [<limit value="rate/duration"/>] </drop>
</rule>
Reference
The reference can be found in the man page (firewalld.richlanguage), or online for the latest version:
man firewalld.richlanguage