What are Rich Rules or Rules in Firewalld?

About

Rich rule 1) is a line of text that:

  • begins with rule
  • defines a list of options
  • and terminates by an action:
    • accept
    • reject
    • drop
    • mark

If a packet matches the options of the rich rule, the action is taken.

Example

Examples are available on this page: Firewalld - A list of common How-to's

How to

When you add, update or remove a rich rule, the whole rule line should be used as this is the rule identifier.

Add Rich Rule

  • Permanent
firewall-cmd \
   --permanent \
  --zone=home \
  --add-rich-rule='rule family="ipv4" source address="192.168.78.76/32" port port="8080" protocol="tcp" accept'
firewall-cmd \
  --zone=home \
  --timeout=30 \
  --add-rich-rule='rule family="ipv4" source address="192.168.78.76/32" port port="8080" protocol="tcp" accept'

List Rich Rule

# permanent rule
firewall-cmd --permanent --list-rich-rule
# temporary rule (deleted at restart) 
firewall-cmd --list-rich-rule
rule family="ipv4" source NOT ipset="nl" service name="ssh" drop

Remove Rich Rule

firewall-cmd --permanent --remove-rich-rule 'rule ....'

Rich Rule Priority

Before priority was available, rich rules execution were sorted and executed on their rule action.

  • The rule priority can be in the range of -32768 to 32767 where lower values have higher precedence.
  • The default priority of a rich rule is 0 (?).
  • A negative priority value will be executed before other firewalld primitives.
  • A positive priority value will be executed after other firewalld primitives.
  • Ordering for rules with the same priority value is undefined.

Format

General

The general rule structure 2):

<rule [family="ipv4|ipv6"] [priority="priority"]>
  [ <source [not] address="address[/mask]"|mac="mac-address"|ipset="ipset"/> ]
  [ <destination [not] address="address[/mask]"|ipset="ipset"/> ]
  [
    <service name="string"/> |
    <port port="port value" protocol="tcp|udp|sctp|dccp"/> |
    <protocol value="protocol"/> |
    <icmp-block name="icmptype"/> |
    <masquerade/> |
    <forward-port port="port value" protocol="tcp|udp|sctp|dccp" to-port="port value" to-addr="address"/> |
    <source-port port="portid[-portid]" protocol="tcp|udp"/> |
  ]
  [ 
    <log [prefix="prefixtext"] [level="emerg|alert|crit|err|warn|notice|info|debug"]/> [<limit value="rate/duration"/>] </log> |
    <nflog [prefix="prefixtext"] [group="group id"] [queue-size="threshold"]/> [<limit value="rate/duration"/>] </nflog>
  ]
  [ <audit> [<limit value="rate/duration"/>] </audit> ]
  [
    <accept> [<limit value="rate/duration"/>] </accept> |
    <reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
    <drop> [<limit value="rate/duration"/>] </drop> |
    <mark set="mark[/mask]"> [<limit value="rate/duration"/>] </mark>
  ]
</rule>

where:

  • source is the source
  • accept, reject, drop, mark are targets
  • log is the log
  • forward-port is forward-port
  • service is a service
  • port is a port
  • masquerade is masquerade (IP forwarding will be implicitly enabled) - Turn on masquerading in the rule. A source and also a destination address can be provided to limit masquerading to this area. It is not allowed to specify an action here.

Black or whitelisting format

Example of rule structure for source black or whitelisting:

<rule [family="ipv4|ipv6"]>
  <source [not] address="address[/mask]"|mac="mac-address"|ipset="ipset"/>
  [ 
    <log [prefix="prefixtext"] [level="emerg|alert|crit|err|warn|notice|info|debug"]/> [<limit value="rate/duration"/>] </log> |
    <nflog [prefix="prefixtext"] [group="group id"] [queue-size="threshold"]/> [<limit value="rate/duration"/>] </nflog>
  ]
  [ <audit> [<limit value="rate/duration"/>] </audit> ]
  <accept> [<limit value="rate/duration"/>] </accept> |
  <reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
  <drop> [<limit value="rate/duration"/>] </drop>
</rule>

Reference

The reference can be found in the man page (firewalld.richlanguage) or online for the latest

man firewalld.richlanguage





Discover More
Firewalld

Cheatsheet on the usage of Firewalld
Firewalld - How to filter your traffic based on an IP, port or Region?

This page shows you how to filter your traffic based on a IP with firewalld rich rules. where: --permanent means that the rule will be used even after reboot. --add-rich-rule specifies the rich...
Firewalld - Log

This page is the log information of firewalld Add logging rules right before reject and drop rules in the INPUT, FORWARD, and OUTPUT chains for the default rules and also final reject and drop rules...
Firewalld - Policy

A policy applies a set of rules to traffic flowing between zones. The policy affects traffic in a stateful unidirectional manner, e.g. from: an ingress zone: zoneA to an egress zone: zoneB. ...
Firewalld - Target (Rich Rule Action)

A target is the action taken if the configuration options match a IP packet. It's used: as the last word in a rich rule as the default action in a zone. It's a iptables concept. Name Rejection...
Firewalld - Zone

A zone is a grouping of rule configurations known as zone option. A firewall zone is defined for: a connection, an interface or source address binding (range of source addresses) This is a one-to-many...
How to forward to a port / address (Redirect) with firewalld?

This page shows you how to forward your traffic based on a port with the forward-port rule. In a zone option, you can add directly port forwarding directly without using a rich rule. Other commands...
How to restrict your traffic to a country with Firewalld / Iptable? (ie packet filtering by country)

A step-by-step on how to configure your iptable firewall with firewalld to allow only requests originating from a country



Share this page:
Follow us:
Task Runner