I tried to add the rule in the running firewalld, i.e. without the
--permanent option, and I can still connect to the darn thing. I wonder
if it has something to do with the order in which the rules or the
tables are being processed.

firewall-cmd --add-rich-rule="rule family='ipv4' protocol value="tcp" destination address='a.b.0.0/16' reject"

Also, nft list ruleset shows

chain filter_IN_FedoraWorkstation_deny {
    ip daddr a.b.0.0/16 meta l4proto tcp reject with icmp port-unreachable
}

Nothing gets put in iptables (with -L -n).

One thing I noticed: the rule I added on the command line with
firewall-cmd is visible in the GUI (firewall-config). However, if I try
to add the same rule in the GUI, it won't let me; the OK button is
grayed out. I tried different combinations of Family / Priority /
Element / Action and OK is still grayed out, so I can't enter this rule
from the GUI.

On Mon, 19 Jun 2023 13:07:11 -0500, Chris Adams wrote:
> Once upon a time, Amadeus WM <amadeus84@xxxxxxxxxxx> said:
>> 2. The command that I tried
>>
>> firewall-cmd --permanent --add-rich-rule="rule family='ipv4' protocol
>> value="tcp" destination address='aa.bb.0.0/16' reject"
>
> One quirk of firewall-cmd is that there are two distinct modes - one that
> operates on the stored configuration (with --permanent) and one that
> operates on the running config (without --permanent). When you make a
> change with --permanent, it is stored, and will take effect on future
> boots, but it is not applied to the current config. You need to run the
> same command without the --permanent to apply to the current running
> config.
>
> Alternately, you can make all your changes to the running config (no
> --permanent), and then store them all at once with firewall-cmd
> --runtime-to-permanent (but if you have something making dynamic
> changes, like fail2ban for example, that would get stored as well).
> Or you can make all your changes to the permanent config and then load
> them to running all at once with firewall-cmd --reload.
>
>> didn't put anything in iptables, i.e. iptables --list shows no rules.
>> On the other hand, I do have this reject rule in
>> /etc/firewalld/zones/FedoraWorkstation.xml.
>
> iptables only exists as a compat layer on top of nftables, and not
> everything in nftables will be reflected in the output of iptables. To
> see the full nftables running config use "nft list ruleset".
>
> If you are going to use firewalld, you need to either _only_ use
> firewalld, or use nft with separate rulesets alongside the firewalld
> managed rulesets. Trying to mix in iptables rules is unlikely to work
> how you'd like.
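Added example, not part of the thread: two small shell checks for the two points Chris makes above. The first compares the runtime and permanent rich-rule listings for a zone, so a rule that was added with --permanent but never applied (or applied but never stored) shows up as drift; firewall-cmd prints rules in its own normalized form, so compare the two listings with each other rather than with the command you typed. The second looks for the reject rule in a saved `nft list ruleset`, inside the filter_IN_<zone>_deny chain, which is where firewalld's nftables backend places it and why `iptables -L -n` shows nothing. The zone name FedoraWorkstation is taken from the thread; the 203.0.113.0/24 prefix and the sample listings in the usage comments are constructed stand-ins for the poster's a.b.0.0/16. Both functions read saved command output from files, so they can be exercised without root or a live firewalld.

```shell
#!/bin/sh
# Added example, not from the thread. Offline checks for the runtime/permanent
# split in firewalld and for confirming a rule landed in nftables. Inputs are
# files holding saved command output (capture commands in the comments).

# rich_rule_drift RUNTIME_FILE PERMANENT_FILE
# Inputs are the outputs of
#   firewall-cmd --zone=FedoraWorkstation --list-rich-rules             > runtime.txt
#   firewall-cmd --permanent --zone=FedoraWorkstation --list-rich-rules > permanent.txt
# Prints every rule present in only one of the two configurations and
# returns 1 if there is any drift, 0 if the listings agree.
rich_rule_drift() {
    _rt=$(mktemp) && _pm=$(mktemp) || return 2
    sort -u "$1" > "$_rt"
    sort -u "$2" > "$_pm"
    _drift=$( {
        comm -23 "$_rt" "$_pm" | sed 's/^/runtime-only:   /'
        comm -13 "$_rt" "$_pm" | sed 's/^/permanent-only: /'
    } )
    rm -f "$_rt" "$_pm"
    [ -z "$_drift" ] && return 0
    printf '%s\n' "$_drift"
    return 1
}

# nft_reject_for_prefix RULESET_FILE ZONE PREFIX
# Input is the output of `nft list ruleset > ruleset.txt`. Returns 0 when the
# zone's ingress deny chain (filter_IN_<ZONE>_deny, where firewalld's nftables
# backend puts rich rules with a reject/drop action) contains a reject rule
# for `ip daddr PREFIX`, 1 otherwise. Rules in other zones' chains are ignored.
nft_reject_for_prefix() {
    awk -v chain="chain filter_IN_${2}_deny {" -v prefix="ip daddr $3 " '
        index($0, chain)                         { inside = 1; next }
        inside && /^[[:space:]]*}/               { inside = 0 }
        inside && index($0, prefix) && /reject/  { found = 1; exit }
        END                                      { exit found ? 0 : 1 }
    ' "$1"
}

# Usage against a live system (needs root; nothing below runs automatically).
# 203.0.113.0/24 is a constructed stand-in for the prefix in the thread:
#   firewall-cmd --zone=FedoraWorkstation --list-rich-rules             > /tmp/rt.txt
#   firewall-cmd --permanent --zone=FedoraWorkstation --list-rich-rules > /tmp/pm.txt
#   rich_rule_drift /tmp/rt.txt /tmp/pm.txt || echo "runtime and permanent differ"
#   nft list ruleset > /tmp/ruleset.txt
#   nft_reject_for_prefix /tmp/ruleset.txt FedoraWorkstation 203.0.113.0/24 \
#       && echo "reject rule is present in nftables"
```

One caveat the chain name itself points at: filter_IN_FedoraWorkstation_deny is the zone's ingress path, so the rule matches packets arriving at this host whose destination address is in the prefix. Firewalld zones filter incoming traffic; a zone rich rule does not affect connections the host itself opens towards a.b.0.0/16. Filtering host-originated traffic in firewalld is done with a policy object (ingress zone HOST, egress zone ANY) carrying the rich rule, not with a zone rule, so it is worth confirming which direction the connection that "still works" is going before looking at rule ordering.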