1

Setting up a new zone, with a port that has restricted access to an IP address. How does one apply this to more than one IP?

$ firewall-cmd --permanent --new-zone=special
$ firewall-cmd --permanent --zone=special --add-rich-rule='
  rule family="ipv4"
  source address="123.1.1.1"
  port protocol="tcp" port="10050" accept'

Is source address allowed to be an array or a CSV list? Is it defined like this?

source address="123.1.1.1","234.1.1.1"

mcv
  • The second solution in your linked question seems to be more appropriate for this case. – Gerald Schneider Dec 06 '16 at 13:42
  • I see what you mean; I can just call the single command line and it will add it to the existing zone. `firewall-cmd --zone=special --add-source=231.1.1.1` – mcv Dec 06 '16 at 13:48
  • @GeraldSchneider If I define multiple IPs to a zone, do I have to set the server to that zone for it to take effect? Or is `firewall-cmd --reload` perfectly acceptable? – mcv Dec 07 '16 at 00:22
  • @GeraldSchneider - I found the answer in the solution that I linked. – mcv Dec 07 '16 at 00:34
  • Unfortunately the accepted answer in the question you linked is... rather wrong. Check the other answer instead. See also the question I've marked as a duplicate, for the thorough explanation. – Michael Hampton Dec 07 '16 at 01:48

1 Answer

4

You don't need a rich rule for this. It's unnecessary and too complicated for what you want to do.

Just add the source IP addresses and desired ports to the zone directly.

For example:

# runtime changes: bind each client address to the zone ...
firewall-cmd --zone=special --add-source=192.0.2.123
firewall-cmd --zone=special --add-source=198.51.100.7
firewall-cmd --zone=special --add-source=203.0.113.81

# ... then open the one port those addresses may reach
firewall-cmd --zone=special --add-port=10050/tcp

# copy the running configuration into the permanent one so it survives a reload or restart
firewall-cmd --runtime-to-permanent
Michael Hampton
  • What does the last action `firewall-cmd --runtime-to-permanent` do? This is the second solution in the link. :) I eventually implemented it this way. I did try the first method though and I encountered an issue. Which is why I posted this question, but I was advised to use option 2. Which I did. :) I will accept your response though as the correct one. For it is the correct solution. – mcv Dec 07 '16 at 12:16
  • @mcv It saves the running configuration and makes it permanent... – Michael Hampton Dec 07 '16 at 16:13
  • So I placed `--permanent` inside each statement; is that also okay? If I restart the firewall, will this configuration load automatically? – mcv Dec 07 '16 at 16:39
  • Did you not see the [other comment](http://serverfault.com/questions/818996/how-to-remove-access-to-a-port-using-firewall-on-centos7#comment1042710_818996) I left on your other question? – Michael Hampton Dec 07 '16 at 16:51
  • Thanks, looking at it now. This is all new to me and the documents I have read do not discuss `--runtime-to-permanent`. – mcv Dec 07 '16 at 17:00
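Added example, not part of the answer above and not firewalld's own code: a POSIX sh script that applies the same recipe (bind several source addresses to a zone, open one port in it, persist the runtime state) with the two checks a practitioner would want. It validates every address before touching the firewall, and it creates the zone in the permanent configuration and reloads before the runtime commands, because `--new-zone` only works with `--permanent` and a zone that exists only there cannot be targeted by a runtime `--add-source`. The zone name `special`, the port `10050/tcp`, the `FW_CMD` override and the file name in the usage comment are hypothetical, chosen to match the question. One caveat: firewalld matches a packet's source against source-bound zones before the interface's zone, so a host listed here only reaches what `special` permits; anything it needs from `public` (ssh, for instance) must be added to `special` as well.

```shell
#!/bin/sh
# Added example (hypothetical script, not from the answer): allow a list of
# source addresses to reach one TCP port via a dedicated firewalld zone.
# Usage (file name assumed): ZONE=special PORT=10050/tcp sh allow_sources.sh 192.0.2.123 198.51.100.7
# Run as root. Set FW_CMD to a logging stub to preview the commands instead.

ZONE="${ZONE:-special}"
PORT="${PORT:-10050/tcp}"
FW_CMD="${FW_CMD:-firewall-cmd}"

# valid_ipv4 ADDR: accept a.b.c.d or a.b.c.d/NN, the forms --add-source takes
# for IPv4. Rejecting junk here keeps the zone half-configured state from
# happening when firewall-cmd would error out on the third address.
valid_ipv4() {
    case "$1" in
        *[!0-9./]*|"") return 1 ;;
    esac
    addr="${1%%/*}"
    mask="${1#*/}"
    [ "$mask" = "$1" ] && mask=32
    [ "$mask" -ge 0 ] 2>/dev/null && [ "$mask" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# ensure_zone ZONE: zones can only be created in the permanent configuration,
# so create it there and reload; the reload is what makes runtime
# --zone=ZONE commands accept the name. Skipped when the zone already exists.
ensure_zone() {
    zone="$1"
    if $FW_CMD --get-zones | tr ' ' '\n' | grep -qx "$zone"; then
        return 0
    fi
    $FW_CMD --permanent --new-zone="$zone" && $FW_CMD --reload
}

# allow_sources ZONE PORT ADDR...: bind each source to the zone, open the port
# in it, then copy the runtime state to the permanent configuration (the
# answer's --runtime-to-permanent). Re-running is safe: firewalld treats an
# --add of something already present as a warning, not an error.
allow_sources() {
    zone="$1"; port="$2"; shift 2
    [ $# -gt 0 ] || { echo "no source addresses given" >&2; return 2; }
    for a in "$@"; do
        valid_ipv4 "$a" || { echo "rejecting malformed source: $a" >&2; return 2; }
    done
    ensure_zone "$zone" || return 1
    for a in "$@"; do
        $FW_CMD --zone="$zone" --add-source="$a" || return 1
    done
    $FW_CMD --zone="$zone" --add-port="$port" || return 1
    $FW_CMD --runtime-to-permanent
}

# Only act when addresses are given on the command line, so the file can also
# be sourced for its functions.
if [ $# -gt 0 ]; then
    allow_sources "$ZONE" "$PORT" "$@"
fi
```

To preview what would run on a real host, point `FW_CMD` at a stub that echoes its arguments; the zone check then finds no zone and the full sequence is printed in order.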