
Firewalld Rich Rule

To add a so-called rich rule to firewalld I did the following.

Check the existing rules after a recent upgrade to Fedora 22. 55555/tcp was a custom app, not a Fedora default.

# firewall-cmd --get-default-zone
FedoraServer

# firewall-cmd --zone=FedoraServer --list-all
FedoraServer (default)
  interfaces:
  sources:
  services: cockpit dhcpv6-client http smtp ssh
  ports: 55555/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

Let's remove some rules.

# firewall-cmd --permanent --zone=FedoraServer --remove-port=55555/tcp
success
# firewall-cmd --permanent --zone=FedoraServer --remove-service=cockpit
success
# firewall-cmd --permanent --zone=FedoraServer --remove-service=dhcpv6-client
success

Add the custom rule, non-permanent (runtime only).
** Note: x.x.x.x is a placeholder for a real public IP. Most likely you won't need a public IP but a non-routable Class C or B address on your internal network.

# firewall-cmd --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="x.x.x.x/32" port protocol="tcp" port="55555" accept'
success

Or, if you need it added permanently, remember to use --permanent (a runtime-only rule is discarded when firewalld is restarted or reloaded).

Restart the firewall.

# systemctl restart firewalld.service
# firewall-cmd --zone=FedoraServer --list-all
FedoraServer (default)
  interfaces:
  sources:
  services: http smtp ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="x.x.x.x/32" port port="55555" protocol="tcp" accept
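As an added example (not part of the original post), a small POSIX shell script that builds the same kind of rich rule from validated inputs, adds it with --permanent, reloads, and confirms it with --query-rich-rule. The zone name FedoraServer is taken from the post; the address 192.0.2.10 is an assumed documentation address standing in for x.x.x.x.

```shell
#!/bin/sh
# Added example (not from the original post): build a firewalld rich rule that
# lets one IPv4 source reach one TCP/UDP port, validate the inputs first, and
# apply it permanently. The rule text is passed in single quotes so the inner
# double quotes reach firewalld intact.

# valid_ipv4_cidr ADDR[/PREFIX]: dotted quad with octets 0-255, optional /0-32.
valid_ipv4_cidr() {
    addr="${1%%/*}" prefix="${1#*/}"
    [ "$prefix" = "$1" ] && prefix=32        # no "/" given: treat as a single host
    printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# build_rich_rule SOURCE PROTO PORT: print the rule text, or fail on bad input
# instead of handing a malformed rule to firewalld.
build_rich_rule() {
    src="$1" proto="$2" port="$3"
    valid_ipv4_cidr "$src" || { echo "bad ipv4 source: $src" >&2; return 1; }
    case "$proto" in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port: $port" >&2; return 1
    fi
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="%s" accept\n' \
        "$src" "$port" "$proto"
}

# apply_rich_rule ZONE RULE: add the rule to the permanent config (skipping it if
# already present), reload so it is active at runtime, then confirm it is live.
apply_rich_rule() {
    zone="$1" rule="$2"
    if firewall-cmd --permanent --zone="$zone" --query-rich-rule="$rule" >/dev/null 2>&1; then
        echo "already present in permanent config: $rule"
    else
        firewall-cmd --permanent --zone="$zone" --add-rich-rule="$rule" || return 1
    fi
    firewall-cmd --reload >/dev/null || return 1
    firewall-cmd --zone="$zone" --query-rich-rule="$rule"
}

# Example call (192.0.2.10 is an assumed documentation address standing in for x.x.x.x):
# rule=$(build_rich_rule 192.0.2.10/32 tcp 55555) && apply_rich_rule FedoraServer "$rule"
```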
Published in: Firewall, FirewallD