yum upgrades for production use, this is the repository for you.
Active subscription is required.
FirewallD has a very nice concept of zones and it has some predefined ones.
When you need to whitelist a particular IP and label it as “trusted” on the system, the trusted FirewallD zone is the one you will work with.
Another modern feature is ipsets, which FirewallD supports well. IP sets store and look up many IP addresses efficiently.
So combining all the features together, we can whitelist many IP addresses in a clean and efficient way:
First, create 2 ipsets: one for IPv4 and the other for IPv6:
firewall-cmd --permanent --new-ipset=whitelist4 --type=hash:net --option=maxelem=256 --option=family=inet --option=hashsize=4096
firewall-cmd --permanent --new-ipset=whitelist6 --type=hash:net --option=maxelem=256 --option=family=inet6 --option=hashsize=4096
Next, tell FirewallD that clients from those IP sets belong to the trusted zone:
firewall-cmd --permanent --zone=trusted --add-source=ipset:whitelist4
firewall-cmd --permanent --zone=trusted --add-source=ipset:whitelist6
Whitelist an IP, and apply your changes:
firewall-cmd --ipset=whitelist4 --add-entry=22.214.171.124 --permanent
firewall-cmd --reload
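To feed a whole list of addresses into the two IP sets above, here is an added example script (not from the original article). It validates every entry, routes IPv4 entries to whitelist4 and IPv6 entries to whitelist6, refuses the whole batch if any entry is malformed so the permanent configuration is never half-updated, and only then reloads. The FIREWALL_CMD override, the --apply flag and the sample entries are assumptions of this example; the IP set names come from the commands above.

```shell
#!/bin/sh
# Added example: feed a list of addresses/networks into the whitelist4 and
# whitelist6 IP sets created above. Assumes both IP sets exist and are sources
# of the trusted zone. FIREWALL_CMD is an assumed override for dry runs.
FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}

# is_ipv4 ADDR[/PREFIX]: four octets 0-255, optional prefix 0-32.
is_ipv4() {
    full=$1
    addr=${full%%/*}
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    rest=${full#"$addr"}
    [ -n "$rest" ] || return 0
    prefix=${rest#/}
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ]
}

# is_ipv6 ADDR[/PREFIX]: hex groups of up to 4 digits, at most one '::',
# exactly 8 groups when uncompressed, optional prefix 0-128.
# Embedded IPv4 notation (::ffff:192.0.2.1) is deliberately not accepted.
is_ipv6() {
    full=$1
    addr=${full%%/*}
    case "$addr" in
        ''|*[!0-9A-Fa-f:]*|*:::*|:[!:]*|*[!:]:) return 1 ;;
        *::*::*) return 1 ;;
        *:*) ;;
        *) return 1 ;;
    esac
    colons=0; t=$addr
    while [ "$t" != "${t#*:}" ]; do t=${t#*:}; colons=$((colons + 1)); done
    case "$addr" in
        *::*) [ "$colons" -le 7 ] || return 1 ;;
        *)    [ "$colons" -eq 7 ] || return 1 ;;
    esac
    old_ifs=$IFS; IFS=:; set -- $addr; IFS=$old_ifs
    for group in "$@"; do
        [ ${#group} -le 4 ] || return 1
    done
    rest=${full#"$addr"}
    [ -n "$rest" ] || return 0
    prefix=${rest#/}
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 128 ]
}

# whitelist_set_for ENTRY: prints the IP set ENTRY belongs in, or fails.
whitelist_set_for() {
    if is_ipv4 "$1"; then echo whitelist4
    elif is_ipv6 "$1"; then echo whitelist6
    else return 1
    fi
}

# whitelist_add: reads entries from stdin (one per line; blank lines and
# '#' comments ignored). All entries are validated before anything is
# changed; on success each is added permanently and the firewall reloaded.
whitelist_add() {
    queue=''; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "${line%%#*}" | tr -d ' \t')
        [ -n "$entry" ] || continue
        if set_name=$(whitelist_set_for "$entry"); then
            queue="$queue$set_name $entry
"
        else
            echo "rejected entry: $entry" >&2; bad=1
        fi
    done
    [ "$bad" -eq 0 ] || return 1
    printf '%s' "$queue" | while read -r set_name entry; do
        "$FIREWALL_CMD" --permanent --ipset="$set_name" --add-entry="$entry" || exit 1
    done || return 1
    "$FIREWALL_CMD" --reload
}

# Usage: sh whitelist.sh --apply < entries.txt
#        FIREWALL_CMD=echo sh whitelist.sh --apply < entries.txt   (dry run)
if [ "${1:-}" = "--apply" ]; then whitelist_add; fi
```

Running with FIREWALL_CMD=echo prints the firewall-cmd arguments instead of executing them, which is a convenient way to review a batch before it touches the permanent configuration.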
Priority of trusted vs drop zones
Suppose that you are in a situation where you want to block an entire network, but whitelist a single IP address from it.
This may happen, e.g., when a server administrator works with an e-commerce website that has malicious visitors from his own country.
In this case, you have two source zones: one for whitelisting and the other for the block.
It is important to understand that FirewallD matches zones in alphabetical order.
So if you put the admin’s whitelisted IP into the trusted zone and place the admin’s Internet provider network into the block zone, the admin will still be unable to access the server, because FirewallD will match the block zone first when he connects, simply because block comes before trusted alphabetically.
So you may want to create an additional trusted zone, named so that it sorts before block, that follows the same behavior: accept connections from it.
firewall-cmd --permanent --new-zone=000-trusted
firewall-cmd --set-target=ACCEPT --zone=000-trusted --permanent
firewall-cmd --reload
firewall-cmd --zone=000-trusted --list-all
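The alphabetical matching described above is easy to get wrong when several source zones overlap, so here is an added example (not part of the original article) that models it: given a client address and a set of zone=source lists, it tries the zones in byte-wise name order and reports the first one whose sources contain the client. It handles IPv4 sources only and never talks to firewalld; the zone names and sample networks are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: a model of the zone ordering described above (sources matched
# zone by zone in name order) so you can predict which zone a client lands in.
# It only models IPv4 sources and does not talk to firewalld.

# ip2int DOTTED: prints the IPv4 address as a 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net ADDR NET[/PREFIX]: succeeds if ADDR lies in NET/PREFIX (no prefix = /32).
in_net() {
    net=${2%%/*}
    prefix=${2#"$net"}; prefix=${prefix#/}; prefix=${prefix:-32}
    if [ "$prefix" -eq 0 ]; then
        mask=0
    else
        # 4294967295 is 0xFFFFFFFF; shell arithmetic is at least 64-bit here
        mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    fi
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# matching_zone CLIENT ZONE=SOURCE[,SOURCE...] ...
# Zones are tried in byte-wise name order (LC_ALL=C sort), which is the
# alphabetical order the article describes; prints the first zone whose
# sources contain CLIENT, or "default" when no source zone matches.
matching_zone() {
    client=$1; shift
    for spec in $(printf '%s\n' "$@" | LC_ALL=C sort); do
        zone=${spec%%=*}
        for src in $(printf '%s' "${spec#*=}" | tr ',' ' '); do
            if in_net "$client" "$src"; then
                echo "$zone"
                return 0
            fi
        done
    done
    echo default
}

# Usage: sh zone-order.sh CLIENT ZONE=SOURCE[,SOURCE...] ...
# e.g.:  sh zone-order.sh 203.0.113.7 block=203.0.113.0/24 trusted=203.0.113.7
if [ $# -ge 2 ]; then
    matching_zone "$@"
fi
```

With block=203.0.113.0/24 and trusted=203.0.113.7 the model answers "block" for 203.0.113.7; adding 000-trusted=203.0.113.7 makes it answer "000-trusted", which is exactly why the zone is named that way.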
Now you can add IP addresses/sets to this zone and their connections will be accepted *even if they fall within networks blocked in the block zone*.
E.g. let’s say you want to block Amazon’s network range:
firewall-cmd --permanent --ipset=networkblock --add-entry=126.96.36.199/11
But you still want individual IP addresses allowed, e.g. Nextopia search, whose listing of IP addresses is:
188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11
As you can see, quite a few of those IP addresses are from the blocked network. So we can create an IP set and add it as a source to the 000-trusted zone:
# Creating "nextopia" IP set:
firewall-cmd --permanent --new-ipset=nextopia --type=hash:ip --option=maxelem=100 --option=family=inet --option=hashsize=4096
# Populating the IP set with addresses:
firewall-cmd --permanent --ipset=nextopia --add-entries-from-file=/tmp/nextopia.txt
# Adding the IP set to 000-trusted zone
firewall-cmd --permanent --zone=000-trusted --add-source=ipset:nextopia
# Applying configuration at runtime:
firewall-cmd --reload
Making use of both trusted zones at the same time is a valid use case: e.g. imagine you also trust an entire network but want to block a selected IP from it.
In that case, you will use
P.S. you can also create 000-trusted using XML configuration files:
cp /usr/lib/firewalld/zones/trusted.xml /etc/firewalld/zones/000-trusted.xml
Then ensure the file contents look like this:
<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Trusted Priority</short>
  <description>All network connections are accepted, priority over block zone.</description>
</zone>
Apply the addition of the new zone with firewall-cmd --reload.
Managing IP sets
It is a good practice to maintain an IP set if it is subject to change.
Simply editing a text file isn’t the right thing to do here.
It is best to have each IP set available via packages. This makes whitelisting and updates consistent.
We have some IP sets available via the RPM repository.
Example. Whitelisting Braintree payment gateway
sudo yum -y install firewalld-ipset-braintree
Now, FirewallD knows about the new IP set named braintree. It will appear in the list of known IP sets provided by the firewall-cmd --get-ipsets output.
All we have to do is add it to the whitelist zone as desired.
# Adding the IP set to 000-trusted zone
firewall-cmd --permanent --zone=000-trusted --add-source=ipset:braintree
# Applying configuration at runtime:
firewall-cmd --reload
Ensure that the package is automatically updated in order to always whitelist the gateway’s IPs and networks.