yumupgrades for production use, this is the repository for you.
Active subscription is required.
FirewallD has a very nice concept of zones and it has some predefined ones.
When you need to whitelist a particular IP and label it as “trusted” on the system, then the trusted FirewallD is the thing you will play with.
Another modern thing is ipsets, which FirewallD supports well. The ipsets are useful to efficiently store and lookup many IP addresses.
So combining all the features together, we can whitelist many IP addresses in a clean and efficient way:
First, create 2 ipsets: one for IPv4 and the other for IPv6:
firewall-cmd --permanent --new-ipset=whitelist4 --type=hash:net --option=maxelem=256 --option=family=inet --option=hashsize=4096 firewall-cmd --permanent --new-ipset=whitelist6 --type=hash:net --option=maxelem=256 --option=family=inet6 --option=hashsize=4096
Next, tell FirewallD that clients from those IP addresses belong to trusted zone:
firewall-cmd --permanent --zone=trusted --add-source=ipset:whitelist4 firewall-cmd --permanent --zone=trusted --add-source=ipset:whitelist6
Whitelist an IP, and apply your changes:
firewall-cmd --ipset=whitelist4 --add-entry=184.108.40.206 --permanent firewall-cmd --reload
Priority of trusted vs drop zones
Suppose that you are in a situation where you want to block an entire network, but whitelist a single IP address from it.
This may happen in a situation, e.g. when a server administrator works with an E-Commerce website that has malicious visitors from his own country.
In this case, you have two source zones: one for whitelisting and the other for the block.
It is important to understand that FirewallD matches zones in alphabetical order.
So if you put the admin’s whitelisted IP to the
trusted zone, and place admin’s Internet provider network to the
block zone – the admin will still be unable to access.
Because FirewallD will first match the
block zone when he connects, simply because both
block comes before
So you may want to create an additional trusted zone that follows the same behavior: accept connections from it.
firewall-cmd --permanent --new-zone=000-trusted firewall-cmd --set-target=ACCEPT --zone=000-trusted --permanent firewall-cmd --reload firewall-cmd --zone=000-trusted --list-all
Now you can add IP addresses/sets to this zone and their connections will be accepted *even if they fall within networks blocked in the
E.g. let’s say you want to network block Amazon’s network range
firewall-cmd --permanent --ipset=networkblock --add-entry=220.127.116.11/11
But you still want individual IP addresses allowed, e.g. Nextopia search (listing of
18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199
As you can see, quite a bunch of those IP addresses is from the blocked network. So we can create an IP set, and add it as a source to the
# Creating "nextopia" IP set: firewall-cmd --permanent --new-ipset=nextopia --type=hash:ip --option=maxelem=100 --option=family=inet --option=hashsize=4096 # Populating the IP set with addresses: firewall-cmd --permanent --ipset=nextopia --add-entries-from-file=/tmp/nextopia.txt # Adding the IP set to 000-trusted zone firewall-cmd --permanent --zone=000-trusted --add-source=ipset:nextopia # Applying configuration at runtime: firewall-cmd --reload
Making use of both
trusted zones around at the same time is a valid use case: e.g. imagine you also trust an entire network but want to block selected IP from it.
In that case, you will use
P.S. you can also create
000-trusted using XML configuration files:
cp /usr/lib/firewalld/zones/trusted.xml /etc/firewalld/zones/000-trusted.xml
Then ensure contents like this:
<?xml version="1.0" encoding="utf-8"?> <zone target="ACCEPT"> <short>Trusted Priority</short> <description>All network connections are accepted, priority over block zone.</description> </zone>
Apply addition of the new zone with: