Security / Server Setup

FirewallD and trusted IP addresses

by ,


FirewallD has a very nice concept of zones and it has some predefined ones.

When you need to whitelist a particular IP and label it as “trusted” on the system, then the trusted FirewallD is the thing you will play with.

Another modern thing is ipsets, which FirewallD supports well. The ipsets are useful to efficiently store and lookup many IP addresses.

So combining all the features together, we can whitelist many IP addresses in a clean and efficient way:

First, create 2 ipsets: one for IPv4 and the other for IPv6:

firewall-cmd --permanent --new-ipset=whitelist4 --type=hash:net --option=maxelem=256 --option=family=inet --option=hashsize=4096
firewall-cmd --permanent --new-ipset=whitelist6 --type=hash:net --option=maxelem=256 --option=family=inet6 --option=hashsize=4096

Next, tell FirewallD that clients from those IP addresses belong to trusted zone:

firewall-cmd --permanent --zone=trusted --add-source=ipset:whitelist4
firewall-cmd --permanent --zone=trusted --add-source=ipset:whitelist6

Whitelist an IP, and apply your changes:

firewall-cmd --ipset=whitelist4 --add-entry=1.2.3.4 --permanent
firewall-cmd --reload

Also published on Medium.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.