4

I want to create a rule using firewalld that uses criteria username or userID and maybe one other module criteria.

In iptables, I think you can do things like

iptables -A OUTPUT -m owner --uid-owner <UID> -j ACCEPT

(and you can add other -m modules or -p protocols to the same command)

But I read the firewall-cmd manpage and I cannot find how to make the same kind of rule. Even "rich rules" don't seem to have this support. Do I have to use the "direct" feature? I can't quite understand its syntax. Especially it worries me that these return nothing!

firewall-cmd --direct --get-chains ipv4 filter
firewall-cmd --direct --get-rules ipv4 filter OUTPUT
firewall-cmd --direct --get-rules ipv4 filter INPUT

Of course iptables -L shows I have those tables, chains and rules in them.

So how do I add a permanent rule with owner and maybe one more criteria using firewalld?

user109322

1 Answer

6

You don't need to add or even have custom direct chains (though you can if you want to get really complicated). Just add to your existing chains directly.

After IP version, table, chain and priority, you simply specify the relevant iptables options:

firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 \
        -m owner --uid-owner $UID -j ACCEPT

Underneath, at iptables, this will actually be added to a firewalld-managed chain named OUTPUT_direct, which is called from the OUTPUT chain.

Michael Hampton
  • I don't want to add special chains or tables. Note that the commands I listed are just trying to query the default tables and chains but they don't show *anything at all*. Why doesn't it list, e.g. the INPUT chain for the filter table? I'm concerned adding to tables and chains that it thinks don't exist will screw things up!! – user109322 Jul 22 '15 at 23:29
  • 1
    Those are default chains and are never listed by those commands if they're empty. I know the above will work because I pulled it off one of my production systems. :) – Michael Hampton Jul 22 '15 at 23:30
  • REALLY? That's nuts! :) So if I add a rule like this to a default chain, I won't be able to query it back? Does that mean I won't be able to delete it? Frankly, this incomplete and screwy layer on top of iptables seems misleading and just as complicated as learning iptables in the first place. I will try your suggestion shortly. Thank you very much. – user109322 Jul 22 '15 at 23:34
  • 2
    Yes it's screwy. Firewalld still needs some work. But it's mostly usable. For the most part, if I have to add direct rules, I edit the XML directly. But you should see rules with `--get-rules` after you add them. – Michael Hampton Jul 22 '15 at 23:35
  • Oh that's a good tip. XML sounds like a less frustrating experience. – user109322 Jul 22 '15 at 23:37
  • There's no documentation what the priority argument is. Is that same as the rule number in iptables (optional to iptables, apparently required by firewalld)? – user109322 Jul 22 '15 at 23:56
  • No, it's a priority, and it is documented in the firewalld.direct man page. – Michael Hampton Jul 22 '15 at 23:58
  • Your suggestion worked and the rule is listed when using `--get-rules` but how in the world do you delete?!? `firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 0` Simply returns with command usage info as if the args are wrong. What does it want, the whole rule again? – user109322 Jul 23 '15 at 00:09
  • You write the entire rule again. – Michael Hampton Jul 23 '15 at 00:16
  • Yep, the whole exact rule must be repeated in order to delete. For example `firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 0 -m owner --uid-owner $UID -j ACCEPT` – user109322 Jul 23 '15 at 00:17
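The thread above establishes three things a practitioner needs: the argument order for `--direct --add-rule` (IP version, table, chain, priority, then the iptables options), that the exact same argument string must be repeated to remove the rule, and that the rule should show up in `--get-rules` afterwards. The script below is an added example, not code from the question or the answer. It keeps the rule string in one function so add, remove and verify can never drift apart, lets you append one more match criterion as the question asked (e.g. `-p tcp --dport 443`), and can be dry-run by setting `FIREWALL_CMD=echo`. The `rule_listed` helper parses a constructed `--get-rules` listing and assumes one rule per line, either as `<priority> <args>` or just `<args>`; on a live system `firewall-cmd --direct --query-rule ipv4 filter OUTPUT 0 <args>` is the authoritative check. Note that the iptables `owner` match only applies to locally generated packets, so it is only valid in the OUTPUT (and POSTROUTING) chains.

```shell
#!/bin/sh
# Added example: manage a firewalld direct rule that matches on the owner UID.
# Argument order follows the answer: ipv table chain priority <iptables args>.
# Set FIREWALL_CMD=echo to see the commands without touching the firewall.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# owner_rule_args UID PRIORITY TARGET [extra iptables match args...]
# Prints the full direct-rule argument list. The chain is fixed to OUTPUT
# because the owner match only works on locally generated packets.
owner_rule_args() {
    [ "$#" -ge 3 ] || { echo "usage: owner_rule_args UID PRIORITY TARGET [match args...]" >&2; return 1; }
    uid="$1"; prio="$2"; target="$3"; shift 3
    case "$uid" in
        ''|*[!0-9]*) echo "owner_rule_args: UID must be numeric, got '$uid'" >&2; return 1 ;;
    esac
    case "$prio" in
        ''|*[!0-9]*) echo "owner_rule_args: priority must be numeric, got '$prio'" >&2; return 1 ;;
    esac
    extra="$*"
    printf 'ipv4 filter OUTPUT %s -m owner --uid-owner %s%s -j %s\n' \
        "$prio" "$uid" "${extra:+ $extra}" "$target"
}

# Add the rule to the permanent configuration and to the running one.
# (Alternatively add only --permanent and then run 'firewall-cmd --reload'.)
add_owner_rule() {
    args=$(owner_rule_args "$@") || return 1
    # shellcheck disable=SC2086  # word splitting of $args is intended
    $FIREWALL_CMD --permanent --direct --add-rule $args &&
    $FIREWALL_CMD --direct --add-rule $args
}

# Remove the rule: firewalld wants the whole rule repeated verbatim, which is
# exactly why the argument string is generated from one place.
remove_owner_rule() {
    args=$(owner_rule_args "$@") || return 1
    # shellcheck disable=SC2086
    $FIREWALL_CMD --permanent --direct --remove-rule $args &&
    $FIREWALL_CMD --direct --remove-rule $args
}

# rule_listed LISTING [iptables args...]
# Returns 0 if the iptables args appear as one rule in LISTING, the text of
# 'firewall-cmd --direct --get-rules ipv4 filter OUTPUT'. Assumption: each
# line is either "<priority> <args>" or just "<args>".
rule_listed() {
    listing="$1"; shift
    wanted="$*"
    printf '%s\n' "$listing" | {
        while IFS= read -r line; do
            [ "$line" = "$wanted" ] && exit 0
            [ "${line#* }" = "$wanted" ] && exit 0
        done
        exit 1
    }
}

# Constructed sample of a --get-rules listing, used for an offline check.
SAMPLE_LISTING='0 -m owner --uid-owner 1000 -j ACCEPT
10 -p tcp --dport 22 -j ACCEPT'

# Usage (dry-run): FIREWALL_CMD=echo sh this_script.sh
if [ "${FIREWALL_CMD}" = "echo" ]; then
    add_owner_rule 1000 0 ACCEPT
    add_owner_rule 1000 0 ACCEPT -p tcp --dport 443
    remove_owner_rule 1000 0 ACCEPT
    rule_listed "$SAMPLE_LISTING" -m owner --uid-owner 1000 -j ACCEPT && echo "sample rule is listed"
fi
```

Running the dry-run prints the exact `--add-rule` / `--remove-rule` invocations, which is also a convenient way to record the rule strings you will need later to delete them.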