Latest revision as of 14:04, 18 July 2014
Description
Firewalld has a so-called direct interface, which allows rules to be passed more directly to iptables/ip6tables/ebtables. This can be useful if a user doesn't want to use the concept of (pre-)defined services, but wants to use iptables/ip6tables/ebtables directly. Firewalld still tracks what has been added through the direct interface, so those rules can be queried via firewalld.
How to test
Example:
Add a custom rule to the IN_ZONE_public_allow chain
firewall-cmd --direct --add-rule ipv4 filter IN_ZONE_public_allow 0 -m tcp -p tcp --dport 666 -j ACCEPT
Query whether that rule exists
firewall-cmd --direct --query-rule ipv4 filter IN_ZONE_public_allow 0 -m tcp -p tcp --dport 666 -j ACCEPT; echo $?
expected result: 0
List the rules in the chain
firewall-cmd --direct --get-rules ipv4 filter IN_ZONE_public_allow
expected result: -m tcp -p tcp --dport 666 -j ACCEPT
Remove the rule
firewall-cmd --direct --remove-rule ipv4 filter IN_ZONE_public_allow 0 -m tcp -p tcp --dport 666 -j ACCEPT
For more examples, see also http://fedoraproject.org/wiki/FirewallD
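The four steps above can be driven as one scripted round-trip that stops on the first step whose result differs from the expected one. This is an added example, not part of the Fedora test-case page: the chain, priority and rule are the page's own, while the function names (rule_listed, run_direct_rule_test) and the sample listings are constructed here. The check on the --get-rules output accepts both the form the page shows and a listing whose lines are prefixed with the rule priority, and it rejects a rule that merely contains the expected text as a substring.

```shell
#!/bin/sh
# Added example: scripted version of the firewalld direct-interface test case.
# Values below are the ones used on the page.
CHAIN=IN_ZONE_public_allow
PRIORITY=0
RULE='-m tcp -p tcp --dport 666 -j ACCEPT'

# rule_listed LISTING RULE
# Succeeds if RULE is one of the lines of LISTING (the text printed by
# `firewall-cmd --direct --get-rules ipv4 filter CHAIN`). A leading
# "<priority> " on a line is stripped so both listing styles match; -x forces
# a whole-line match, so "--dport 6660" does not pass for "--dport 666".
rule_listed() {
    printf '%s\n' "$1" | sed -E 's/^[0-9]+ //' | grep -Fxq -- "$2"
}

# run_direct_rule_test: add, query, list, remove, then confirm the rule is
# really gone. Returns 0 on success, 1 on a failed step, 2 if firewall-cmd
# is not installed (so the offline checks below can still run anywhere).
run_direct_rule_test() {
    command -v firewall-cmd >/dev/null 2>&1 || {
        echo "firewall-cmd not found; skipping live test" >&2
        return 2
    }
    # $RULE is deliberately unquoted: each option must be a separate argument.
    firewall-cmd --direct --add-rule ipv4 filter "$CHAIN" "$PRIORITY" $RULE || return 1

    # Expected: exit status 0 (prints "yes").
    firewall-cmd --direct --query-rule ipv4 filter "$CHAIN" "$PRIORITY" $RULE || {
        echo "query-rule: rule not found after add" >&2
        return 1
    }

    listing=$(firewall-cmd --direct --get-rules ipv4 filter "$CHAIN") || return 1
    rule_listed "$listing" "$RULE" || {
        echo "get-rules: rule missing from listing:" >&2
        printf '%s\n' "$listing" >&2
        return 1
    }

    firewall-cmd --direct --remove-rule ipv4 filter "$CHAIN" "$PRIORITY" $RULE || return 1

    # After removal the query must fail (non-zero, prints "no"); if it still
    # succeeds, the cleanup left a rule behind and the test must not pass.
    if firewall-cmd --direct --query-rule ipv4 filter "$CHAIN" "$PRIORITY" $RULE; then
        echo "query-rule: rule still present after remove" >&2
        return 1
    fi
    echo "direct rule round-trip OK"
}

# Run the live test only when asked to, e.g.: sh direct_rule_test.sh run
if [ "${1:-}" = run ]; then
    run_direct_rule_test
fi
```

The live part needs root (or polkit authorisation) because firewall-cmd talks to the firewalld daemon; the listing check is pure text processing and can be exercised on its own with a captured --get-rules output.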