From Fedora Project Wiki

Revision history (2 intermediate revisions by one other user not shown):

Created page with the Description and How to test sections below.

"missing priorities in commands": the firewall-cmd --direct commands originally omitted the priority argument that follows the chain name, e.g.

   firewall-cmd --direct --query-rule ipv4 filter IN_ZONE_public_allow -m tcp -p tcp --dport 666 -j ACCEPT; echo $?

was corrected to

   firewall-cmd --direct --query-rule ipv4 filter IN_ZONE_public_allow 0 -m tcp -p tcp --dport 666 -j ACCEPT; echo $?

The compared revisions also added "See also ''Direct Option'' in ''firewall-cmd(1)'' man page." to the Description and linked the Direct options section of the FirewallD page (http://fedoraproject.org/wiki/FirewallD#Direct_options).
Latest revision as of 14:04, 18 July 2014

Description

Firewalld has a so-called direct interface, which passes rules more directly to iptables/ip6tables/ebtables. This can be useful if a user doesn't want to use the concept of (pre-)defined services but wants to use iptables/ip6tables/ebtables directly. Firewalld still tracks what has been added through the direct interface, so it is possible to query firewalld for those rules. See also the Direct Options section of the firewall-cmd(1) man page.

How to test

Example:

Add a custom rule to the IN_ZONE_public_allow chain (the 0 after the chain name is the rule priority):

 firewall-cmd --direct --add-rule ipv4 filter IN_ZONE_public_allow 0 -m tcp -p tcp --dport 666 -j ACCEPT

Query whether that rule exists (the exit status is 0 if firewalld knows the rule):

 firewall-cmd --direct --query-rule ipv4 filter IN_ZONE_public_allow 0 -m tcp -p tcp --dport 666 -j ACCEPT; echo $?

expected result: 0

List the direct rules in the chain:

 firewall-cmd --direct --get-rules ipv4 filter IN_ZONE_public_allow

expected result: -m tcp -p tcp --dport 666 -j ACCEPT

Remove the rule:

 firewall-cmd --direct --remove-rule ipv4 filter IN_ZONE_public_allow 0 -m tcp -p tcp --dport 666 -j ACCEPT

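The four steps above (add, query, list, remove) combined into one script that checks each step's exit status and output instead of leaving the operator to read the `echo $?` result. This is an added example, not part of the wiki test case: the functions, the FIREWALL_CMD variable (which names the binary so a test can substitute a stub) and the run_lifecycle wrapper are this example's own; the rule, chain, table and priority are the page's. For real use it needs root and a running firewalld.

```shell
#!/usr/bin/env bash
# Added example (not from the wiki page): drive the page's direct-rule test
# case (add, query, list, remove) and check every step.
# Assumptions of this script: FIREWALL_CMD (not a firewall-cmd option) names
# the binary so a test can swap in a stub; the rule, chain and priority are
# the ones from the wiki. Needs root and a running firewalld when used for real.
set -u
: "${FIREWALL_CMD:=firewall-cmd}"

# The rule under test, exactly as written on the page.
IPV=ipv4
TABLE=filter
CHAIN=IN_ZONE_public_allow
PRIORITY=0      # direct rules take a priority right after the chain name
RULE_ARGS="-m tcp -p tcp --dport 666 -j ACCEPT"
# RULE_ARGS is deliberately left unquoted below so it word-splits into the
# individual iptables arguments that firewall-cmd expects.

# Direct rules added this way are runtime only; prepend --permanent to the
# firewall-cmd options to make them survive a reload.
add_rule() {
  "$FIREWALL_CMD" --direct --add-rule "$IPV" "$TABLE" "$CHAIN" "$PRIORITY" $RULE_ARGS
}

remove_rule() {
  "$FIREWALL_CMD" --direct --remove-rule "$IPV" "$TABLE" "$CHAIN" "$PRIORITY" $RULE_ARGS
}

# Exit status 0 means firewalld knows the rule, 1 means it does not
# (the page's "; echo $?" idiom turned into a predicate).
query_rule() {
  "$FIREWALL_CMD" --direct --query-rule "$IPV" "$TABLE" "$CHAIN" "$PRIORITY" $RULE_ARGS >/dev/null 2>&1
}

# rule_in_listing LISTING: true when one line of --get-rules output is our rule.
# The page shows the output without the priority; some firewalld versions print
# the priority first, so a leading number is stripped before the exact compare.
rule_in_listing() {
  printf '%s\n' "$1" | sed 's/^[0-9][0-9]* //' | grep -qxF -e "$RULE_ARGS"
}

rule_listed() {
  rule_in_listing "$("$FIREWALL_CMD" --direct --get-rules "$IPV" "$TABLE" "$CHAIN")"
}

# Full lifecycle; returns 0 only if every step behaved as the page expects.
run_lifecycle() {
  add_rule    || { echo "add-rule failed" >&2; return 1; }
  query_rule  || { echo "rule not known to firewalld after add" >&2; return 1; }
  rule_listed || { echo "rule missing from --get-rules output" >&2; return 1; }
  remove_rule || { echo "remove-rule failed" >&2; return 1; }
  if query_rule; then echo "rule still present after remove" >&2; return 1; fi
  echo "direct rule lifecycle OK"
}

# Usage: sudo ./direct-rule-test.sh --run
if [ "${1:-}" = "--run" ]; then
  run_lifecycle
fi
```

The listing check strips an optional leading priority before comparing, so it accepts both the output form shown on this page and the form with the priority in front; query_rule is what you would wire into a monitoring check to detect a direct rule that should (or should not) be present.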

For more examples see also the Direct options section of http://fedoraproject.org/wiki/FirewallD