On Thursday, 2023-04-27 at 14:15 +0200, Carlos E. R. wrote:

> On 2023-04-27 13:12, Per Jessen wrote:
>
>> Dave Howorth wrote:
>>
>> Yeah I admit it, it was a slightly poor example :-) Still, the key
>> message remains the same - excluding certain common examples, XML files
>> are not for human processing, accidentally or otherwise. When they are
>> made human-readable with newlines and indentation, it is for debugging
>> purposes.
>
> I'm right now editing the Isengard:/etc/firewalld/zones/external.xml, to
> reduce the number of rules, and it is right tedious. With commands it
> would be unthinkable.
>
> Looking at the official documentation:
>
> https://firewalld.org/documentation/zone/examples.html
>
> it is all XML, not commands, so they do intend people to edit them
> directly.
>
> By the way, looking at that site, I do not see a documentation section
> on "rules" :-?

https://firewalld.org/documentation/zone/options.html
https://firewalld.org/documentation/man-pages/firewalld.richlanguage

I got the modified file working with just one error :-)

Isengard:/etc/firewalld # firewall-cmd --reload
success

But:

Isengard:/etc/firewalld/zones # firewall-cmd --list-all
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 wlan0
  sources:
  services: ssh
  ports:
  protocols:
  forward: no
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Isengard:/etc/firewalld/zones #

it had actually failed. One has to do this:

Isengard:/etc/firewalld/zones # firewall-cmd --check-config
Error: INVALID_ZONE: 'external.xml': not a valid zone file: not well-formed (invalid token): line 59, column 18
Isengard:/etc/firewalld/zones # mcedit external.xml

It did not like this:

  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="ssh"/>
    <accept limit value="3/m" />
  </rule>

I had to change it to:

  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="ssh"/>
    <accept>
      <limit value="3/m"/>
    </accept>
  </rule>

Isengard:/etc/firewalld/zones # firewall-cmd --list-all
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 wlan0
  sources:
  services:
  ports: 12854/tcp 53792/tcp 12858/udp 47981/udp 38059/tcp 56517/udp 40399/tcp
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks: address-unreachable bad-header beyond-scope communication-prohibited destination-unreachable echo-reply failed-policy fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable reject-route required-option-missing source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option
  rich rules:
        rule family="ipv4" source address="192.168.0.0/16" service name="https" accept
        rule family="ipv4" source address="192.168.1.128/32" port port="2908" protocol="udp" accept
        rule family="ipv4" source address="192.168.1.57/32" accept
        rule family="ipv4" source address="192.168.1.54/32" accept
        rule family="ipv4" source address="192.168.1.5/32" protocol value="icmp" accept
        rule family="ipv4" source address="192.168.0.0/16" service name="http" accept
        rule family="ipv4" source address="192.168.0.0/16" service name="nfs" accept
        rule family="ipv4" source address="192.168.0.0/16" service name="dns" accept
        rule family="ipv4" source address="192.168.1.129/32" port port="9090" protocol="tcp" accept
        rule family="ipv4" source address="192.168.0.0/16" port port="8080" protocol="tcp" accept
        rule family="ipv4" source address="172.26.0.0/16" protocol value="udp" accept
        rule family="ipv4" source address="192.168.1.128/32" port port="1252" protocol="tcp" accept
        rule family="ipv4" source address="192.168.0.0/16" port port="5556" protocol="tcp" accept
        rule family="ipv4" source address="192.168.1.129/32" port port="4000" protocol="tcp" accept
        rule family="ipv4" source address="192.168.0.0/16" port port="137-139" protocol="udp" accept
        rule family="ipv4" source address="192.168.1.14/32" port port="8000" protocol="tcp" accept
        rule family="ipv4" source address="192.168.0.0/16" port port="514" protocol="udp" accept
        rule family="ipv4" source address="192.168.0.0/16" port port="22" protocol="tcp" accept
        rule family="ipv4" source address="192.168.1.7/32" protocol value="udp" accept
        rule family="ipv4" source address="192.168.1.14/32" protocol value="icmp" accept
        rule family="ipv4" source address="192.168.0.0/16" port port="873" protocol="tcp" accept
        rule family="ipv4" source address="192.168.1.55/32" accept
        rule family="ipv4" source address="192.168.1.128/32" port port="4754" protocol="udp" accept
        rule family="ipv4" source address="192.168.0.0/16" port port="4080" protocol="tcp" accept
        rule family="ipv4" source address="192.168.0.0/16" service name="ssh" accept limit value="3/m"
        rule family="ipv4" source address="192.168.1.129/32" port port="5000" protocol="tcp" accept
        rule family="ipv4" source address="192.168.1.14/32" port port="4001" protocol="tcp" accept
        rule family="ipv4" source address="192.168.1.14/32" port port="25" protocol="tcp" accept
        rule family="ipv4" source address="192.168.1.1/32" port port="53792" protocol="tcp" accept
        rule family="ipv4" source address="192.168.0.0/16" service name="mountd" accept
        rule family="ipv4" source address="192.168.0.0/16" port port="53" protocol="udp" accept
        rule family="ipv4" source address="192.168.0.0/16" port port="80" protocol="tcp" accept
        rule family="ipv4" source address="192.168.0.0/16" port port="5353" protocol="tcp" accept
        rule family="ipv4" source address="192.168.1.14/32" port port="4000" protocol="tcp" accept
        rule family="ipv4" source address="192.168.0.0/16" port port="137-139" protocol="tcp" accept
        rule family="ipv4" source address="192.168.1.1/32" protocol value="udp" accept
        rule family="ipv4" source address="192.168.1.129/32" port port="4001" protocol="tcp" accept
        rule family="ipv4" source address="192.168.0.0/16" port port="2049" protocol="tcp" accept
        rule family="ipv4" source address="192.168.1.14/32" port port="6666" protocol="udp" accept
        rule family="ipv4" source address="192.168.0.0/16" port port="5558" protocol="tcp" accept
        rule family="ipv4" source address="192.168.1.128/32" port port="4120" protocol="udp" accept
        rule family="ipv6" source address="fe80::/64" port port="5353" protocol="udp" accept
        rule family="ipv4" source address="192.168.0.0/16" port port="111" protocol="udp" accept
        rule family="ipv4" source address="192.168.0.0/16" port port="4243" protocol="tcp" accept
        rule family="ipv4" source address="192.168.1.14/32" port port="4242" protocol="tcp" accept
        rule family="ipv4" source address="192.168.0.0/16" port port="445" protocol="tcp" accept
        rule family="ipv4" source address="192.168.0.0/16" port port="162" protocol="udp" accept
        rule family="ipv4" source address="192.168.0.0/16" port port="4243" protocol="udp" accept
        rule family="ipv4" source address="192.168.0.0/16" service name="nfs3" accept
        rule family="ipv4" source address="192.168.0.0/16" service name="rpc-bind" accept
        rule family="ipv4" source address="192.168.1.7/32" port port="3553" protocol="udp" accept
        rule family="ipv4" source address="192.168.1.1/32" protocol value="icmp" accept
        rule family="ipv4" source address="192.168.1.7/32" port port="515" protocol="tcp" accept
        rule family="ipv4" source address="192.168.0.0/16" port port="53" protocol="tcp" accept
        rule family="ipv4" source address="192.168.1.14/32" port port="8081" protocol="tcp" accept
        rule family="ipv4" source address="192.168.1.14/32" port port="9090" protocol="tcp" accept
        rule family="ipv4" source address="192.168.1.56/32" accept
        rule family="ipv4" source address="192.168.0.0/16" port port="111" protocol="tcp" accept
        rule family="ipv6" source address="fc00::/64" port port="5353" protocol="udp" accept
        rule family="ipv4" source address="192.168.1.129/32" port port="8081" protocol="tcp" accept
        rule family="ipv4" source address="192.168.1.128/32" port port="1625" protocol="tcp" accept
        rule priority="10" source mac="CC:..." reject
Isengard:/etc/firewalld/zones #

I have not dared to write comments, though.

I want to change as many port numbers to services when I can. It is tiring.

I had to change the initial block:

  <service name="ssh"/>
  <service name="dns"/>
  <service name="http"/>
  <service name="https"/>
  <service name="mountd"/>
  <service name="nfs"/>
  <service name="nfs3"/>
  <service name="rpc-bind"/>
  <service name="ntp"/>

to rules instead, in order to accept them only for IPv4.

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>External</short>
  <description>For use on external networks. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <port port="12854" protocol="tcp"/>
  <port port="53792" protocol="tcp"/>
  <port port="12858" protocol="udp"/>
  <port port="47981" protocol="udp"/>
  <port port="38059" protocol="tcp"/>
  <port port="56517" protocol="udp"/>
  <port port="40399" protocol="tcp"/>

I don't understand what the next block is. Do I really need it?

  <icmp-block name="address-unreachable"/>
  <icmp-block name="bad-header"/>
  <icmp-block name="beyond-scope"/>
  <icmp-block name="communication-prohibited"/>
  <icmp-block name="destination-unreachable"/>
  <icmp-block name="echo-reply"/>
  <icmp-block name="failed-policy"/>
  <icmp-block name="fragmentation-needed"/>
  <icmp-block name="host-precedence-violation"/>
  <icmp-block name="host-prohibited"/>
  <icmp-block name="host-redirect"/>
  <icmp-block name="host-unknown"/>
  <icmp-block name="host-unreachable"/>
  <icmp-block name="ip-header-bad"/>
  <icmp-block name="network-prohibited"/>
  <icmp-block name="network-redirect"/>
  <icmp-block name="network-unknown"/>
  <icmp-block name="network-unreachable"/>
  <icmp-block name="no-route"/>
  <icmp-block name="packet-too-big"/>
  <icmp-block name="parameter-problem"/>
  <icmp-block name="port-unreachable"/>
  <icmp-block name="precedence-cutoff"/>
  <icmp-block name="protocol-unreachable"/>
  <icmp-block name="reject-route"/>
  <icmp-block name="required-option-missing"/>
  <icmp-block name="source-route-failed"/>
  <icmp-block name="time-exceeded"/>
  <icmp-block name="timestamp-reply"/>
  <icmp-block name="timestamp-request"/>
  <icmp-block name="tos-host-redirect"/>
  <icmp-block name="tos-host-unreachable"/>
  <icmp-block name="tos-network-redirect"/>
  <icmp-block name="tos-network-unreachable"/>
  <icmp-block name="ttl-zero-during-reassembly"/>
  <icmp-block name="ttl-zero-during-transit"/>
  <icmp-block name="unknown-header-type"/>
  <icmp-block name="unknown-option"/>
  <rule priority="10">
    <source mac="CC:..."/>
    <reject/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="ssh"/>
    <accept>
      <limit value="3/m"/>
    </accept>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="dns"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="http"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="https"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="mountd"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="nfs"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="nfs3"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="rpc-bind"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="172.26.0.0/16"/>
    <protocol value="udp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <port port="22" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <port port="53" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <port port="53" protocol="udp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <port port="80" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <port port="111" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <port port="111" protocol="udp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <port port="137-139" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <port port="137-139" protocol="udp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <port port="162" protocol="udp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <port port="445" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <port port="514" protocol="udp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <port port="873" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <port port="2049" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <port port="4080" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <port port="4243" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <port port="4243" protocol="udp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <port port="5353" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <port port="5556" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <port port="5558" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <port port="8080" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.128/32"/>
    <port port="2908" protocol="udp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.5/32"/>
    <protocol value="icmp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.7/32"/>
    <protocol value="udp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.54/32"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.55/32"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.57/32"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.1/32"/>
    <protocol value="udp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.1/32"/>
    <protocol value="icmp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.1/32"/>
    <port port="53792" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.7/32"/>
    <port port="515" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.7/32"/>
    <port port="3553" protocol="udp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.14/32"/>
    <protocol value="icmp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.14/32"/>
    <port port="25" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.14/32"/>
    <port port="4000" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.14/32"/>
    <port port="4001" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.14/32"/>
    <port port="4242" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.14/32"/>
    <port port="6666" protocol="udp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.14/32"/>
    <port port="8000" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.14/32"/>
    <port port="8081" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.14/32"/>
    <port port="9090" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.128/32"/>
    <port port="4120" protocol="udp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.128/32"/>
    <port port="1252" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.128/32"/>
    <port port="1625" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.129/32"/>
    <port port="4000" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.129/32"/>
    <port port="5000" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.129/32"/>
    <port port="9090" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.129/32"/>
    <port port="8081" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.128/32"/>
    <port port="4754" protocol="udp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.129/32"/>
    <port port="4001" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.56/32"/>
    <accept/>
  </rule>
  <rule family="ipv6">
    <source address="fe80::/64"/>
    <port port="5353" protocol="udp"/>
    <accept/>
  </rule>
  <rule family="ipv6">
    <source address="fc00::/64"/>
    <port port="5353" protocol="udp"/>
    <accept/>
  </rule>
  <interface name="eth0"/>
  <interface name="wlan0"/>
</zone>

And now I have a headache.

-- 
Cheers,
       Carlos E. R.
       (from openSUSE 15.4 x86_64 at Telcontar)
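Two things in the message above are worth checking without touching a live firewall: that a zone file is well-formed XML before `firewall-cmd --reload` silently falls back to the previous configuration (only `--check-config` reported the bad `<accept limit value="3/m"/>`), and which `<port>` rules duplicate a named service that could replace them. The script below is an added example, not code from the mailing list or from firewalld itself. It uses Python's standard `xml.etree.ElementTree` (the same expat parser behind firewalld's error message), two constructed zone excerpts modelled on the thread, and an assumed, deliberately small port-to-service table; firewalld's real service definitions live in the XML files under `/usr/lib/firewalld/services/`, which is where a production version of this would read them from.

```python
"""Offline sanity checks for a firewalld zone file (added example, not part of
the thread or of firewalld): well-formedness, a per-rule summary, and a list of
port rules that a named service already covers."""
import xml.etree.ElementTree as ET

# Constructed excerpt reproducing the rejected rich rule: in
# <accept limit value="3/m"/> the attribute "limit" has no value, so it is not
# well-formed XML and expat stops at that token.
BAD_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>External</short>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="ssh"/>
    <accept limit value="3/m" />
  </rule>
</zone>
"""

# Constructed excerpt with the corrected <accept><limit/></accept> form plus a
# couple of port rules that duplicate well-known services.
GOOD_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>External</short>
  <service name="ssh"/>
  <port port="12854" protocol="tcp"/>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="ssh"/>
    <accept>
      <limit value="3/m"/>
    </accept>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <port port="53" protocol="udp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <port port="873" protocol="tcp"/>
    <accept/>
  </rule>
  <interface name="eth0"/>
</zone>
"""

# Assumed subset of firewalld's service definitions, keyed by (port, protocol).
# The authoritative source is /usr/lib/firewalld/services/<name>.xml.
SERVICE_PORTS = {
    ("22", "tcp"): "ssh",
    ("53", "tcp"): "dns",
    ("53", "udp"): "dns",
    ("80", "tcp"): "http",
    ("443", "tcp"): "https",
    ("111", "tcp"): "rpc-bind",
    ("111", "udp"): "rpc-bind",
    ("873", "tcp"): "rsyncd",
    ("514", "udp"): "syslog",
}


def check_zone(xml_text):
    """Return None if the zone parses, else expat's message, which carries the
    same "not well-formed (...): line N, column M" text firewall-cmd shows."""
    try:
        ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return str(exc)
    return None


def summarize_zone(xml_text):
    """Collect zone-level services/ports/interfaces and one dict per rich rule."""
    root = ET.fromstring(xml_text)
    summary = {
        "services": [e.get("name") for e in root.findall("service")],
        "ports": [(e.get("port"), e.get("protocol")) for e in root.findall("port")],
        "icmp_blocks": len(root.findall("icmp-block")),
        "interfaces": [e.get("name") for e in root.findall("interface")],
        "rich_rules": [],
    }
    for rule in root.findall("rule"):
        src, port, svc = rule.find("source"), rule.find("port"), rule.find("service")
        # The action is whichever of accept/reject/drop is present; a rate
        # limit is a <limit/> child of that action element, never an attribute.
        action = next((a for a in ("accept", "reject", "drop") if rule.find(a) is not None), None)
        limit = rule.find(f"{action}/limit") if action else None
        summary["rich_rules"].append({
            "family": rule.get("family"),
            "source": (src.get("address") or src.get("mac")) if src is not None else None,
            "service": svc.get("name") if svc is not None else None,
            "port": (port.get("port"), port.get("protocol")) if port is not None else None,
            "action": action,
            "limit": limit.get("value") if limit is not None else None,
        })
    return summary


def port_rules_with_service_equivalent(summary, table=SERVICE_PORTS):
    """(port, protocol, service) for every zone-level port or rich-rule port
    that a named service in `table` already describes."""
    found = [(p, proto, table[(p, proto)]) for p, proto in summary["ports"] if (p, proto) in table]
    for r in summary["rich_rules"]:
        if r["port"] in table:
            found.append((r["port"][0], r["port"][1], table[r["port"]]))
    return found


if __name__ == "__main__":
    print("bad zone:", check_zone(BAD_ZONE))
    print("good zone:", check_zone(GOOD_ZONE))
    summary = summarize_zone(GOOD_ZONE)
    for r in summary["rich_rules"]:
        print(r)
    print("port rules a service could replace:", port_rules_with_service_equivalent(summary))
```

Run against the real file with `summarize_zone(open("/etc/firewalld/zones/external.xml").read())`; `check_zone` reproduces the line and column that `firewall-cmd --check-config` reports, and the `limit` field makes it easy to spot which rules actually carry the rate limit after the syntax fix.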