firewalld is one of the many layers to securing a Linux system. It’s easier to maintain than iptables, especially for users who may not be familiar with iptables as its syntax is much friendlier. It may not be as powerful as iptables, but when used as a firewall, it works incredibly well. If you are coming from Windows, you might know that the system firewall lets you restrict access to ports and services via IP address. The same can be done with firewalld.
Introducing firewalld rich rules
When you want to restrict access to a port or service with firewalld, you will use what is called a rich rule. Let’s look at an example rich rule:
firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.1.100/32 service name=ssh limit value=1/m accept'
This rule means that the source 192.168.1.100 is allowed to connect over SSH with a limit of 1 connection per minute.
Syntax of a rich rule:
rule [family="rule family"] [ source [NOT] [address="address"] [mac="mac-address"] [ipset="ipset"] ] [ destination [NOT] address="address" ] [ element ] [ log [prefix="prefix text"] [level="log level"] [limit value="rate/duration"] ] [ audit ] [ action ]
How to use rich rules
Rich rules have the following options available:
Each of these will allow you to add, query, remove, and list, respectively.
As with all firewalls, rich rules are processed in a top down manner. This means that if a rich rule denies SSH access and is added first, it will take priority over a rich rule that allows SSH access lower down the list. The first matching rule always wins.
There is also an assumed deny all rule. If no rules are created, all traffic is denied.