LinuxQuestions.org > Linux - Security > firewalld change via XML file
(https://www.linuxquestions.org/questions/linux-security-4/firewalld-change-via-xml-file-4175660866/)

dc.901 09-13-2019 01:34 PM

firewalld change via XML file
 
Hello!
I have CentOS 7.6
The machine has two NICs; one NIC is assigned to the public zone and the second to the trusted zone.
What I am trying to do is:
Code:

# firewall-cmd --permanent --zone=trusted --add-source=192.168.1.10
This works.

However, I am trying to figure out how to do this via an XML file; the zone config XML files are under /etc/firewalld/zones, and there is a trusted.xml:

Code:

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Trusted</short>
  <description>All network connections are accepted.</description>
  <interface name="ens224"/>
  <sources ip="192.168.1.10"/>
</zone>

With above in XML, I restarted firewalld service. However, output shows:

Code:

# firewall-cmd --zone=trusted --list-all
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: ens224
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Trying to figure out what I am missing.

Firerat 09-13-2019 01:50 PM

Are you sure the XML is correct?


I grabbed a random manpage
https://www.systutorials.com/docs/li...irewalld.zone/
This is the structure of a zone configuration file:
Code:

    <?xml version="1.0" encoding="utf-8"?>
    <zone [version="versionstring"] [target="ACCEPT|%%REJECT%%|DROP"]>
      [ <short>short description</short> ]
      [ <description>description</description> ]
      [ <interface name="string"/> ]
      [ <source address="address[/mask]"|mac="MAC"|ipset="ipset"/> ]
      [ <service name="string"/> ]
      [ <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> ]
      [ <protocol value="protocol"/> ]
      [ <icmp-block name="string"/> ]
      [ <icmp-block-inversion/> ]
      [ <masquerade/> ]
      [ <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="ipv4address"]/> ]
      [ <source-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> ]
      [
        <rule [family="ipv4|ipv6"]>
        [ <source address="address[/mask]"|mac="MAC"|ipset="ipset" [invert="True"]/> ]
        [ <destination address="address[/mask]" [invert="True"]/> ]
        [
          <service name="string"/> |
          <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> |
          <protocol value="protocol"/> |
          <icmp-block name="icmptype"/> |
          <icmp-type name="icmptype"/> |
          <masquerade/> |
          <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="address"]/>
        ]
        [ <log [prefix="prefixtext"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> ]
        [ <audit> [<limit value="rate/duration"/>] </audit> ]
        [
          <accept> [<limit value="rate/duration"/>] </accept> |
          <reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
          <drop> [<limit value="rate/duration"/>] </drop> |
          <mark set="mark[/mask]"> [<limit value="rate/duration"/>] </mark>
        ]
        </rule>
      ]
    </zone>

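A small lint for zone files, added here as an example (not code from the thread or from firewalld): it checks a zone XML against the element and attribute names in the firewalld.zone(5) structure above and reports anything firewalld would not recognise, which is exactly how the `<sources ip=.../>` line in the first post went unnoticed. The element table and the sample zone files are constructed for the example; `<rule>` bodies are not inspected.

```python
import xml.etree.ElementTree as ET

# Top-level <zone> children and the attributes each may carry, taken from the
# firewalld.zone(5) structure quoted above. <rule> bodies are not inspected.
ZONE_CHILDREN = {
    "short": set(), "description": set(),
    "interface": {"name"},
    "source": {"address", "mac", "ipset"},
    "service": {"name"},
    "port": {"port", "protocol"},
    "protocol": {"value"},
    "icmp-block": {"name"},
    "icmp-block-inversion": set(), "masquerade": set(),
    "forward-port": {"port", "protocol", "to-port", "to-addr"},
    "source-port": {"port", "protocol"},
    "rule": {"family"},
}
ZONE_ATTRS = {"version", "target"}

def lint_zone(xml_text):
    """Return a list of problems; empty means every element and attribute is
    one firewalld will act on (the thread's <sources ip=.../> is not)."""
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        return [f"root element is <{root.tag}>, expected <zone>"]
    problems = [f"<zone> has unknown attribute '{a}'"
                for a in root.attrib if a not in ZONE_ATTRS]
    for child in root:
        allowed = ZONE_CHILDREN.get(child.tag)
        if allowed is None:
            problems.append(f"unknown element <{child.tag}>")
            continue
        problems += [f"<{child.tag}> has unknown attribute '{a}'"
                     for a in child.attrib if a not in allowed]
        # A source must identify hosts by exactly one of address, mac or ipset.
        if child.tag == "source" and len(child.attrib) != 1:
            problems.append("<source> needs exactly one of address=, mac= or ipset=")
    return problems

# Constructed inputs: the broken zone file from the first post and the fix.
BROKEN = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Trusted</short>
  <interface name="ens224"/>
  <sources ip="192.168.1.10"/>
</zone>"""
FIXED = BROKEN.replace('<sources ip="192.168.1.10"/>', '<source address="192.168.1.10"/>')

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_zone(text) or "OK")
```

Run it against /etc/firewalld/zones/*.xml before a `--reload` to catch typos that would otherwise leave a zone with an empty `sources:` list.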

dc.901 09-13-2019 03:39 PM

Wow, thank you!!

I had this:

Code:

  <sources ip="192.168.1.10"/>
Changed to this:

Code:

  <source address="192.168.1.10"/>

Now, it works (after --reload)!

Code:

# firewall-cmd --zone=trusted --list-all
trusted (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens224
  sources: 192.168.1.10
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


dc.901 09-13-2019 03:41 PM

BTW: Here is my XML file (that works):


Code:

# cat trusted.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Trusted</short>
  <description>All network connections are accepted.</description>
  <interface name="ens224"/>
  <source address="192.168.1.10"/>
</zone>


