LinuxQuestions.org > Forums > Linux Forums > Linux - Security

Old 09-13-2019, 01:34 PM   #1
dc.901
Senior Member
 
Registered: Aug 2018
Location: Atlanta, GA - USA
Distribution: CentOS/RHEL, openSuSE/SLES, Ubuntu
Posts: 1,005

Rep: Reputation: 370
firewalld change via XML file


Hello!
I have CentOS 7.6.
The machine has two NICs; one NIC is assigned to the public zone and the second to the trusted zone.
What I am trying to do is:
Code:
# firewall-cmd --permanent --zone=trusted --add-source=192.168.1.10
This works.

However, I am trying to figure out how to do this via the XML file; the zone config XML files are under /etc/firewalld/zones, and there is a trusted.xml:

Code:
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Trusted</short>
  <description>All network connections are accepted.</description>
  <interface name="ens224"/>
  <sources ip="192.168.1.10"/>
</zone>
With the above in the XML, I restarted the firewalld service. However, the output shows:

Code:
# firewall-cmd --zone=trusted --list-all
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: ens224
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:
I am trying to figure out what I am missing.

Last edited by dc.901; 09-13-2019 at 01:35 PM.
 
Old 09-13-2019, 01:50 PM   #2
Firerat
Senior Member
 
Registered: Oct 2008
Distribution: Debian sid
Posts: 2,683

Rep: Reputation: 783
Are you sure the XML is correct?


I grabbed a random man page:
https://www.systutorials.com/docs/li...irewalld.zone/
This is the structure of a zone configuration file:
Code:
    <?xml version="1.0" encoding="utf-8"?>
    <zone [version="versionstring"] [target="ACCEPT|%%REJECT%%|DROP"]>
      [ <short>short description</short> ]
      [ <description>description</description> ]
      [ <interface name="string"/> ]
      [ <source address="address[/mask]"|mac="MAC"|ipset="ipset"/> ]
      [ <service name="string"/> ]
      [ <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> ]
      [ <protocol value="protocol"/> ]
      [ <icmp-block name="string"/> ]
      [ <icmp-block-inversion/> ]
      [ <masquerade/> ]
      [ <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="ipv4address"]/> ]
      [ <source-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> ]
      [
        <rule [family="ipv4|ipv6"]>
        [ <source address="address[/mask]"|mac="MAC"|ipset="ipset" [invert="True"]/> ]
        [ <destination address="address[/mask]" [invert="True"]/> ]
        [
          <service name="string"/> |
          <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> |
          <protocol value="protocol"/> |
          <icmp-block name="icmptype"/> |
          <icmp-type name="icmptype"/> |
          <masquerade/> |
          <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="address"]/>
        ]
        [ <log [prefix="prefixtext"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> ]
        [ <audit> [<limit value="rate/duration"/>] </audit> ]
        [
          <accept> [<limit value="rate/duration"/>] </accept> |
          <reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
          <drop> [<limit value="rate/duration"/>] </drop> |
          <mark set="mark[/mask]"> [<limit value="rate/duration"/>] </mark>
        ]
        </rule>
      ]
    </zone>
 
Old 09-13-2019, 03:39 PM   #3
dc.901
Senior Member
 
Registered: Aug 2018
Location: Atlanta, GA - USA
Distribution: CentOS/RHEL, openSuSE/SLES, Ubuntu
Posts: 1,005

Original Poster
Rep: Reputation: 370
Wow, thank you!

I had this:

Code:
  <sources ip="192.168.1.10"/>
Changed to this:

Code:
  <source address="192.168.1.10"/>

Now, it works (after --reload)!

Code:
# firewall-cmd --zone=trusted --list-all
trusted (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens224
  sources: 192.168.1.10
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:
 
Old 09-13-2019, 03:41 PM   #4
dc.901
Senior Member
 
Registered: Aug 2018
Location: Atlanta, GA - USA
Distribution: CentOS/RHEL, openSuSE/SLES, Ubuntu
Posts: 1,005

Original Poster
Rep: Reputation: 370
BTW: Here is my XML file (that works):


Code:
# cat trusted.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Trusted</short>
  <description>All network connections are accepted.</description>
  <interface name="ens224"/>
  <source address="192.168.1.10"/>
</zone>

Last edited by dc.901; 09-13-2019 at 03:45 PM.
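Two things in this thread are worth catching before a zone file is handed to firewalld, and the listings above show both: with the misspelled `<sources ip="..."/>` element the service restarted without complaint and simply showed an empty `sources:` line, and once the corrected file (which has no `target=` attribute on `<zone>`) was loaded, `firewall-cmd --zone=trusted --list-all` went from `target: ACCEPT` to `target: default`, so the zone no longer carries the accept-all target its own description promises. The following linter is an added example for this thread, not the poster's code and not part of firewalld. It takes the element and attribute names from the firewalld.zone(5) structure quoted in post #2; the only assumption beyond the page is that `trusted` is the built-in zone whose target should be `ACCEPT` (the `ACCEPT_ALL_ZONES` set), and the two zone files embedded at the bottom are constructed from the poster's before and after XML.

```python
"""Lint a firewalld zone XML file before it is dropped into /etc/firewalld/zones.

Added example for this thread; it is neither the poster's code nor part of
firewalld. It flags element names firewalld does not know (the poster's
<sources ip="..."/>), malformed <source/> selectors, and a file that
overrides a built-in accept-all zone without target="ACCEPT".
"""
import ipaddress
import xml.etree.ElementTree as ET

# Child elements of <zone> as listed in the firewalld.zone(5) structure quoted in the thread.
ZONE_CHILDREN = {
    "short", "description", "interface", "source", "service", "port",
    "protocol", "icmp-block", "icmp-block-inversion", "masquerade",
    "forward-port", "source-port", "rule",
}
# target= values listed in the same man page excerpt.
ZONE_TARGETS = {"ACCEPT", "%%REJECT%%", "DROP"}
# Assumption: built-in zones whose shipped file carries target="ACCEPT".
# Only "trusted" is tracked here, the zone this thread is about.
ACCEPT_ALL_ZONES = {"trusted"}


def check_source(elem):
    """Validate one <source/>: exactly one of address=, mac=, ipset=."""
    problems = []
    selectors = {k: v for k, v in elem.attrib.items() if k in ("address", "mac", "ipset")}
    if len(selectors) != 1:
        problems.append(
            "<source> needs exactly one of address=, mac=, ipset= "
            f"(got attributes {sorted(elem.attrib)})"
        )
        return problems
    if "address" in selectors:
        try:
            # strict=False so a host address written with a prefix is accepted too
            ipaddress.ip_network(selectors["address"], strict=False)
        except ValueError:
            problems.append(f"<source> address={selectors['address']!r} is not an IP address or network")
    return problems


def lint_zone(xml_text, zone_name=None):
    """Return a list of problems found in the zone XML; an empty list means it looks sane.

    zone_name is the file name without .xml, i.e. the zone firewalld loads it as.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "zone":
        return [f"root element is <{root.tag}>, expected <zone>"]

    problems = []
    target = root.get("target")
    if target is not None and target not in ZONE_TARGETS:
        problems.append(f"unknown target={target!r}; expected one of {sorted(ZONE_TARGETS)}")
    if zone_name in ACCEPT_ALL_ZONES and target != "ACCEPT":
        problems.append(
            f"zone {zone_name!r} overrides a built-in accept-all zone but has no "
            'target="ACCEPT"; firewall-cmd will report target: default'
        )

    for child in root:
        if child.tag not in ZONE_CHILDREN:
            # The poster's mistake: the service restarted fine and the
            # misspelled element simply had no effect (empty "sources:" line).
            problems.append(f"unknown element <{child.tag}> is not a zone element and will not take effect")
        elif child.tag == "source":
            problems.extend(check_source(child))
        elif child.tag == "interface" and not child.get("name"):
            problems.append("<interface> without name= attribute")
    return problems


# Constructed inputs: the poster's first attempt and the final file from the thread.
BROKEN_TRUSTED = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Trusted</short>
  <description>All network connections are accepted.</description>
  <interface name="ens224"/>
  <sources ip="192.168.1.10"/>
</zone>
"""
FIXED_TRUSTED = BROKEN_TRUSTED.replace('<sources ip="192.168.1.10"/>', '<source address="192.168.1.10"/>')
# Same file with the target restored so "trusted" keeps accepting everything.
FIXED_TRUSTED_ACCEPT = FIXED_TRUSTED.replace("<zone>", '<zone target="ACCEPT">')

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_TRUSTED), ("fixed", FIXED_TRUSTED), ("fixed+target", FIXED_TRUSTED_ACCEPT)):
        print(label, lint_zone(text, zone_name="trusted") or ["ok"])
```

Run it against the file before `firewall-cmd --reload`; once the linter is clean, `firewall-cmd --permanent --zone=trusted --get-target` should print `ACCEPT` again, which is the check that catches the silent `target: default` change shown in post #3.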
 