more nifty things to do with firewalld

How about blocking traffic based on country of origin?

Let’s say you notice a lot of dictionary attacks against your host from a certain country, and you decide that you want to completely block that country from accessing anything on your server.

All you need is the xtables addon for iptables (yes, iptables, this means it might not work on RHEL 8.x), and the GeoIP data for the geoip xtables module, and then you can insert direct rules like this:

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -m geoip --src-cc XXX -j DROP # replace XXX with a country code, uppercase
firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -m geoip --src-cc XXX -j DROP # replace XXX with a country code, uppercase

or how about some rate limiting?

Let’s say I want to allow ssh but not more than 5 new connections per minute.

firewall-cmd --add-rich-rule='rule service name="ssh" accept limit value="5/min"'

Let’s say I want to log connections to ssh, but not more than 3 messages per minute:

firewall-cmd --add-rich-rule='rule service name="ssh" log limit value="3/m"'

rolling it both into one:

firewall-cmd --add-rich-rule='rule service name="ssh" log limit value="3/m" accept limit value="5/m"'

This one means: allow ssh with not more than 5 new connections per minute and log it but not more than three messages per minute.

Finally, lets assume the firewall is running on a machine that also acts as our default gateway. It’s masquerading traffic from the internal to the external zone by default.

Let’s install squid here and configure it to be a transparent proxy on port 8080, I’m not going to explain how to set that up here, I’m just taking it for granted…

firewall-cmd --zone=internal --add-forward-port=port=80:proto=tcp:toport=8080

Or if the proxy is not on the gateway:

firewall-cmd --zone=internal --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=192.168.3.99  ## IP Address of proxy goes there