So, when firewalld was first introduced, people complained that it wasn't offering enough advanced features. And that is why some solutions were proposed. There are direct rules. Direct rules allow admins to insert hand-coded rules, and direct rules are processed before anything in the zones, but it's not really recommended to use them. The recommended interface is the rich rule. Rich rules use an expressive language to create custom rules that cannot be created with basic syntax. And you need it if you want to do logging, or port forwards, or masquerading, or rate limiting, and if you want to get more information, including some examples, you should consult the man page, firewalld.richlanguage. It's a man page that contains some pretty nice examples.

In order to compose rich rules, you should use firewall-cmd --add-rich-rule='' and then between single quotes, the rules. And if you read the man page for firewalld.richlanguage, you will see some rule examples. Let me demonstrate.
So to start with I would like to show you firewalld.richlanguage. This is the rich language documentation. In this rich language documentation, you find these examples. Now what is confusing about these examples is that you just have the rule itself. So in front of it you need to use firewall-cmd --add-rich-rule= and then between single quotes, this entire rule. I would advise, go have a look, get inspired, because it's pretty nicely explaining how to use each of these rules.

Now let's have a look at the demo that I prepared: firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=192.168.29.220 reject'. And here you can see success. Next, let's also add another rule. We can keep the beginning. So --add-rich-rule=' and this time rule service name=htp log limit value is three per minute, and accept. Small typo. So what is this doing? Well, this is going to log HTTP packets with a maximum of three per minute so that your log is not getting flooded.
And another one is where we can use a rule protocol value is igmp accept. IGMP is one of these routing protocols. And here, if you want to know what exactly the protocol is about, then have a look at /etc/protocols. So /etc/protocols is defining the different protocols that are available. So all of these protocols can be used. Now one more, and that is a rule. Family is ipv4. Source address=10.0.0.0/24. So anything coming from the network 10.0.0.0, port is 7900 up to 7905, and protocol is tcp. And that's what we are going to accept as well.

Uh oh, forgetting something. We don't have the element, and we don't have the element because it looks like a typo. We are missing port here. So the error is telling us "invalid rule attribute port outside of any element". So after source we have the element source where we specify the address, and then we have the element port where we specify the port ranges, and that should be doing it. There we go. Now it is successful.
I wanted to make this error because these elements are a little bit confusing, and when you see it in the documentation, you think, "Oh, this is a typo. We have port and port equals, that doesn't make sense." Well, it does make sense. OK, one more. And that is the rich rule where we are going to use service name=ssh log prefix="ssh" level="notice" and limit value is two per minute. And that's what we are going to accept as well.

Uh oh, it's opening a secondary prompt. Why is it opening a secondary prompt? Well, for the simple reason that I made an error in the quotes: I used double quotes at the end instead of a single quote. Now we're good. So at this point, what is going to happen if you use firewall-cmd --list-all? Where are all my beautiful rich rules? Well, my beautiful rich rules aren't there because I've added all of them using --permanent. And if you use --permanent, you write it to the persistent configuration but not to runtime. So I need to restart firewalld and then I can do this list-all again. And there we can see all the rules are being listed, and that's how you add rich rules.
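An added example, not part of the course transcript: a POSIX shell script that applies the five rich rules from the demo (with the http typo fixed) to the public zone, writing each one to both the permanent and the runtime configuration so that firewall-cmd --list-all shows it immediately; when you have only used --permanent, firewall-cmd --reload is the lighter alternative to restarting firewalld. The addresses and ports are the demo's own. The validate_rule pre-check is my own assumption, not a firewalld feature: it catches a bare port= attribute outside a port element, the exact mistake that produced the "invalid rule attribute port outside of any element" error in the demo, before the rule is handed to firewall-cmd. The script only invokes firewall-cmd when it is installed.

```shell
#!/bin/sh
# Added example (not from the course): apply the demo's rich rules to the
# public zone, both permanent and runtime, then list what is active.
set -eu

ZONE=public

# Constructed sample: the five rules typed in the demo, with the http typo fixed.
# Quoted values follow firewalld.richlanguage; the single-quoted heredoc keeps
# the inner double quotes literal.
rich_rules() {
  cat <<'EOF'
rule family=ipv4 source address=192.168.29.220 reject
rule service name="http" log limit value="3/m" accept
rule protocol value="igmp" accept
rule family=ipv4 source address=10.0.0.0/24 port port=7900-7905 protocol=tcp accept
rule service name="ssh" log prefix="ssh" level="notice" limit value="2/m" accept
EOF
}

# Hypothetical pre-check (my addition, not a firewalld feature): a rule must
# start with "rule", and a port attribute is only valid inside a port element,
# i.e. "port port=..." rather than a bare "port=...". A bare "port=" is what
# produces "invalid rule attribute port outside of any element".
validate_rule() {
  case "$1" in
    "rule "*) ;;
    *) return 1 ;;
  esac
  case "$1" in
    *"port port="*) ;;
    *"port="*) return 1 ;;
  esac
  return 0
}

# Add a rule to the saved config and to the running firewall in one go, so no
# reload or restart is needed before it shows up in --list-all.
apply_rule() {
  firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$1"
  firewall-cmd --zone="$ZONE" --add-rich-rule="$1"
}

apply_all() {
  rich_rules | while IFS= read -r rule; do
    if validate_rule "$rule"; then
      apply_rule "$rule"
    else
      printf 'skipping malformed rule: %s\n' "$rule" >&2
    fi
  done
  # Runtime view; add --permanent to compare with what is saved on disk.
  firewall-cmd --zone="$ZONE" --list-rich-rules
}

if command -v firewall-cmd >/dev/null 2>&1; then
  apply_all
else
  echo "firewall-cmd not found; nothing applied" >&2
fi
```

Run it as root on the firewalld host; the final --list-rich-rules call is the check that the runtime view now matches what was written to the permanent configuration.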