1
00:00:07,020 --> 00:00:09,900
So we are going to do this on the main machine,

2
00:00:09,900 --> 00:00:11,100
the center west machine.

3
00:00:12,693 --> 00:00:15,510
And we need to think about incoming traffic only allowed

4
00:00:15,510 --> 00:00:18,210
if it comes from the default router IP address.

5
00:00:18,210 --> 00:00:19,830
So we need a source as well.

6
00:00:19,830 --> 00:00:20,663
And that means

7
00:00:20,663 --> 00:00:24,570
that we should probably have a look at rich rules.

8
00:00:24,570 --> 00:00:28,593
So man firewalld.richlanguage.

9
00:00:32,430 --> 00:00:35,280
And let's check if there is an example

10
00:00:35,280 --> 00:00:38,520
that is doing what we want it to do.

11
00:00:38,520 --> 00:00:43,353
And here we can see something pretty accurate.

12
00:00:45,600 --> 00:00:46,833
Let me copy this.

13
00:00:49,950 --> 00:00:53,970
And let me use firewall-cmd --add-rich-rule

14
00:01:03,390 --> 00:01:06,827
rule is single quote, paste.

15
00:01:09,660 --> 00:01:12,390
Let me not forget the closing single quote.

16
00:01:12,390 --> 00:01:16,470
We don't need the logging information.

17
00:01:16,470 --> 00:01:18,273
So we can remove all of this.

18
00:01:20,580 --> 00:01:23,730
We can work with the service name ftp,

19
00:01:23,730 --> 00:01:27,090
instead of tftp, and the source address.

20
00:01:27,090 --> 00:01:30,180
Well, the source address should be the default gateway.

21
00:01:30,180 --> 00:01:32,100
That is 29.2.

22
00:01:32,100 --> 00:01:34,140
So this should be doing it.

23
00:01:34,140 --> 00:01:37,710
Oh boy, bad attribute 'rule'.

24
00:01:37,710 --> 00:01:41,730
So, what's going on?

25
00:01:41,730 --> 00:01:45,240
Well, in cases like this where the syntax is confusing you,

26
00:01:45,240 --> 00:01:46,530
I would advise you use

27
00:01:46,530 --> 00:01:51,530
firewall-cmd --help | grep add-rich

28
00:01:52,500 --> 00:01:54,780
and it should give you enough.

29
00:01:54,780 --> 00:01:58,470
So add-rich-rule is .

30
00:01:58,470 --> 00:02:01,260
Ah, now I understand what I've done wrong.

31
00:02:01,260 --> 00:02:03,960
Directly after add-rich-rule,

32
00:02:03,960 --> 00:02:07,290
we can specify the equals sign and then the rule.

33
00:02:07,290 --> 00:02:10,323
So we have too much information in this line.

34
00:02:11,640 --> 00:02:14,940
I like this approach to do a quick check

35
00:02:14,940 --> 00:02:18,240
of the syntax using firewall-cmd --help,

36
00:02:18,240 --> 00:02:19,890
grep whatever you want to grep.

37
00:02:19,890 --> 00:02:22,143
And in most cases this does make sense.

38
00:02:23,130 --> 00:02:25,620
Now I added this to runtime.

39
00:02:25,620 --> 00:02:28,440
Let's also add it to permanent

40
00:02:28,440 --> 00:02:30,780
so that the configuration is persistent.

41
00:02:30,780 --> 00:02:35,310
And let's verify with firewall-cmd --list-all.

42
00:02:35,310 --> 00:02:38,370
Where we can see that a couple of rich rules

43
00:02:38,370 --> 00:02:40,170
exist at this point.

44
00:02:40,170 --> 00:02:42,540
And this is what we want.

45
00:02:42,540 --> 00:02:44,760
Name is "ftp" accept.

46
00:02:44,760 --> 00:02:48,480
That's only going to accept incoming ftp traffic

47
00:02:48,480 --> 00:02:50,880
if it is from 29.2.

48
00:02:50,880 --> 00:02:51,780
So that's all.

49
00:02:51,780 --> 00:02:52,613
Now we're done.
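Added example, not part of the video transcript: a POSIX shell script that builds the kind of rich rule the narrator ends up with (a service accepted only from one source address), validates the source address before handing it to firewall-cmd, and applies the rule to the runtime and then the permanent configuration. The service name ftp and the gateway address 192.0.2.1 are assumed placeholder values; the `is_ipv4`, `rich_rule_allow_from` and `apply_rich_rule` function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the video. Builds a firewalld rich rule that accepts a
# service only from one IPv4 source (for instance the default gateway), validates
# the address first, and applies it to the runtime and then permanent configuration.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
  case $1 in ''|*..*|.*|*.) return 1 ;; esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print the rich rule text. Usage: rich_rule_allow_from <service> <source-ipv4>
rich_rule_allow_from() {
  is_ipv4 "$2" || { echo "rich_rule_allow_from: invalid IPv4 source '$2'" >&2; return 1; }
  printf 'rule family="ipv4" source address="%s" service name="%s" accept\n' "$2" "$1"
}

# Apply the rule to the running firewall, then to the permanent configuration so
# it survives a reload or reboot, and show the zone with --list-all to verify.
apply_rich_rule() {
  rule=$(rich_rule_allow_from "$1" "$2") || return 1
  # The '=' follows --add-rich-rule directly; the word 'rule' is part of the value.
  firewall-cmd --add-rich-rule="$rule" &&
    firewall-cmd --permanent --add-rich-rule="$rule" &&
    firewall-cmd --list-all
}

# Placeholder values: service ftp and gateway 192.0.2.1 (RFC 5737 documentation
# range); substitute the real default router address, e.g. from 'ip route show default'.
if command -v firewall-cmd >/dev/null 2>&1; then
  apply_rich_rule ftp 192.0.2.1
else
  rich_rule_allow_from ftp 192.0.2.1   # no firewalld on this host: just print the rule
fi
```

Run it as root on the firewalld host; on any other machine it only prints the rule text so the syntax can be checked before use.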