Firewalld implements a zone concept. To allow access to services based on the source address, just create a new zone, add source addresses and services to the zone and you are done.
Here is an example.
First we create a new zone named test
Code:
firewall-cmd --permanent --new-zone=test
This new zone shall be effective for source in the 10.100.250.0/24 address range
I"m installing my ATI card in FC4. I'm going off of instructions that i've found. The firs step says that i need my kernel sources which i've got then it says that i've gotta unpack them so i can make links to the file later. My kernel sources that i've got are .src.rpm I've installed them but... (1 Reply)
So, I was browsing groklaw.net, and I was surprised to read that Pamela Jones was reading the copyright notices in the UnixWare 7.1.1 source code files...
Groklaw - Santa Cruz Listed Novell as Owning the Copyrights in 1999
How can that be? Are the UnixWare 7.1.1 sources available to the... (1 Reply)
I had a doubt if any services need to be restarted if port no in /etc/services in an RHEL setup is changed. For eg, the port no of 443 for SSL may need to be changed.
I hope my query is clear whether any services need to be restarted if port no in /etc/services is changed.
Please revert with... (10 Replies)
Hi,
I just started working on a script. After my research, i found a command which can help me:
AIM: To build a script which starts the services (Services 1) on server 1 automatically whenever its down. And it has a dependency on other service (Service 2) on Server 2.
So my script has to... (4 Replies)
Hi,
What is the syntax to configure sntp client to have multiple time sources?
I tried to use the below syntax, but when the src1 is not reachable, the sntp does not even try to sync to src2:
# /usr/sbin/sntp -P no -r src1 src2
sntp: receive timed out after 3 seconds
sntp: receive timed... (0 Replies)
I am working in IT company working for banks.I find hardly to get technology about bank IT on the internet.Consider banks all using Unix, I think I can get some help here.
Recommend some sits or books about bank IT will be very helpful!! (0 Replies)
New to firewalld, and having an issue trying to emulate my old iptable ruleset.
Server has one network interface, which I usually only allow SSH in from certain IPs, I know I can do this with rich rules but have read that this is sub-optimal.
So, I created a new zone, ABCinternal, added a... (8 Replies)
Discussion started by: fishface
8 Replies
LEARN ABOUT CENTOS
firewalld.lockdown-whitelist
FIREWALLD.LOCKDOWN(5) firewalld.lockdown-whitelist FIREWALLD.LOCKDOWN(5)NAME
firewalld.lockdown-whitelist - firewalld lockdown whitelist configuration file
SYNOPSIS
/etc/firewalld/lockdown-whitelists.xml
DESCRIPTION
The firewalld lockdown-whitelist configuration file contains the selinux contexts, commands, users and user ids that are white-listed when
firewalld lockdown feature is enabled (see firewalld.conf(5) and firewall-cmd(1)).
This example configuration file shows the structure of an lockdown-whitelist file:
<?xml version="1.0" encoding="utf-8"?>
<whitelist>
<selinux context="selinuxcontext"/>
<command name="commandline[*]"/>
<user {name="username|id="userid"}/>
</whitelist>
OPTIONS
The config can contain these tags and attributes. Some of them are mandatory, others optional.
whitelist
The mandatory whitelist start and end tag defines the lockdown-whitelist. This tag can only be used once in a lockdown-whitelist
configuration file. There are no attributes for this.
selinux
Is an optional empty-element tag and can be used several times to have more than one selinux contexts entries. A selinux entry has exactly
one attribute:
context="string"
The context is the security (SELinux) context of a running application or service.
To get the context of a running application use ps -e --context and search for the application that should be white-listed.
Warning: If the context of an application is unconfined, then this will open access for more than the desired application.
command
Is an optional empty-element tag and can be used several times to have more than one command entry. A command entry has exactly one
attribute:
name="string"
The command string is a complete command line including path and also attributes.
If a command entry ends with an asterisk '*', then all command lines starting with the command will match. If the '*' is not there the
absolute command inclusive arguments must match.
Commands for user root and others is not always the same, the used path depends on the use of the PATH environment variable.
user
Is an optional empty-element tag and can be used several times to white-list more than one user. A user entry has exactly one attribute of
these:
name="string"
The user with the name string will be white-listed.
id="integer"
The user with the id userid will be white-listed.
SEE ALSO firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1), firewalld.conf(5), firewalld.direct(5), firewalld.icmptype(5),
firewalld.lockdown-whitelist(5), firewall-offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5), firewalld.zone(5),
firewalld.zones(5)NOTES
firewalld home page at fedorahosted.org:
http://fedorahosted.org/firewalld/
More documentation with examples:
http://fedoraproject.org/wiki/FirewallD
AUTHORS
Thomas Woerner <twoerner@redhat.com>
Developer
Jiri Popelka <jpopelka@redhat.com>
Developer
firewalld 0.3.9 FIREWALLD.LOCKDOWN(5)