firewall-cmd & Rich Rules

"I am a dinosaur." - I get it, I really do. Change is hard.

I saw the passing of ipchains, and have lived to assemble monsters in iptables.

Firewalld is now a thing, although targeted at simplifying the host firewall. This was by far the biggest 'lights on' moment when I was learning about it: it is just intended to bucket traffic off into commonly used zones, either by source or similar, and to allow services within those zones to be exposed. Nice.

Sometimes it needs a little more. Sometimes you find yourself being asked to do more complicated things, such as working with rich rules.

Today I am venting a little on rich rules - precisely because of 'reasons'.
So yeah - I think I can cover these in two points without meandering about too much:

1// Hyphen
Readability is a nice thing. It is. However, if you are going to lead into something with:

firewall-cmd --permanent --add-rich-rule=' …'

I do not think it would be beyond the realms of standards to continue in at least a hyphenated manner, as opposed to these two examples:

'rule service name="ssh" log prefix="SSHCONNECT " limit value="3/m"'
'rule family="ipv4" source address= reject'

Here it is unclear whether the keyword is "rule" or "rule family", or indeed "source" or "source address". It is just kind of messy and inconsistent.
What about something a little more:

'service-name=ssh log-prefix="SSHCONNECT" limit-value=3/m'
'family=ipv4 source-address= reject'

Does it really need the "rule" statement at the beginning? If there are other options within 'rich rules' then surely the context should be apparent?

2// Autocomplete
Hopefully made simpler by the above, now that the space has gone: tab-complete on 'source' to see what is available, and equally complete with an equals sign or without one, depending on whether it is needed.

Failing that, rather than the halfway house of direct rules, drop back to actually having full-on direct rules? For the two examples above:

firewall-cmd --permanent --direct-rule=' -p tcp --dport 22 -m limit --limit 3/min -j LOG --log-prefix="SSH CONNECT "'
firewall-cmd --permanent --direct-rule=' --src= -j REJECT'

See, that was not the "super long iptables command" that tutorials cite, was it? No. Sure, I have probably screwed those up too, but you get the general idea.
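As an added example (written for this edit; it is not code from the post or from firewalld), here is a small Python parser for the subset of the real rich-rule grammar used above, which then renders each rule as the argument list a firewalld direct rule would carry. For the record, the form firewalld's direct interface actually accepts is '--direct --add-rule <family> <table> <chain> <priority> <iptables args>', and rich-rule values are documented double-quoted. The parser makes the first complaint concrete: 'source' and 'address=' arrive as two whitespace-separated tokens, and only the grammar ties them together. The SERVICES table standing in for firewalld's service definitions, the sample addresses, and the 'negate' bookkeeping key are assumptions of this example.

```python
"""Parse firewalld rich-rule syntax and render it as iptables arguments.

Added example: not code from the post or from firewalld.  It covers only
the subset of the rich language the post uses (family, source address,
service, log prefix/level/limit, accept/reject/drop); anything else raises.
"""
from __future__ import annotations

import shlex

ACTIONS = {"accept", "reject", "drop"}
# Keywords that open a group of key=value attributes.  This is the point of
# the post's first complaint: "source address=" is one thing and "rule
# family=" another, and only the grammar, not the spacing, says where the
# boundary falls.  "limit" is modelled as a single group that belongs to
# "log" when a log clause is present and to the action otherwise.
GROUP_KEYWORDS = {"rule", "source", "destination", "service", "port",
                  "protocol", "log", "limit"} | ACTIONS

# Constructed stand-in for /usr/lib/firewalld/services/*.xml (assumption).
SERVICES = {"ssh": ("tcp", "22"), "http": ("tcp", "80")}
# firewalld limit units -> iptables "-m limit --limit" units.
LIMIT_UNITS = {"s": "second", "m": "minute", "h": "hour", "d": "day"}


def parse(rule: str) -> dict:
    """Turn 'rule family="ipv4" source address="..." ...' into nested dicts."""
    tokens = shlex.split(rule)  # keeps prefix="SSHCONNECT " as one token
    if not tokens or tokens[0] != "rule":
        raise ValueError("a rich rule starts with the bare keyword 'rule'")
    parsed: dict = {"rule": {}}
    group = "rule"
    for tok in tokens[1:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            if not key or not value:  # e.g. 'source address= reject'
                raise ValueError(f"empty attribute in {group!r}: {tok!r}")
            parsed[group][key] = value
        elif tok in GROUP_KEYWORDS:
            group = tok
            parsed.setdefault(group, {})
        elif tok == "NOT":  # 'source NOT address=...' negates the match
            parsed[group]["negate"] = "yes"
        else:
            raise ValueError(f"unknown keyword {tok!r}")
    if len(ACTIONS.intersection(parsed)) > 1:
        raise ValueError("a rich rule has at most one action")
    return parsed


def to_iptables(parsed: dict) -> list[list[str]]:
    """Render as the iptables argument lists a direct rule would carry.

    A log clause becomes its own -j LOG rule, as iptables requires, and the
    action a second rule with the same match.  REJECT is emitted plain;
    firewalld's own rendering adds a --reject-with type and zone chains.
    """
    match: list[str] = []
    src = parsed.get("source", {})
    if "address" in src:
        match += (["!"] if src.get("negate") else []) + ["-s", src["address"]]
    if "service" in parsed:
        proto, port = SERVICES[parsed["service"]["name"]]
        match += ["-p", proto, "--dport", port]
    limit: list[str] = []
    if "limit" in parsed:
        rate, unit = parsed["limit"]["value"].split("/")
        limit = ["-m", "limit", "--limit", f"{rate}/{LIMIT_UNITS[unit]}"]
    rules: list[list[str]] = []
    if "log" in parsed:
        log = match + limit + ["-j", "LOG"]
        if "prefix" in parsed["log"]:
            log += ["--log-prefix", parsed["log"]["prefix"]]
        if "level" in parsed["log"]:
            log += ["--log-level", parsed["log"]["level"]]
        rules.append(log)
    for action in ACTIONS.intersection(parsed):
        rule = match + ([] if "log" in parsed else limit) + ["-j", action.upper()]
        if action == "reject" and "type" in parsed["reject"]:
            rule += ["--reject-with", parsed["reject"]["type"]]
        rules.append(rule)
    return rules


def direct_commands(rule: str, table: str = "filter", chain: str = "INPUT",
                    priority: int = 0) -> list[str]:
    """The same rule in the form firewalld's direct interface really takes:
    --direct --add-rule <family> <table> <chain> <priority> <iptables args>."""
    parsed = parse(rule)
    family = parsed["rule"].get("family", "ipv4")
    return ["firewall-cmd --permanent --direct --add-rule "
            + shlex.join([family, table, chain, str(priority), *args])
            for args in to_iptables(parsed)]


if __name__ == "__main__":
    # Constructed example matching the post's SSH logging rule.
    RULE = ('rule family="ipv4" source address="192.0.2.0/24" service name="ssh" '
            'log prefix="SSHCONNECT " level="info" limit value="3/m" accept')
    for line in direct_commands(RULE):
        print(line)
```

Run it and the one rich rule comes out as two direct-rule commands, a LOG rule and an ACCEPT rule, which is also why the rich form exists: it lets firewalld keep the pair together and place it in the right zone chain. Feed it the post's second example with the address left empty and it refuses with the same kind of error firewalld gives for an empty attribute, rather than silently treating 'reject' as the value.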

I do get that systemd and firewalld are super close buddies, along with nmcli, and that they are the future, along with the use of ip and ss, which quite frankly may look good to a script but look awful to a human. Whatever you may think of any of them, we all need to be using them moving forward. They are the future. I get that also. I also grasp that iptables has had the chop entirely in some distributions. But seriously: spaces, the lack of them, and consistency with autocomplete.
Needless pain where you are trying to simplify matters? Have a word with yourself.
