Firewalld and mixed access question

Let’s say that I want to allow access to an iperf3 server on ports 5201/tcp|5201/udp from any source, i.e. from any subnet on our WAN.

At the same time, I want to restrict access to an rsyncd service on port 873/tcp|873/udp to only the LAN subnet, e.g. 192.168.1.0/24.

How do I go about doing that?

Do I have to create a zone with a --add-source=192.168.1.0/24 and add the rsyncd service to that zone?

Or do I have to add the interface to the public zone and add the iperf3 service to that?

Or do I need to add a destination= to the rsyncd.xml profile?

Or should I go about this some other way?


If you have multiple interfaces, assign them to different zones allowing services per zone.

Otherwise, use the rich rule syntax:

firewall-cmd --permanent --remove-service rsyncd
firewall-cmd --permanent --add-rich-rule="rule \
    family=ipv4 source address=192.168.1.0/24 service name=rsyncd accept"
firewall-cmd --reload
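The `--remove-service rsyncd` step matters: if rsyncd stays in the zone's service list, it is open to every source the zone covers and the rich rule adds nothing. As an added example (not from this thread), here is a small Python audit that reads a saved `firewall-cmd --zone=public --list-all` dump and flags a LAN-only service that is still exposed zone-wide; the dump below is constructed, not captured from a real host.

```python
"""Audit a `firewall-cmd --list-all` dump for the mixed-access setup above.
A LAN-only service must NOT appear on the zone's `services:` line; it should be
reachable only through a rich rule that names a source address."""
import re

# Constructed sample, not real output: the rich rule was added but
# `--remove-service rsyncd` was forgotten, so rsyncd is still WAN-reachable.
SAMPLE_LIST_ALL = """\
public (active)
  target: default
  interfaces: eth0
  sources:
  services: dhcpv6-client iperf3 rsyncd ssh
  ports:
  rich rules:
\trule family="ipv4" source address="192.168.1.0/24" service name="rsyncd" accept
"""

# Matches the normalized form firewalld prints for source-restricted service rules.
RICH_RULE_RE = re.compile(
    r'rule (?:family="(?P<family>\w+)" )?source address="(?P<src>[^"]+)" '
    r'service name="(?P<svc>[^"]+)" (?P<action>accept|reject|drop)'
)

def parse_list_all(text):
    """Return (zone_services, {service: [accepted source, ...]})."""
    services, restricted = set(), {}
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("services:"):
            services.update(stripped.split(":", 1)[1].split())
        m = RICH_RULE_RE.match(stripped)
        if m and m.group("action") == "accept":
            restricted.setdefault(m.group("svc"), []).append(m.group("src"))
    return services, restricted

def audit(text, lan_only):
    """lan_only maps service name -> set of permitted source networks.
    Returns human-readable findings; an empty list means the zone is as intended."""
    services, restricted = parse_list_all(text)
    findings = []
    for svc, allowed in lan_only.items():
        if svc in services:
            findings.append(f"{svc}: listed in zone services, reachable from any source")
        extra = set(restricted.get(svc, [])) - allowed
        if extra:
            findings.append(f"{svc}: rich rule admits unexpected sources {sorted(extra)}")
        if svc not in services and svc not in restricted:
            findings.append(f"{svc}: no rule at all, service unreachable")
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LIST_ALL, {"rsyncd": {"192.168.1.0/24"}}):
        print("FINDING:", f)
```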

That looks perfect and very straightforward. I’ve been avoiding learning about rich rules out of sheer ignorance.

Thank you.
