Using rich rules
The firewalld rich language allows an administrator to easily configure more complex firewall rules without having knowledge of the iptables syntax. This can include logging and examination of the source address.
To add a rule to allow NTP connection on the default zone, but logging the connection at no more than 1 per minute, use the following command:
# firewall-cmd --permanent \ --add-rich-rule='rule service name="ntp" audit limit value="1/m" accept' # firewall-cmd --reload
Similarly, we can add a rule that only allows access to the squid service from one subnet only:
# firewall-cmd --permanent \ --add-rich-rule='rule family="ipv4" \ source address="192.166.0.0/24" service name="squid" accept' # firewall-cmd --reload
From the following screenshot, we can see the rich rule being added:
Note
The Fedora project maintains the documentation for rich rules in
firewalld and these can be accessed at https://fedoraproject.org/wiki/Features/FirewalldRichLanguage should you need...
