Firewalld Cloudflare Proxy Whitelisting

But again, my suspicion is that it would be the order of priority that makes it all fall apart.
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" priority=1 source ipset="Cloudflarev4" service name="https" accept'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv6" priority=1 source ipset="Cloudflarev6" service name="https" accept'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" priority=1 source ipset="Cloudflarev4" service name="http" accept'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv6" priority=1 source ipset="Cloudflarev6" service name="http" accept'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" priority=32767 source address="0.0.0.0/0" service name="http" drop'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" priority=32767 source address="0.0.0.0/0" service name="https" drop'
MIGHT be able to fix that, if you insist on the two drop rules.
DarkDeviL (OP) • 10mo ago
You can literally do whatever you prefer in that regard. E.g.:
- Add logging to the two drop rules
- Remove the drop rules (and hope the default LogDenied=all catches them)
Whatever you prefer that way is up to you.
Akama Aka • 10mo ago
So I've to remove these:
rule family="ipv6" source ipset="Cloudflarev6" service name="https" accept
rule family="ipv4" source ipset="Cloudflarev4" service name="http" accept
rule family="ipv6" source ipset="Cloudflarev6" service name="http" accept
rule family="ipv4" source ipset="Cloudflarev4" service name="https" accept
rule family="ipv4" source address="0.0.0.0/0" service name="http" log prefix="HTTP-/080-DROP: " drop
rule family="ipv4" source address="0.0.0.0/0" service name="https" log prefix="HTTPS/443-DROP: " drop
and add yours
DarkDeviL (OP) • 10mo ago
Those should be fine, for logging what it drops there.
Akama Aka • 10mo ago
Okay
DarkDeviL (OP) • 10mo ago
But if that doesn't help you, e.g. that it is still not logging anything, I'd suggest adding the priorities like above.
Akama Aka • 10mo ago
Okay
DarkDeviL (OP) • 10mo ago
Normally, I'm not running with that firewall-cmd thing though. But AFAIK, priority=1 should win over e.g. priority=32767 in the example above. E.g. lowest number comes first and wins, just like e.g. MX records.
Akama Aka • 10mo ago
yes Yes thanks I like firewalld more because it's the only one that really works and also looks very good but the syntax is a bit yea. It's packed with features x3
DarkDeviL (OP) • 10mo ago
Well I would probably hold back with your continuous mention of "the only one that really works" and such stuff. It is only just shouting PEBKAC.
Akama Aka • 10mo ago
It looks like it works
DarkDeviL (OP) • 10mo ago
drop log, or priority?
Akama Aka • 10mo ago
Yes uhhh both Just Cloudflare Proxy is getting through and everything else is blocked :loveHeartHug: thanks I'll also mention everything of that and yea also document it so I can understand it more thank you nvmd nmap still says that 80 and 443 are open
DarkDeviL (OP) • 10mo ago
From where are you nmap'ing?
Akama Aka • 10mo ago
From my Laptop Local Device and Network
DarkDeviL (OP) • 10mo ago
Sitting at the same LAN?
Akama Aka • 10mo ago
nop
DarkDeviL (OP) • 10mo ago
Hm, wait a minute...
Akama Aka • 10mo ago
Okay :0047k3lly_think:
DarkDeviL (OP) • 10mo ago
Are you nmap'ing through IPv4 or IPv6?
Akama Aka • 10mo ago
uhh both but I guess more IPv4 And I also added IPv6 dropping
DarkDeviL (OP) • 10mo ago
Seems like I failed to copy your IPv6 drop rules above (and adjusting etc. in my examples)
Akama Aka • 10mo ago
I just did that:
[root@v6108 ssl]# sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv6" priority=32767 source address="::/0" service name="https" drop'
success
[root@v6108 ssl]# sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv6" priority=32767 source address="::/0" service name="http" drop'
DarkDeviL (OP) • 10mo ago
Do you still have:
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule source ipset="Systemadministration" service name="http" accept'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule source ipset="Systemadministration" service name="https" accept'
?
Akama Aka • 10mo ago
Nop I never added that Because that was just for the Local Servers I've
DarkDeviL (OP) • 10mo ago
It was in the originally posted .txt in #general-discussions though. (But yeah, only holding RFC1918 addresses there)
Akama Aka • 10mo ago
Yes this txt file is idk 1-2 Years old and it still has the same typos :BL_TanaLaugh:
Akama Aka • 10mo ago
It's currently looking like that
[image]
Akama Aka • 10mo ago
Could it be because I added the ports? like firewall-cmd --permanent --add-port=80
DarkDeviL (OP) • 10mo ago
They are not in your list there?
Akama Aka • 10mo ago
It's there:
[image]
DarkDeviL (OP) • 10mo ago
I would somehow suppose these ports override everything, yeah.
Akama Aka • 10mo ago
[image]
Akama Aka • 10mo ago
Hm still saying open
DarkDeviL (OP) • 10mo ago
Still appearing under ports: with that --info-zone command?
Akama Aka • 10mo ago
Strange yes oh nvmd forgot to add permanent :Facepalm: hm but still I also removed the services Ahhhh looks like it's dropping now
DarkDeviL (OP) • 10mo ago
So it seems fine? Cloudflare allowed in, but everything else dropped?
Akama Aka • 10mo ago
Yes
DarkDeviL (OP) • 10mo ago
Great. 🙂
Akama Aka • 10mo ago
[image]
Akama Aka • 10mo ago
Thank you :loveHeartHug:
DarkDeviL (OP) • 10mo ago
Should you want something that logs the HTTP(S) attempts to the above, you can simply add a logging directive with a priority that is lower than 32767, but greater than 1. 🙂
Akama Aka • 10mo ago
Okay thank you ^^
DarkDeviL (OP) • 10mo ago
You're welcome. Glad I could help.
Akama Aka • 10mo ago
Do you know some good courses for firewalld or just the documentation?
DarkDeviL (OP) • 10mo ago
I don't know about any courses, no. Normally I would just stick to the official documentations for things (not specific to firewalld, or any other kind of firewall). And if that somehow fails with the official documentation, I would move on with e.g. Googling the issue, to see if something similar / close enough is popping up.
Akama Aka • 10mo ago
Okay o.o