Home / server / Questions / 1144410
Accepted
huthut28
Asked: 2023-09-25 20:03:31 +0800 CST

Are rich-rules in firewalld applied before or after regular zone rules with a default "DROP" policy?

  • 772

As far as I know, there are 2 main ways to add rules in firewalld, normal "zone" rules and rich-rules. Also, I understand that when we set target="DROP, all new incoming connections will be dropped unless we add rules to allow selected incoming traffic.

I want to ask is there any standard pattern in which the firewalld rules will be applied to an incoming packet when we add new rules using regular zone rules vs rich-rules?

For example, is this the order in which firewalld rules will always be applied:

  1. Normal rules
  2. Rich rules
  3. Default drop policy rule
firewalld

1 Answers

  1. Best Answer

    Rules in firewalld have priorities, and rules are applied so that the one with the lower priority gets evaluated first. If two contradictory rules have the same priority, the outcome is undefined.

    The priorities are:

    • Rich rules have a priority of 0, unless explicitly specified, in which case, they have the specified priority. Priorities can be between -32768 and 32767.
    • Services have a priority of 0.
    • Default zone rules (i.e. specified by --set-target) are processed last.

    So if you have a target=DROP specified for a zone, any contradictory rule negates this. So adding a service or a rich rule will allow the service or rule in question. If you have a service, and a contradictory rich rule with a priority less than zero, the rich rule will have precedence. If a contradictory rich rule has a priority greater that zero, it is a no-op.

    • 2