FirewallD and trusted IP addresses

Danila Vershinin
Jul 10

FirewallD organizes its rules into zones, and it ships with several predefined ones (public, trusted, drop, block and so on).

When you need to whitelist a particular IP address and label it as “trusted” on the system, the trusted zone is the one to work with. Its target is ACCEPT: every connection from a source bound to it is allowed, regardless of the rules in any other zone, so only put addresses there that you really do trust completely.

FirewallD also has good support for ipsets. An ipset stores many addresses or networks in a kernel hash table, so a large whitelist costs one lookup instead of one firewall rule per address.

Combining the two, we can whitelist many IP addresses in a clean and efficient way:

First, create two ipsets, one for IPv4 and one for IPv6 (an ipset holds a single address family, so you need a separate set for each). The type hash:net accepts both single addresses and CIDR networks, and maxelem=256 caps each set at 256 entries:

firewall-cmd --permanent --new-ipset=whitelist4 --type=hash:net --option=maxelem=256 --option=family=inet --option=hashsize=4096
firewall-cmd --permanent --new-ipset=whitelist6 --type=hash:net --option=maxelem=256 --option=family=inet6 --option=hashsize=4096

Next, bind both sets to the trusted zone as sources, so that any client matching an entry in either set is handled by that zone:

firewall-cmd --permanent --zone=trusted --add-source=ipset:whitelist4
firewall-cmd --permanent --zone=trusted --add-source=ipset:whitelist6

Whitelist an address (or a CIDR network, since the sets are hash:net) and apply your changes. Every command so far was --permanent only, so nothing is in effect until the reload:

firewall-cmd --ipset=whitelist4 --add-entry=1.2.3.4 --permanent
firewall-cmd --reload
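The procedure above as one script, added here as an example and not code from the original post. It uses the set names, zone and maxelem value the post uses; the helper names, the DRY_RUN switch and the skip-existing-set check are this example's own assumptions. It goes a step beyond the post by deciding the address family of each entry before adding it (an IPv6 address cannot be stored in an inet set, so firewalld rejects it), refusing a batch larger than maxelem, and listing the runtime state after the reload so you can confirm the sources actually landed in the trusted zone.

```shell
#!/bin/sh
# Added example (not code from the original post): wrap the FirewallD ipset
# whitelist procedure in a script that sorts each address into the right
# family-specific set, refuses anything that is not an IP literal, and shows
# the runtime state after the reload. Set names, zone and maxelem are the
# post's; DRY_RUN, apply() and the helper names are assumptions of this example.

SET4=whitelist4
SET6=whitelist6
ZONE=trusted
MAXELEM=256   # matches --option=maxelem=256 used when the sets were created

# Print the ipset an address (optionally with a /prefix) belongs to.
# Only the family is decided here; firewall-cmd still validates the literal.
# Fails for anything that is neither an IPv4 nor an IPv6 literal.
family_set() {
    addr=${1%%/*}                        # drop a CIDR prefix, if present
    case "$addr" in
        *:*)          echo "$SET6" ;;    # IPv6 literals contain colons
        ""|*[!0-9.]*) return 1 ;;        # empty, hostname, or junk
        *)            echo "$SET4" ;;
    esac
}

# The one-time setup from the post: two sets, each bound to the trusted zone.
bootstrap_cmds() {
    echo "firewall-cmd --permanent --new-ipset=$SET4 --type=hash:net --option=maxelem=$MAXELEM --option=family=inet --option=hashsize=4096"
    echo "firewall-cmd --permanent --new-ipset=$SET6 --type=hash:net --option=maxelem=$MAXELEM --option=family=inet6 --option=hashsize=4096"
    echo "firewall-cmd --permanent --zone=$ZONE --add-source=ipset:$SET4"
    echo "firewall-cmd --permanent --zone=$ZONE --add-source=ipset:$SET6"
}

# Print one permanent --add-entry command per address, dispatched by family.
# Invalid addresses are reported on stderr and skipped; the exit status is
# non-zero if any were skipped or if the batch alone would overflow maxelem
# (entries already present in the set are not counted here).
whitelist_cmds() {
    if [ "$#" -gt "$MAXELEM" ]; then
        echo "refusing $# entries: sets were created with maxelem=$MAXELEM" >&2
        return 1
    fi
    rc=0
    for a in "$@"; do
        if ipset_name=$(family_set "$a"); then
            echo "firewall-cmd --permanent --ipset=$ipset_name --add-entry=$a"
        else
            echo "skip: not an IP address: $a" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Run everything when firewall-cmd is available and DRY_RUN is unset;
# otherwise just print the commands. Set creation is skipped when the set
# already exists (--new-ipset fails on a name conflict), and the runtime
# state is listed after --reload so the operator can see the change applied.
apply() {
    if [ -n "${DRY_RUN:-}" ] || ! command -v firewall-cmd >/dev/null 2>&1; then
        bootstrap_cmds
        whitelist_cmds "$@"
        echo "firewall-cmd --reload"
        return
    fi
    if ! firewall-cmd --permanent --get-ipsets | tr ' ' '\n' | grep -qx "$SET4"; then
        bootstrap_cmds | sh -e
    fi
    whitelist_cmds "$@" | sh -e
    firewall-cmd --reload
    firewall-cmd --zone="$ZONE" --list-sources
    firewall-cmd --ipset="$SET4" --get-entries
    firewall-cmd --ipset="$SET6" --get-entries
}

# Invoked as a script with addresses: apply them. Loaded with no arguments: do nothing.
[ "$#" -eq 0 ] || apply "$@"
```

Run it as `sh whitelist.sh 1.2.3.4 2001:db8::/32` on the firewall host, or with `DRY_RUN=1` anywhere to see the exact firewall-cmd lines it would execute. The --list-sources and --get-entries output at the end is the check worth keeping: if the sources do not show up under the trusted zone after the reload, the permanent configuration was never applied.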

Originally published at GetPageSpeed.
