``` sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" source address="0.0

K

Kasumi•3/21/24, 10:41 PM

Should be. Because it worked once

KKasumi Click to see attachment

D

DarkDeviLOP•3/21/24, 10:42 PM

Since you have the above two DROP rules, it will NEVER get to

LogDenied=all

LogDenied=all

.

DDarkDeviL ``` sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4"...

K

Kasumi•3/21/24, 10:42 PM

Never learned how to enable the logging for it

D

DarkDeviLOP•3/21/24, 10:43 PM

In addition the above mentions, you can also play with the priority, if needed.

K

Kasumi•3/21/24, 10:45 PM

Never used that

D

DarkDeviLOP•3/21/24, 10:45 PM

The same (e.g. the order matters) happens with

iptables -A

iptables -A

iptables -A

iptables -A and

iptables -I [optional_position]

iptables -I [optional_position]

iptables -I [optional_position]

iptables -I [optional_position].

If you already have a previous rule matching, then appending with

iptables -A

iptables -A

iptables -A

iptables -A, the new rule you add would never match, you would need

iptables -I [optional_position]

iptables -I [optional_position]

iptables -I [optional_position]

iptables -I [optional_position] to insert it before the previous rule.

K

Kasumi•3/21/24, 10:45 PM

Do I need to remove all ingress rules or can I re place then

K

Kasumi•3/21/24, 10:46 PM

Its like that rn

K

Kasumi•3/21/24, 10:48 PM

In the offline one it looks like that

D

DarkDeviLOP•3/21/24, 10:50 PM

Assuming you want logging for the two DROP rules you have, you could try something like:

sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" service name="http" log prefix="HTTP-/080-DROP: " drop'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" service name="https" log prefix="HTTPS/443-DROP: " drop'

sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" service name="http" log prefix="HTTP-/080-DROP: " drop'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" service name="https" log prefix="HTTPS/443-DROP: " drop'

sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" service name="http" log prefix="HTTP-/080-DROP: " drop'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" service name="https" log prefix="HTTPS/443-DROP: " drop'

sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" service name="http" log prefix="HTTP-/080-DROP: " drop'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" service name="https" log prefix="HTTPS/443-DROP: " drop'

K

Kasumi•3/21/24, 10:51 PM

okay

D

DarkDeviLOP•3/21/24, 10:51 PM

At this point, I'm not sure if "/" is an acceptable character there though.

D

DarkDeviLOP•3/21/24, 10:51 PM

However:

K

Kasumi•3/21/24, 10:51 PM

but I have to remove the accept ones and drop ones and add them new=

KKasumi Click to see attachment

D

DarkDeviLOP•3/21/24, 10:52 PM

Stuff like what you see here: "filter_IN_dmz_REJECT"

D

DarkDeviLOP•3/21/24, 10:52 PM

HTTP-/080-DROP:

HTTP-/080-DROP:

HTTP-/080-DROP:

HTTP-/080-DROP: and

HTTPS/443-DROP:

HTTPS/443-DROP:

HTTPS/443-DROP:

HTTPS/443-DROP: will literally be the tag in the above example

D

DarkDeviLOP•3/21/24, 10:52 PM

The

-/080

-/080

-/080

-/080 is just an example for alignment purposes, so they have the same length...

K

Kasumi•3/21/24, 10:53 PM

okay

D

DarkDeviLOP•3/21/24, 10:53 PM

If the

complains, you can name them

INSECURE-HTTP-DROP

INSECURE-HTTP-DROP

INSECURE-HTTP-DROP

INSECURE-HTTP-DROP and

SECURE-HTTP-DROP

SECURE-HTTP-DROP

SECURE-HTTP-DROP

SECURE-HTTP-DROP/

SECURE-HTTPS-DROP

SECURE-HTTPS-DROP

SECURE-HTTPS-DROP

SECURE-HTTPS-DROP instead or whatever you prefer.

K

Kasumi•3/21/24, 10:54 PM

Okay so I can just paste it and remove the old drops?

D

DarkDeviLOP•3/21/24, 10:54 PM

Yes.

K

Kasumi•3/21/24, 10:54 PM

Okay

K

Kasumi•3/21/24, 10:54 PM

I'll try

K

Kasumi•3/21/24, 10:59 PM

Should I replace the Cloudflare IPSet and accept rules in the one file to the top and everything to the bottom?

K

Kasumi•3/21/24, 10:59 PM

dont want to remove everything :gx_laugh:

D

DarkDeviLOP•3/21/24, 11:00 PM

But again, my suspicion it would be the order of priority that makes it all fall apart.

sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" priority=1 source ipset="Cloudflarev4" service name="https" accept'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv6" priority=1 source ipset="Cloudflarev6" service name="https" accept'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" priority=1 source ipset="Cloudflarev4" service name="http" accept'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv6" priority=1 source ipset="Cloudflarev6" service name="http" accept'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" priority=32767 source address="0.0.0.0/0" service name="http" drop'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" priority=32767 source address="0.0.0.0/0" service name="https" drop'

sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" priority=1 source ipset="Cloudflarev4" service name="https" accept'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv6" priority=1 source ipset="Cloudflarev6" service name="https" accept'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" priority=1 source ipset="Cloudflarev4" service name="http" accept'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv6" priority=1 source ipset="Cloudflarev6" service name="http" accept'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" priority=32767 source address="0.0.0.0/0" service name="http" drop'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" priority=32767 source address="0.0.0.0/0" service name="https" drop'

sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" priority=1 source ipset="Cloudflarev4" service name="https" accept'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv6" priority=1 source ipset="Cloudflarev6" service name="https" accept'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" priority=1 source ipset="Cloudflarev4" service name="http" accept'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv6" priority=1 source ipset="Cloudflarev6" service name="http" accept'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" priority=32767 source address="0.0.0.0/0" service name="http" drop'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" priority=32767 source address="0.0.0.0/0" service name="https" drop'

sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" priority=1 source ipset="Cloudflarev4" service name="https" accept'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv6" priority=1 source ipset="Cloudflarev6" service name="https" accept'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" priority=1 source ipset="Cloudflarev4" service name="http" accept'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv6" priority=1 source ipset="Cloudflarev6" service name="http" accept'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" priority=32767 source address="0.0.0.0/0" service name="http" drop'
sudo firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" priority=32767 source address="0.0.0.0/0" service name="https" drop'

MIGHT be able to fix that, if you insist on the two drop rules.

C

Cyb3r-Jak3•3/21/24, 11:00 PM

Could this pleased be moved to a thread.

CCyb3r-Jak3 Could this pleased be moved to a thread.

K

Kasumi•3/21/24, 11:00 PM

:thumbsUpYesAbsolutely:

CCyb3r-Jak3 Could this pleased be moved to a thread.

D

DarkDeviLOP•3/21/24, 11:01 PM

I was actually thinking myself to suggest we moved it to #off-topic, as it is somewhat more firewall than Cloudflare now, but I'll

on thread too.

E

Erisa•3/21/24, 11:18 PM

Thread is fine, no need for off-topic

K

Kasumi•3/21/24, 11:18 PM

Yes

R

Ray•3/21/24, 11:25 PM

K

Kasumi•3/21/24, 11:25 PM

Soon

A

addison•3/22/24, 4:37 AM

any reason why a video proxied from b2 to cloudflare would not let you seek?

P

Pato•3/22/24, 10:57 AM

how will older devices be affected by let's encrypt upcoming change? like suppose I am using an app that connects to an API that uses that certificate. what will happen?

Original message was deleted

P

Pato•3/22/24, 11:19 AM

so connection will be terminated

Original message was deleted

P

Pato•3/22/24, 11:20 AM

or not terminated but just not be established even

PPato or not terminated but just not be established even

H

Hello, I’m Allie!•3/22/24, 11:20 AM

It won't be established at all