Hi Chris,

I know the minimum about firewalld, but here's some random info that might help.

I glanced at those "rich rules" to do "something special" and I got the collywobbles. A simpler thing is "direct". In the firewalld::direct puppet module (and in firewalld in general) there is the idea of "direct" rules, which you just inject straight in, no nonsense. It lets you do anything you like (with the associated risks attached). So the config looks the same as iptables.

https://firewalld.org/documentation/man-pages/firewalld.direct.html

So I put direct firewalld constraints in puppet/hiera. Perhaps if an RPM upgrade overwrites it, then puppet would "overwrite it back" after a while? And yes, I can see possible problems over that... hence you have to step over those crevasses carefully.

Anyway, you can use a "direct" hack to configure your perfsonar box just as it would be in iptables. BTW: we don't use it for that; I use it to put in permanent NAT rules. Here's a piece of Hiera YAML that shows it. The syntax is quite familiar.

    classes:
      - firewalld::direct
    ...
    firewalld::direct::rules:
      - ipv: "ipv4"
        table: "nat"
        chain: "OUTPUT"
        priority: "0"
        args: " -d 138.253.178.105/32 -j DNAT --to-destination 192.168.178.105 "
      - ipv: "ipv4"
        table: "nat"
        chain: "OUTPUT"
        priority: "0"
        args: " -d 138.253.178.106/32 -j DNAT --to-destination 192.168.178.106 "
    ...

Cheers,
Ste

On 11/10/18 09:33, Chris Brew - UKRI STFC wrote:
> Hi All,
>
> Does anyone have a recipe for permanently modifying the firewall rules on their PerfSONAR boxes?
>
> I’d like to restrict the ssh to local networks and open it up to our monitoring systems, but the only help in the PerfSONAR docs <https://docs.perfsonar.net/manage_security.html> is:
>
> For operating systems using firewalld (e.g. CentOS 7) it organizes the rules into “zones” and makes it more difficult to distinguish perfSONAR rules from custom rules. If you add a standard service to the zone it will get overwritten next time perfsonar-toolkit-security upgrades. We recommend looking at firewalld rich rules <https://fedoraproject.org/wiki/Features/FirewalldRichLanguage> for adding custom rules.
>
> And I haven’t yet had a chance to get my head round firewalld (it’s on my todo list; I expect to get to it sometime after I retire, if nothing else comes up in the meantime).
>
> Yours,
> Chris.
>
> ########################################################################
>
> To unsubscribe from the TB-SUPPORT list, click the following link:
> https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=TB-SUPPORT&A=1

-- 
Steve Jones                             [log in to unmask]
Grid System Administrator               office: 220
High Energy Physics Division            tel (int): 43396
Oliver Lodge Laboratory                 tel (ext): +44 (0)151 794 3396
University of Liverpool                 http://www.liv.ac.uk/physics/hep/
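The script below is an added example, not code from either poster, from the firewalld::direct module, or from perfSONAR. It applies Ste's "direct rules" suggestion to Chris's actual requirement: ssh reachable only from local networks and the monitoring hosts. Direct rules are handed to iptables verbatim, so the match syntax is the familiar one. In firewalld's iptables backend they land in the INPUT_direct chain, which INPUT consults before the zone chains (and after its RELATED,ESTABLISHED accept), so a direct REJECT on port 22 overrides the ssh service the toolkit puts in its zone without cutting off sessions that are already open. Permanent direct rules are stored in /etc/firewalld/direct.xml; whether a perfsonar-toolkit-security upgrade leaves that file alone is the question the thread does not settle, which is why the script can also emit the same policy as a Hiera fragment for the firewalld::direct module, in the key layout Ste's YAML uses. The addresses passed in are constructed placeholders, IPv4 only (an IPv6 policy needs a parallel set of rules with ipv "ipv6"), and port 22 is assumed.

```shell
#!/bin/sh
# Added example (not from the original thread or perfSONAR): generate or
# apply firewalld "direct" rules that restrict ssh to a list of source
# networks. Run with DRY_RUN=1 (the default) to print the firewall-cmd
# invocations; DRY_RUN=0 executes them on the host.
#
#   sh ssh_direct.sh 10.0.0.0/8 192.0.2.10/32        # print, review
#   DRY_RUN=0 sh ssh_direct.sh 10.0.0.0/8 192.0.2.10/32   # apply
#
# The source ranges are whatever the caller passes; the ones in the
# comments above are constructed examples, not real site addresses.

DRY_RUN="${DRY_RUN:-1}"

# Print the command under DRY_RUN, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One ACCEPT per allowed source at priority 0, then a catch-all REJECT at
# priority 1. firewalld orders direct rules within a chain by priority
# (lower numbers first), so every allowed network is matched before the
# REJECT regardless of the order the commands were issued in. Only NEW
# connections are tested; established sessions were already accepted
# higher up firewalld's INPUT chain.
ssh_direct_rules() {
    for src in "$@"; do
        run firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 \
            -p tcp --dport 22 -s "$src" -m conntrack --ctstate NEW -j ACCEPT
    done
    run firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 \
        -p tcp --dport 22 -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
    run firewall-cmd --reload
}

# The same policy as Hiera data for the firewalld::direct Puppet module,
# using the keys from the YAML in the mail (ipv, table, chain, priority,
# args). args is quoted so its leading '-' is not read as YAML syntax.
ssh_direct_hiera() {
    printf 'firewalld::direct::rules:\n'
    for src in "$@"; do
        printf '  - ipv: "ipv4"\n    table: "filter"\n    chain: "INPUT"\n    priority: "0"\n'
        printf '    args: " -p tcp --dport 22 -s %s -m conntrack --ctstate NEW -j ACCEPT "\n' "$src"
    done
    printf '  - ipv: "ipv4"\n    table: "filter"\n    chain: "INPUT"\n    priority: "1"\n'
    printf '    args: " -p tcp --dport 22 -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset "\n'
}

# Number of --add-rule commands the policy produces (allowed sources + 1).
rule_count() {
    ssh_direct_rules "$@" | grep -c -- '--add-rule'
}

# When invoked with source ranges on the command line, print or apply the
# policy; with no arguments do nothing, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    ssh_direct_rules "$@"
fi
```

After applying, `firewall-cmd --permanent --direct --get-all-rules` lists exactly what was added, and `iptables -nvL INPUT_direct` shows the live chain with packet counters, which is the quickest way to confirm that a test connection from a disallowed address is hitting the REJECT rather than the zone's ssh service. Apply it from a console or from an address inside one of the allowed ranges, since a typo in a range will reject the next login attempt from wherever you are.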