How to Allow All Ports for a Specific IP in Firewalld on RHEL 7

When working with RHEL 7's firewalld, you might encounter situations where you need to grant a specific IP address unrestricted access to all TCP ports. The challenge comes when trying to implement this using rich rules, as the wildcard (*) port syntax isn't directly supported.

The command you tried:

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="64.39.96.0/20" port protocol="tcp" port="*" accept'

fails because firewalld's rich rule syntax does not accept a wildcard in the port element. The port attribute takes a single port number or a range such as 1024-2048; to match every port, leave the port element out of the rule altogether.

Here are three effective approaches to solve this requirement:

Method 1: Using a Direct Rule

The most straightforward way is to use firewalld's direct interface:

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -s 64.39.96.0/20 -j ACCEPT
firewall-cmd --reload

This bypasses firewalld's zone abstraction and inserts a plain iptables rule into the INPUT_direct chain, which firewalld evaluates before any zone rules. Direct rules are not shown by firewall-cmd --list-all; list them with firewall-cmd --permanent --direct --get-all-rules or with iptables itself.

Method 2: Creating a Custom Zone

A more firewalld-native approach is a dedicated zone whose target is ACCEPT. A source can be bound to only one zone at a time, so the range must not already be attached to another zone when you add it here:

firewall-cmd --permanent --new-zone=trusted_ip
firewall-cmd --permanent --zone=trusted_ip --add-source=64.39.96.0/20
firewall-cmd --permanent --zone=trusted_ip --set-target=ACCEPT
firewall-cmd --reload

Method 3: Multiple Rich Rules (for specific port ranges)

If you must stay with rich rules, give the range explicitly. Note that 1-65535 covers every port, so the two rules below are equivalent to omitting the port element; narrow the range wherever you can:

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="64.39.96.0/20" port port="1-65535" protocol="tcp" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="64.39.96.0/20" port port="1-65535" protocol="udp" accept'
firewall-cmd --reload

After implementing any of these solutions, confirm the result (use --zone=trusted_ip instead of public if you chose Method 2):

firewall-cmd --list-all --zone=public
# Direct rules (Method 1) are not shown by --list-all; check iptables instead:
iptables -L -n -v | grep 64.39.96.0/20

While opening all ports might be necessary in some scenarios (like internal networks or VPN connections), consider:

  • Using more restrictive ranges when possible
  • Implementing additional security measures (like fail2ban)
  • Regularly reviewing these rules
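Reviewing these rules regularly is easier when the review is scripted. The following is an added example and not code from the original page: two small awk filters that read the output format of firewall-cmd --list-rich-rules and firewall-cmd --permanent --direct --get-all-rules and print the source networks that are allowed through on every port. The sample lines embedded below are constructed for the example; on a real host you would pipe the live commands into the same functions.

```shell
#!/bin/sh
# Added example, not from the original page: flag firewalld rules that let a
# source network in on every port. Input lines are constructed samples in the
# format of `firewall-cmd --list-rich-rules` and
# `firewall-cmd --permanent --direct --get-all-rules`.

# Print the source network of each rich rule that accepts traffic without a
# service or port restriction, or with the full 1-65535 range.
broad_rich_rules() {
    awk '
        /accept/ && match($0, /source address="[^"]*"/) {
            # strip the `source address="` prefix and the closing quote
            src = substr($0, RSTART + 16, RLENGTH - 17)
            if ($0 !~ /(service name=|port port=)/ || $0 ~ /port port="1-65535"/)
                print src
        }'
}

# Print the source of each direct INPUT rule that jumps to ACCEPT with no
# destination-port match (-s X ... -j ACCEPT and no --dport/--dports).
broad_direct_rules() {
    awk '
        $1 == "ipv4" && $2 == "filter" && $3 == "INPUT" {
            src = ""; accept = 0; dport = 0
            for (i = 5; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
                if ($i == "--dport" || $i == "--dports") dport = 1
            }
            if (src != "" && accept && !dport) print src
        }'
}

# Constructed sample output (not captured from a real host).
SAMPLE_RICH='rule family="ipv4" source address="64.39.96.0/20" accept
rule family="ipv4" source address="10.0.0.0/8" service name="ssh" accept
rule family="ipv4" source address="192.0.2.0/24" port port="1-65535" protocol="tcp" accept
rule family="ipv4" source address="198.51.100.7" port port="443" protocol="tcp" accept
rule family="ipv4" source address="203.0.113.0/24" drop'

SAMPLE_DIRECT='ipv4 filter INPUT 0 -s 64.39.96.0/20 -j ACCEPT
ipv4 filter INPUT 1 -s 10.1.2.0/24 -p tcp --dport 8080 -j ACCEPT
ipv4 filter INPUT 2 -s 203.0.113.9 -j DROP'

# Run the filters over the samples; on a live system replace the printf with
#   firewall-cmd --zone=public --list-rich-rules | broad_rich_rules
#   firewall-cmd --permanent --direct --get-all-rules | broad_direct_rules
audit_sample_rich()   { printf '%s\n' "$SAMPLE_RICH"   | broad_rich_rules; }
audit_sample_direct() { printf '%s\n' "$SAMPLE_DIRECT" | broad_direct_rules; }
```

Against the samples, audit_sample_rich reports 64.39.96.0/20 (no port or service element) and 192.0.2.0/24 (full range), while the ssh-only and 443-only rules are left alone; audit_sample_direct reports only the direct rule that has no --dport match.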

When trying to open all ports to a specific IP range using firewalld on RHEL 7, many administrators hit a roadblock with the wildcard (*) port syntax. The error occurs because the port element of a rich rule accepts only a port number or a range, never a wildcard.

Firewalld handles port access differently from traditional iptables. Instead of opening all ports explicitly, we need to:

  • Create a rule that matches all traffic from the specified IP
  • Omit port restrictions entirely for that source
  • Apply the rule to the appropriate zone

Here's the correct command to allow all traffic from a specific IP range without port restrictions:

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="64.39.96.0/20" accept'
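The rich rule just shown and the custom-zone method described earlier are both easy to get subtly wrong by hand (a mistyped prefix length silently widens the range). The following is an added example, not code from the original page: shell functions that validate the source network before issuing any firewall-cmd call, build the port-less rich rule, and apply either that rule or the dedicated-zone variant. It assumes firewall-cmd is on PATH when run for real; with DRY_RUN=1 the commands are printed instead of executed, so it can be tried on any host without root.

```shell
#!/bin/sh
# Added example, not from the original page: wrap the firewall-cmd steps in
# functions that validate the source network before touching the firewall.
# Assumptions: firewall-cmd is on PATH when DRY_RUN is unset; DRY_RUN=1
# prints each command instead of running it.

# Return 0 if $1 looks like a valid IPv4 CIDR (a.b.c.d/0-32), else 1.
valid_ipv4_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 5 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            if ($5 !~ /^[0-9]+$/ || $5 > 32) exit 1
            exit 0
        }'
}

# Rich rule with no port element: firewalld then matches every port and
# protocol, which is what the rejected port="*" attempt was trying to say.
rich_rule_for_source() {
    printf 'rule family="ipv4" source address="%s" accept' "$1"
}

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept all traffic from network $2 in zone $1 via a single rich rule.
# Returns 2 on a malformed CIDR without running anything.
allow_source_all_ports() {
    zone=$1 cidr=$2
    valid_ipv4_cidr "$cidr" || { echo "invalid IPv4 CIDR: $cidr" >&2; return 2; }
    run firewall-cmd --permanent --zone="$zone" \
        --add-rich-rule="$(rich_rule_for_source "$cidr")" || return $?
    run firewall-cmd --reload
}

# Same outcome via a dedicated zone whose target is ACCEPT (the custom-zone
# method). A source may be bound to only one zone, so a CIDR already attached
# elsewhere must be removed from that zone first.
allow_source_via_zone() {
    zone=$1 cidr=$2
    valid_ipv4_cidr "$cidr" || { echo "invalid IPv4 CIDR: $cidr" >&2; return 2; }
    run firewall-cmd --permanent --new-zone="$zone" || return $?
    run firewall-cmd --permanent --zone="$zone" --add-source="$cidr" || return $?
    run firewall-cmd --permanent --zone="$zone" --set-target=ACCEPT || return $?
    run firewall-cmd --reload
}

# Usage: source this file, then e.g.
#   DRY_RUN=1 allow_source_all_ports public 64.39.96.0/20
#   DRY_RUN=1 allow_source_via_zone trusted_ip 64.39.96.0/20
```

With DRY_RUN=1 the first call prints the --add-rich-rule command followed by --reload, the second prints the four commands of the zone method, and a malformed network such as 64.39.96.0 (no prefix length) is rejected before any command is built.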

After applying the rule:

# Reload firewall
firewall-cmd --reload

# Verify the rule (list-rich-rules defaults to the default zone, so name the zone explicitly)
firewall-cmd --zone=public --list-rich-rules

For more granular control, bind the source to the zone and open only the services that zone actually needs rather than every port. Services added to a zone apply to every source bound to it, not only to this range:

# Alternative approach using services (ssh and https are examples; "any-service" is not a valid firewalld service name)
firewall-cmd --permanent --zone=public --add-source=64.39.96.0/20
firewall-cmd --permanent --zone=public --add-service=ssh
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload

While opening all ports might be necessary in some scenarios, consider:

  • Using more specific port ranges when possible
  • Combining with IPSec or VPN solutions for sensitive environments
  • Implementing additional monitoring for the allowed IP range