using firewalld and firewall-cmd how to add-rule to primary INPUT chain not INPUT_direct
so after reading the firewalld man page and fedora documentation, I have come to the understanding that to add a custom rule to firewall with specific arguements i need to use the structure
firewall-cmd [--permanent] --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>
what I am specifically trying to do is create a custom rule with geoip matching to block out all countries that don't originate from the US. Before I do this i need to first add a matching rule that allows access from my local network as I am controlling the server through ssh on a local private network, so I add a rule like so
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -s 192.168.0.0/24 -j ACCEPT
i then add a second rule like so
firewall-cmd --direct --add-rule ipv4 filter INPUT 1 -m geoip ! --src-cc US -j DROP
these add to the input chain, but add under a sub-chain called INPUT_direct, this sub-chain is listed in the generic unchanged INPUT rules list as 3rd and a quick
iptables -L INPUT
shows the INPUT chain as this
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
and the INPUT_direct as
Chain INPUT_direct (1 references)
target prot opt source destination
ACCEPT all -- 192.168.0.0/24 anywhere
DROP all -- anywhere anywhere -m geoip ! --source-country US
this may work for some, but if i run
ping france.fr
I get as a result
PING france.fr (46.18.192.148) 56(84) bytes of data.
64 bytes from ns1-sgg.produhost.net (46.18.192.148): icmp_seq=1 ttl=52 time=136 ms
64 bytes from ns1-sgg.produhost.net (46.18.192.148): icmp_seq=2 ttl=52 time=135 ms
64 bytes from ns1-sgg.produhost.net (46.18.192.148): icmp_seq=3 ttl=52 time=136 ms
this is more than likely due to the INPUT rule #1
iptables -L INPUT 1
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
I realize that I could just simply apply the same custom ruleset to the OUTPUT chain and block out the ping request to france.fr or anything external to the US, but how could I add the ruleset to base INPUT chain so
iptables -L INPUT
shows this instead
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.0.0/24 anywhere
DROP all -- anywhere anywhere -m geoip ! --source-country US
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
I ask this because I feel like what I want instead of what is the result of the firewall-cmd is a bit more secure, am I wrong? I would like to keep the firewall being controlled by firewalld instead of dropping firewalld and reverting back to iptables for better future integration and possible deprecation issues, so is this even possible with firewalld, or am I going to be forced to run a custom script at boot up that includes
iptables -I INPUT 1 -s 192.168.0.0/24 -j ACCEPT
iptables -I INPUT 2 -m geoip ! --src-cc US -j DROP
and if that is the option where do I place this script?
networking command-line fedora iptables firewalld
asked Oct 7 '15 at 18:24
Chris
1116
add a comment |
so after reading the firewalld man page and fedora documentation, I have come to the understanding that to add a custom rule to firewall with specific arguements i need to use the structure
firewall-cmd [--permanent] --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>
what I am specifically trying to do is create a custom rule with geoip matching to block out all countries that don't originate from the US. Before I do this i need to first add a matching rule that allows access from my local network as I am controlling the server through ssh on a local private network, so I add a rule like so
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -s 192.168.0.0/24 -j ACCEPT
i then add a second rule like so
firewall-cmd --direct --add-rule ipv4 filter INPUT 1 -m geoip ! --src-cc US -j DROP
these add to the input chain, but add under a sub-chain called INPUT_direct, this sub-chain is listed in the generic unchanged INPUT rules list as 3rd and a quick
iptables -L INPUT
shows the INPUT chain as this
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
and the INPUT_direct as
Chain INPUT_direct (1 references)
target prot opt source destination
ACCEPT all -- 192.168.0.0/24 anywhere
DROP all -- anywhere anywhere -m geoip ! --source-country US
this may work for some, but if i run
ping france.fr
I get as a result
PING france.fr (46.18.192.148) 56(84) bytes of data.
64 bytes from ns1-sgg.produhost.net (46.18.192.148): icmp_seq=1 ttl=52 time=136 ms
64 bytes from ns1-sgg.produhost.net (46.18.192.148): icmp_seq=2 ttl=52 time=135 ms
64 bytes from ns1-sgg.produhost.net (46.18.192.148): icmp_seq=3 ttl=52 time=136 ms
this is more than likely due to the INPUT rule #1
iptables -L INPUT 1
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
I realize that I could just simply apply the same custom ruleset to the OUTPUT chain and block out the ping request to france.fr or anything external to the US, but how could I add the ruleset to base INPUT chain so
iptables -L INPUT
shows this instead
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.0.0/24 anywhere
DROP all -- anywhere anywhere -m geoip ! --source-country US
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
I ask this because I feel like what I want instead of what is the result of the firewall-cmd is a bit more secure, am I wrong? I would like to keep the firewall being controlled by firewalld instead of dropping firewalld and reverting back to iptables for better future integration and possible deprecation issues, so is this even possible with firewalld, or am I going to be forced to run a custom script at boot up that includes
iptables -I INPUT 1 -s 192.168.0.0/24 -j ACCEPT
iptables -I INPUT 2 -m geoip ! --src-cc US -j DROP
and if that is the option where do I place this script?
networking command-line fedora iptables firewalld
asked Oct 7 '15 at 18:24
Chris
1116
add a comment |
so after reading the firewalld man page and fedora documentation, I have come to the understanding that to add a custom rule to firewall with specific arguements i need to use the structure
firewall-cmd [--permanent] --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>
what I am specifically trying to do is create a custom rule with geoip matching to block out all countries that don't originate from the US. Before I do this i need to first add a matching rule that allows access from my local network as I am controlling the server through ssh on a local private network, so I add a rule like so
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -s 192.168.0.0/24 -j ACCEPT
i then add a second rule like so
firewall-cmd --direct --add-rule ipv4 filter INPUT 1 -m geoip ! --src-cc US -j DROP
these add to the input chain, but add under a sub-chain called INPUT_direct, this sub-chain is listed in the generic unchanged INPUT rules list as 3rd and a quick
iptables -L INPUT
shows the INPUT chain as this
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
and the INPUT_direct as
Chain INPUT_direct (1 references)
target prot opt source destination
ACCEPT all -- 192.168.0.0/24 anywhere
DROP all -- anywhere anywhere -m geoip ! --source-country US
this may work for some, but if i run
ping france.fr
I get as a result
PING france.fr (46.18.192.148) 56(84) bytes of data.
64 bytes from ns1-sgg.produhost.net (46.18.192.148): icmp_seq=1 ttl=52 time=136 ms
64 bytes from ns1-sgg.produhost.net (46.18.192.148): icmp_seq=2 ttl=52 time=135 ms
64 bytes from ns1-sgg.produhost.net (46.18.192.148): icmp_seq=3 ttl=52 time=136 ms
this is more than likely due to the INPUT rule #1
iptables -L INPUT 1
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
I realize that I could just simply apply the same custom ruleset to the OUTPUT chain and block out the ping request to france.fr or anything external to the US, but how could I add the ruleset to base INPUT chain so
iptables -L INPUT
shows this instead
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.0.0/24 anywhere
DROP all -- anywhere anywhere -m geoip ! --source-country US
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
I ask this because I feel like what I want instead of what is the result of the firewall-cmd is a bit more secure, am I wrong? I would like to keep the firewall being controlled by firewalld instead of dropping firewalld and reverting back to iptables for better future integration and possible deprecation issues, so is this even possible with firewalld, or am I going to be forced to run a custom script at boot up that includes
iptables -I INPUT 1 -s 192.168.0.0/24 -j ACCEPT
iptables -I INPUT 2 -m geoip ! --src-cc US -j DROP
and if that is the option where do I place this script?
networking command-line fedora iptables firewalld
asked Oct 7 '15 at 18:24
Chris
1116
so after reading the firewalld man page and fedora documentation, I have come to the understanding that to add a custom rule to firewall with specific arguements i need to use the structure
firewall-cmd [--permanent] --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>
what I am specifically trying to do is create a custom rule with geoip matching to block out all countries that don't originate from the US. Before I do this i need to first add a matching rule that allows access from my local network as I am controlling the server through ssh on a local private network, so I add a rule like so
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -s 192.168.0.0/24 -j ACCEPT
i then add a second rule like so
firewall-cmd --direct --add-rule ipv4 filter INPUT 1 -m geoip ! --src-cc US -j DROP
these add to the input chain, but add under a sub-chain called INPUT_direct, this sub-chain is listed in the generic unchanged INPUT rules list as 3rd and a quick
iptables -L INPUT
shows the INPUT chain as this
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
and the INPUT_direct as
Chain INPUT_direct (1 references)
target prot opt source destination
ACCEPT all -- 192.168.0.0/24 anywhere
DROP all -- anywhere anywhere -m geoip ! --source-country US
this may work for some, but if i run
ping france.fr
I get as a result
PING france.fr (46.18.192.148) 56(84) bytes of data.
64 bytes from ns1-sgg.produhost.net (46.18.192.148): icmp_seq=1 ttl=52 time=136 ms
64 bytes from ns1-sgg.produhost.net (46.18.192.148): icmp_seq=2 ttl=52 time=135 ms
64 bytes from ns1-sgg.produhost.net (46.18.192.148): icmp_seq=3 ttl=52 time=136 ms
this is more than likely due to the INPUT rule #1
iptables -L INPUT 1
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
I realize that I could just simply apply the same custom ruleset to the OUTPUT chain and block out the ping request to france.fr or anything external to the US, but how could I add the ruleset to base INPUT chain so
iptables -L INPUT
shows this instead
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.0.0/24 anywhere
DROP all -- anywhere anywhere -m geoip ! --source-country US
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
I ask this because I feel like what I want instead of what is the result of the firewall-cmd is a bit more secure, am I wrong? I would like to keep the firewall being controlled by firewalld instead of dropping firewalld and reverting back to iptables for better future integration and possible deprecation issues, so is this even possible with firewalld, or am I going to be forced to run a custom script at boot up that includes
iptables -I INPUT 1 -s 192.168.0.0/24 -j ACCEPT
iptables -I INPUT 2 -m geoip ! --src-cc US -j DROP
and if that is the option where do I place this script?
networking command-line fedora iptables firewalld
networking command-line fedora iptables firewalld
asked Oct 7 '15 at 18:24
Chris
1116
asked Oct 7 '15 at 18:24
Chris
1116
asked Oct 7 '15 at 18:24
Chris
1116
asked Oct 7 '15 at 18:24
Chris
1116
asked Oct 7 '15 at 18:24
Chris
1116
1116
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
at the moment the best way to effectuate this is to just do exactly what i had proposed which is to not only add the incoming drop rule but also add the outgoing drop so the commands would be
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -s 192.168.0.0/24 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -m geoip ! --src-cc US -j DROP
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -d 192.168.0.0/24 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -m geoip ! --dst-cc US -j DROP
currently there is no other way to add the rule directly to the INPUT or OUTPUT chain through firewall-cmd
I only set out to do this like this because i felt that if some sort of worm or malware got inside my server its outgoing connection to whatever country would be considered RELATED, ASSURED, or ESTABLISHED, but this method by just adding to the delegate_output chain seems to be working to block all outgoing connections so I am satisfied
I am more than sure someone could better this answer by explaining how i could put the command in some init script or systemd script, but i think i would be more happy if fedora would just figure out an option that would add it directly to the primary chain, but maybe this is bad practice
answered Oct 26 '15 at 17:18
Chris
1116
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f983589%2fusing-firewalld-and-firewall-cmd-how-to-add-rule-to-primary-input-chain-not-inpu%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
at the moment the best way to effectuate this is to just do exactly what i had proposed which is to not only add the incoming drop rule but also add the outgoing drop so the commands would be
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -s 192.168.0.0/24 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -m geoip ! --src-cc US -j DROP
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -d 192.168.0.0/24 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -m geoip ! --dst-cc US -j DROP
currently there is no other way to add the rule directly to the INPUT or OUTPUT chain through firewall-cmd
I only set out to do this like this because i felt that if some sort of worm or malware got inside my server its outgoing connection to whatever country would be considered RELATED, ASSURED, or ESTABLISHED, but this method by just adding to the delegate_output chain seems to be working to block all outgoing connections so I am satisfied
I am more than sure someone could better this answer by explaining how i could put the command in some init script or systemd script, but i think i would be more happy if fedora would just figure out an option that would add it directly to the primary chain, but maybe this is bad practice
answered Oct 26 '15 at 17:18
Chris
1116
add a comment |
at the moment the best way to effectuate this is to just do exactly what i had proposed which is to not only add the incoming drop rule but also add the outgoing drop so the commands would be
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -s 192.168.0.0/24 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -m geoip ! --src-cc US -j DROP
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -d 192.168.0.0/24 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -m geoip ! --dst-cc US -j DROP
currently there is no other way to add the rule directly to the INPUT or OUTPUT chain through firewall-cmd
I only set out to do this like this because i felt that if some sort of worm or malware got inside my server its outgoing connection to whatever country would be considered RELATED, ASSURED, or ESTABLISHED, but this method by just adding to the delegate_output chain seems to be working to block all outgoing connections so I am satisfied
I am more than sure someone could better this answer by explaining how i could put the command in some init script or systemd script, but i think i would be more happy if fedora would just figure out an option that would add it directly to the primary chain, but maybe this is bad practice
answered Oct 26 '15 at 17:18
Chris
1116
add a comment |
at the moment the best way to effectuate this is to just do exactly what i had proposed which is to not only add the incoming drop rule but also add the outgoing drop so the commands would be
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -s 192.168.0.0/24 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -m geoip ! --src-cc US -j DROP
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -d 192.168.0.0/24 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -m geoip ! --dst-cc US -j DROP
currently there is no other way to add the rule directly to the INPUT or OUTPUT chain through firewall-cmd
I only set out to do this like this because i felt that if some sort of worm or malware got inside my server its outgoing connection to whatever country would be considered RELATED, ASSURED, or ESTABLISHED, but this method by just adding to the delegate_output chain seems to be working to block all outgoing connections so I am satisfied
I am more than sure someone could better this answer by explaining how i could put the command in some init script or systemd script, but i think i would be more happy if fedora would just figure out an option that would add it directly to the primary chain, but maybe this is bad practice
answered Oct 26 '15 at 17:18
Chris
1116
at the moment the best way to effectuate this is to just do exactly what i had proposed which is to not only add the incoming drop rule but also add the outgoing drop so the commands would be
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -s 192.168.0.0/24 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -m geoip ! --src-cc US -j DROP
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -d 192.168.0.0/24 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -m geoip ! --dst-cc US -j DROP
currently there is no other way to add the rule directly to the INPUT or OUTPUT chain through firewall-cmd
I only set out to do this like this because i felt that if some sort of worm or malware got inside my server its outgoing connection to whatever country would be considered RELATED, ASSURED, or ESTABLISHED, but this method by just adding to the delegate_output chain seems to be working to block all outgoing connections so I am satisfied
I am more than sure someone could better this answer by explaining how i could put the command in some init script or systemd script, but i think i would be more happy if fedora would just figure out an option that would add it directly to the primary chain, but maybe this is bad practice
answered Oct 26 '15 at 17:18
Chris
1116
edited Nov 4 '15 at 22:46
answered Oct 26 '15 at 17:18
Chris
1116
answered Oct 26 '15 at 17:18
Chris
1116
answered Oct 26 '15 at 17:18
Chris
1116
1116
add a comment |
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f983589%2fusing-firewalld-and-firewall-cmd-how-to-add-rule-to-primary-input-chain-not-inpu%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
