using firewalld and firewall-cmd how to add-rule to primary INPUT chain not INPUT_direct












1














so after reading the firewalld man page and fedora documentation, I have come to the understanding that to add a custom rule to firewall with specific arguements i need to use the structure



 firewall-cmd [--permanent] --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>


what I am specifically trying to do is create a custom rule with geoip matching to block out all countries that don't originate from the US. Before I do this i need to first add a matching rule that allows access from my local network as I am controlling the server through ssh on a local private network, so I add a rule like so



 firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -s 192.168.0.0/24 -j ACCEPT


i then add a second rule like so



 firewall-cmd --direct --add-rule ipv4 filter INPUT 1 -m geoip ! --src-cc US -j DROP


these add to the input chain, but add under a sub-chain called INPUT_direct, this sub-chain is listed in the generic unchanged INPUT rules list as 3rd and a quick



 iptables -L INPUT


shows the INPUT chain as this



 Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited


and the INPUT_direct as



 Chain INPUT_direct (1 references)
target prot opt source destination
ACCEPT all -- 192.168.0.0/24 anywhere
DROP all -- anywhere anywhere -m geoip ! --source-country US


this may work for some, but if i run



 ping france.fr


I get as a result



 PING france.fr (46.18.192.148) 56(84) bytes of data.
64 bytes from ns1-sgg.produhost.net (46.18.192.148): icmp_seq=1 ttl=52 time=136 ms
64 bytes from ns1-sgg.produhost.net (46.18.192.148): icmp_seq=2 ttl=52 time=135 ms
64 bytes from ns1-sgg.produhost.net (46.18.192.148): icmp_seq=3 ttl=52 time=136 ms


this is more than likely due to the INPUT rule #1



 iptables  -L INPUT 1

ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED


I realize that I could just simply apply the same custom ruleset to the OUTPUT chain and block out the ping request to france.fr or anything external to the US, but how could I add the ruleset to base INPUT chain so



 iptables -L INPUT


shows this instead



 Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.0.0/24 anywhere
DROP all -- anywhere anywhere -m geoip ! --source-country US
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited


I ask this because I feel like what I want instead of what is the result of the firewall-cmd is a bit more secure, am I wrong? I would like to keep the firewall being controlled by firewalld instead of dropping firewalld and reverting back to iptables for better future integration and possible deprecation issues, so is this even possible with firewalld, or am I going to be forced to run a custom script at boot up that includes



 iptables -I INPUT 1 -s 192.168.0.0/24 -j ACCEPT
iptables -I INPUT 2 -m geoip ! --src-cc US -j DROP


and if that is the option where do I place this script?










share|improve this question



























    1














    so after reading the firewalld man page and fedora documentation, I have come to the understanding that to add a custom rule to firewall with specific arguements i need to use the structure



     firewall-cmd [--permanent] --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>


    what I am specifically trying to do is create a custom rule with geoip matching to block out all countries that don't originate from the US. Before I do this i need to first add a matching rule that allows access from my local network as I am controlling the server through ssh on a local private network, so I add a rule like so



     firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -s 192.168.0.0/24 -j ACCEPT


    i then add a second rule like so



     firewall-cmd --direct --add-rule ipv4 filter INPUT 1 -m geoip ! --src-cc US -j DROP


    these add to the input chain, but add under a sub-chain called INPUT_direct, this sub-chain is listed in the generic unchanged INPUT rules list as 3rd and a quick



     iptables -L INPUT


    shows the INPUT chain as this



     Chain INPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
    ACCEPT all -- anywhere anywhere
    INPUT_direct all -- anywhere anywhere
    INPUT_ZONES_SOURCE all -- anywhere anywhere
    INPUT_ZONES all -- anywhere anywhere
    ACCEPT icmp -- anywhere anywhere
    DROP all -- anywhere anywhere ctstate INVALID
    REJECT all -- anywhere anywhere reject-with icmp-host-prohibited


    and the INPUT_direct as



     Chain INPUT_direct (1 references)
    target prot opt source destination
    ACCEPT all -- 192.168.0.0/24 anywhere
    DROP all -- anywhere anywhere -m geoip ! --source-country US


    this may work for some, but if i run



     ping france.fr


    I get as a result



     PING france.fr (46.18.192.148) 56(84) bytes of data.
    64 bytes from ns1-sgg.produhost.net (46.18.192.148): icmp_seq=1 ttl=52 time=136 ms
    64 bytes from ns1-sgg.produhost.net (46.18.192.148): icmp_seq=2 ttl=52 time=135 ms
    64 bytes from ns1-sgg.produhost.net (46.18.192.148): icmp_seq=3 ttl=52 time=136 ms


    this is more than likely due to the INPUT rule #1



     iptables  -L INPUT 1

    ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED


    I realize that I could just simply apply the same custom ruleset to the OUTPUT chain and block out the ping request to france.fr or anything external to the US, but how could I add the ruleset to base INPUT chain so



     iptables -L INPUT


    shows this instead



     Chain INPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- 192.168.0.0/24 anywhere
    DROP all -- anywhere anywhere -m geoip ! --source-country US
    ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
    ACCEPT all -- anywhere anywhere
    INPUT_direct all -- anywhere anywhere
    INPUT_ZONES_SOURCE all -- anywhere anywhere
    INPUT_ZONES all -- anywhere anywhere
    ACCEPT icmp -- anywhere anywhere
    DROP all -- anywhere anywhere ctstate INVALID
    REJECT all -- anywhere anywhere reject-with icmp-host-prohibited


    I ask this because I feel like what I want instead of what is the result of the firewall-cmd is a bit more secure, am I wrong? I would like to keep the firewall being controlled by firewalld instead of dropping firewalld and reverting back to iptables for better future integration and possible deprecation issues, so is this even possible with firewalld, or am I going to be forced to run a custom script at boot up that includes



     iptables -I INPUT 1 -s 192.168.0.0/24 -j ACCEPT
    iptables -I INPUT 2 -m geoip ! --src-cc US -j DROP


    and if that is the option where do I place this script?










    share|improve this question

























      1












      1








      1







      so after reading the firewalld man page and fedora documentation, I have come to the understanding that to add a custom rule to firewall with specific arguements i need to use the structure



       firewall-cmd [--permanent] --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>


      what I am specifically trying to do is create a custom rule with geoip matching to block out all countries that don't originate from the US. Before I do this i need to first add a matching rule that allows access from my local network as I am controlling the server through ssh on a local private network, so I add a rule like so



       firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -s 192.168.0.0/24 -j ACCEPT


      i then add a second rule like so



       firewall-cmd --direct --add-rule ipv4 filter INPUT 1 -m geoip ! --src-cc US -j DROP


      these add to the input chain, but add under a sub-chain called INPUT_direct, this sub-chain is listed in the generic unchanged INPUT rules list as 3rd and a quick



       iptables -L INPUT


      shows the INPUT chain as this



       Chain INPUT (policy ACCEPT)
      target prot opt source destination
      ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
      ACCEPT all -- anywhere anywhere
      INPUT_direct all -- anywhere anywhere
      INPUT_ZONES_SOURCE all -- anywhere anywhere
      INPUT_ZONES all -- anywhere anywhere
      ACCEPT icmp -- anywhere anywhere
      DROP all -- anywhere anywhere ctstate INVALID
      REJECT all -- anywhere anywhere reject-with icmp-host-prohibited


      and the INPUT_direct as



       Chain INPUT_direct (1 references)
      target prot opt source destination
      ACCEPT all -- 192.168.0.0/24 anywhere
      DROP all -- anywhere anywhere -m geoip ! --source-country US


      this may work for some, but if i run



       ping france.fr


      I get as a result



       PING france.fr (46.18.192.148) 56(84) bytes of data.
      64 bytes from ns1-sgg.produhost.net (46.18.192.148): icmp_seq=1 ttl=52 time=136 ms
      64 bytes from ns1-sgg.produhost.net (46.18.192.148): icmp_seq=2 ttl=52 time=135 ms
      64 bytes from ns1-sgg.produhost.net (46.18.192.148): icmp_seq=3 ttl=52 time=136 ms


      this is more than likely due to the INPUT rule #1



       iptables  -L INPUT 1

      ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED


      I realize that I could just simply apply the same custom ruleset to the OUTPUT chain and block out the ping request to france.fr or anything external to the US, but how could I add the ruleset to base INPUT chain so



       iptables -L INPUT


      shows this instead



       Chain INPUT (policy ACCEPT)
      target prot opt source destination
      ACCEPT all -- 192.168.0.0/24 anywhere
      DROP all -- anywhere anywhere -m geoip ! --source-country US
      ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
      ACCEPT all -- anywhere anywhere
      INPUT_direct all -- anywhere anywhere
      INPUT_ZONES_SOURCE all -- anywhere anywhere
      INPUT_ZONES all -- anywhere anywhere
      ACCEPT icmp -- anywhere anywhere
      DROP all -- anywhere anywhere ctstate INVALID
      REJECT all -- anywhere anywhere reject-with icmp-host-prohibited


      I ask this because I feel like what I want instead of what is the result of the firewall-cmd is a bit more secure, am I wrong? I would like to keep the firewall being controlled by firewalld instead of dropping firewalld and reverting back to iptables for better future integration and possible deprecation issues, so is this even possible with firewalld, or am I going to be forced to run a custom script at boot up that includes



       iptables -I INPUT 1 -s 192.168.0.0/24 -j ACCEPT
      iptables -I INPUT 2 -m geoip ! --src-cc US -j DROP


      and if that is the option where do I place this script?










      share|improve this question













      so after reading the firewalld man page and fedora documentation, I have come to the understanding that to add a custom rule to firewall with specific arguements i need to use the structure



       firewall-cmd [--permanent] --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>


      what I am specifically trying to do is create a custom rule with geoip matching to block out all countries that don't originate from the US. Before I do this i need to first add a matching rule that allows access from my local network as I am controlling the server through ssh on a local private network, so I add a rule like so



       firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -s 192.168.0.0/24 -j ACCEPT


      i then add a second rule like so



       firewall-cmd --direct --add-rule ipv4 filter INPUT 1 -m geoip ! --src-cc US -j DROP


      these add to the input chain, but add under a sub-chain called INPUT_direct, this sub-chain is listed in the generic unchanged INPUT rules list as 3rd and a quick



       iptables -L INPUT


      shows the INPUT chain as this



       Chain INPUT (policy ACCEPT)
      target prot opt source destination
      ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
      ACCEPT all -- anywhere anywhere
      INPUT_direct all -- anywhere anywhere
      INPUT_ZONES_SOURCE all -- anywhere anywhere
      INPUT_ZONES all -- anywhere anywhere
      ACCEPT icmp -- anywhere anywhere
      DROP all -- anywhere anywhere ctstate INVALID
      REJECT all -- anywhere anywhere reject-with icmp-host-prohibited


      and the INPUT_direct as



       Chain INPUT_direct (1 references)
      target prot opt source destination
      ACCEPT all -- 192.168.0.0/24 anywhere
      DROP all -- anywhere anywhere -m geoip ! --source-country US


      this may work for some, but if i run



       ping france.fr


      I get as a result



       PING france.fr (46.18.192.148) 56(84) bytes of data.
      64 bytes from ns1-sgg.produhost.net (46.18.192.148): icmp_seq=1 ttl=52 time=136 ms
      64 bytes from ns1-sgg.produhost.net (46.18.192.148): icmp_seq=2 ttl=52 time=135 ms
      64 bytes from ns1-sgg.produhost.net (46.18.192.148): icmp_seq=3 ttl=52 time=136 ms


      this is more than likely due to the INPUT rule #1



       iptables  -L INPUT 1

      ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED


      I realize that I could just simply apply the same custom ruleset to the OUTPUT chain and block out the ping request to france.fr or anything external to the US, but how could I add the ruleset to base INPUT chain so



       iptables -L INPUT


      shows this instead



       Chain INPUT (policy ACCEPT)
      target prot opt source destination
      ACCEPT all -- 192.168.0.0/24 anywhere
      DROP all -- anywhere anywhere -m geoip ! --source-country US
      ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
      ACCEPT all -- anywhere anywhere
      INPUT_direct all -- anywhere anywhere
      INPUT_ZONES_SOURCE all -- anywhere anywhere
      INPUT_ZONES all -- anywhere anywhere
      ACCEPT icmp -- anywhere anywhere
      DROP all -- anywhere anywhere ctstate INVALID
      REJECT all -- anywhere anywhere reject-with icmp-host-prohibited


      I ask this because I feel like what I want instead of what is the result of the firewall-cmd is a bit more secure, am I wrong? I would like to keep the firewall being controlled by firewalld instead of dropping firewalld and reverting back to iptables for better future integration and possible deprecation issues, so is this even possible with firewalld, or am I going to be forced to run a custom script at boot up that includes



       iptables -I INPUT 1 -s 192.168.0.0/24 -j ACCEPT
      iptables -I INPUT 2 -m geoip ! --src-cc US -j DROP


      and if that is the option where do I place this script?







      networking command-line fedora iptables firewalld






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Oct 7 '15 at 18:24









      Chris

      1116




      1116






















          1 Answer
          1






          active

          oldest

          votes


















          0














          at the moment the best way to effectuate this is to just do exactly what i had proposed which is to not only add the incoming drop rule but also add the outgoing drop so the commands would be



           firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -s 192.168.0.0/24 -j ACCEPT
          firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -m geoip ! --src-cc US -j DROP
          firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -d 192.168.0.0/24 -j ACCEPT
          firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -m geoip ! --dst-cc US -j DROP


          currently there is no other way to add the rule directly to the INPUT or OUTPUT chain through firewall-cmd



          I only set out to do this like this because i felt that if some sort of worm or malware got inside my server its outgoing connection to whatever country would be considered RELATED, ASSURED, or ESTABLISHED, but this method by just adding to the delegate_output chain seems to be working to block all outgoing connections so I am satisfied



          I am more than sure someone could better this answer by explaining how i could put the command in some init script or systemd script, but i think i would be more happy if fedora would just figure out an option that would add it directly to the primary chain, but maybe this is bad practice






          share|improve this answer























            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "3"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f983589%2fusing-firewalld-and-firewall-cmd-how-to-add-rule-to-primary-input-chain-not-inpu%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            0














            at the moment the best way to effectuate this is to just do exactly what i had proposed which is to not only add the incoming drop rule but also add the outgoing drop so the commands would be



             firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -s 192.168.0.0/24 -j ACCEPT
            firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -m geoip ! --src-cc US -j DROP
            firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -d 192.168.0.0/24 -j ACCEPT
            firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -m geoip ! --dst-cc US -j DROP


            currently there is no other way to add the rule directly to the INPUT or OUTPUT chain through firewall-cmd



            I only set out to do this like this because i felt that if some sort of worm or malware got inside my server its outgoing connection to whatever country would be considered RELATED, ASSURED, or ESTABLISHED, but this method by just adding to the delegate_output chain seems to be working to block all outgoing connections so I am satisfied



            I am more than sure someone could better this answer by explaining how i could put the command in some init script or systemd script, but i think i would be more happy if fedora would just figure out an option that would add it directly to the primary chain, but maybe this is bad practice






            share|improve this answer




























              0














              at the moment the best way to effectuate this is to just do exactly what i had proposed which is to not only add the incoming drop rule but also add the outgoing drop so the commands would be



               firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -s 192.168.0.0/24 -j ACCEPT
              firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -m geoip ! --src-cc US -j DROP
              firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -d 192.168.0.0/24 -j ACCEPT
              firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -m geoip ! --dst-cc US -j DROP


              currently there is no other way to add the rule directly to the INPUT or OUTPUT chain through firewall-cmd



              I only set out to do this like this because i felt that if some sort of worm or malware got inside my server its outgoing connection to whatever country would be considered RELATED, ASSURED, or ESTABLISHED, but this method by just adding to the delegate_output chain seems to be working to block all outgoing connections so I am satisfied



              I am more than sure someone could better this answer by explaining how i could put the command in some init script or systemd script, but i think i would be more happy if fedora would just figure out an option that would add it directly to the primary chain, but maybe this is bad practice






              share|improve this answer


























                0












                0








                0






                at the moment the best way to effectuate this is to just do exactly what i had proposed which is to not only add the incoming drop rule but also add the outgoing drop so the commands would be



                 firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -s 192.168.0.0/24 -j ACCEPT
                firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -m geoip ! --src-cc US -j DROP
                firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -d 192.168.0.0/24 -j ACCEPT
                firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -m geoip ! --dst-cc US -j DROP


                currently there is no other way to add the rule directly to the INPUT or OUTPUT chain through firewall-cmd



                I only set out to do this like this because i felt that if some sort of worm or malware got inside my server its outgoing connection to whatever country would be considered RELATED, ASSURED, or ESTABLISHED, but this method by just adding to the delegate_output chain seems to be working to block all outgoing connections so I am satisfied



                I am more than sure someone could better this answer by explaining how i could put the command in some init script or systemd script, but i think i would be more happy if fedora would just figure out an option that would add it directly to the primary chain, but maybe this is bad practice






                share|improve this answer














                at the moment the best way to effectuate this is to just do exactly what i had proposed which is to not only add the incoming drop rule but also add the outgoing drop so the commands would be



                 firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -s 192.168.0.0/24 -j ACCEPT
                firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -m geoip ! --src-cc US -j DROP
                firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -d 192.168.0.0/24 -j ACCEPT
                firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -m geoip ! --dst-cc US -j DROP


                currently there is no other way to add the rule directly to the INPUT or OUTPUT chain through firewall-cmd



                I only set out to do this like this because i felt that if some sort of worm or malware got inside my server its outgoing connection to whatever country would be considered RELATED, ASSURED, or ESTABLISHED, but this method by just adding to the delegate_output chain seems to be working to block all outgoing connections so I am satisfied



                I am more than sure someone could better this answer by explaining how i could put the command in some init script or systemd script, but i think i would be more happy if fedora would just figure out an option that would add it directly to the primary chain, but maybe this is bad practice







                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited Nov 4 '15 at 22:46

























                answered Oct 26 '15 at 17:18









                Chris

                1116




                1116






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Super User!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.





                    Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


                    Please pay close attention to the following guidance:


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f983589%2fusing-firewalld-and-firewall-cmd-how-to-add-rule-to-primary-input-chain-not-inpu%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    Сан-Квентин

                    8-я гвардейская общевойсковая армия

                    Алькесар