Is there a way to allow an unprivileged process to add or remove IPs from a dedicated firewalld zone?

Let’s say I have a custom firewalld zone named media with a default policy of DROP, and the ports 25000-25100/udp.

I have an application running as a user with low privileges, but it needs to be able to add or remove IPs from this media zone based on some conditions. It should NOT be able to change ports or add rules or do anything else other than just adding or removing IPs from this zone and this zone only.

I could write a script that runs as root and listens for requests from this user and accept only a single parameter (the IP), but I’m not sure if this is the best way or if some kind of API already exists that is better designed than whatever I can come up with.

Any advice is appreciated.

What about a short script sanitizing the input to verify it is a valid IP address and then running /usr/bin/firewall-cmd --zone=media --add-source=$1
And then allow the user to execute it with sudo:
unprivileged_user ALL= NOPASSWD: /path/to/script.sh *
I guess if you properly sanitize the input the * should not be a security consideration. Or am I wrong?

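The sudo-wrapped script suggested in the answer above, written out as an added example (not code from any poster in this thread); it assumes the zone is named media, restricts the argument to an IPv4 address or CIDR block, and also offers the matching --remove-source operation.

```shell
#!/bin/sh
# Sudo wrapper: lets an unprivileged user add/remove ONE IPv4 source in the
# firewalld "media" zone and nothing else. Added example for this thread, not
# code from the original posts; zone name, script name and the IPv4-only rule
# are assumptions. Install root-owned (0755) so the caller cannot edit it.
set -eu
ZONE="media"
FIREWALL_CMD="/usr/bin/firewall-cmd"          # absolute path, never PATH lookup
PATH="/usr/sbin:/usr/bin:/sbin:/bin"; export PATH

# valid_ipv4_source ADDR: dotted-quad IPv4 with optional /0-32 prefix only.
# Names, IPv6, option-looking strings and shell metacharacters are rejected,
# so the sudoers wildcard cannot become arbitrary firewall-cmd arguments.
valid_ipv4_source() {
    addr=$1
    case "$addr" in
        ""|*[!0-9./]*|.*|*.|*..*|*/*/*) return 1 ;;
    esac
    ip=${addr%%/*}
    if [ "$ip" != "$addr" ]; then                 # a /prefix is present
        prefix=${addr#*/}
        case "$prefix" in ""|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$prefix" -le 32 ] || return 1
    fi
    n=0; oldifs=$IFS; IFS=.
    for octet in $ip; do
        n=$((n + 1))
        case "$octet" in 0[0-9]*) IFS=$oldifs; return 1 ;; esac   # no leading zeros
        [ "$octet" -le 255 ] || { IFS=$oldifs; return 1; }
    done
    IFS=$oldifs
    [ "$n" -eq 4 ]
}

# main ACTION ADDR: the only two operations this wrapper performs. Passing the
# value as --add-source=ADDR keeps it a value even if validation ever regresses.
main() {
    [ $# -eq 2 ] || { echo "usage: $0 add|remove IPv4[/prefix]" >&2; exit 64; }
    valid_ipv4_source "$2" || { echo "rejected source: $2" >&2; exit 65; }
    case "$1" in
        add)    exec "$FIREWALL_CMD" --zone="$ZONE" --add-source="$2" ;;
        remove) exec "$FIREWALL_CMD" --zone="$ZONE" --remove-source="$2" ;;
        *)      echo "unknown action: $1" >&2; exit 64 ;;
    esac
}

# Act only when given arguments; without any, the file just defines functions.
[ $# -eq 0 ] || main "$@"
```

With `/path/to/script.sh *` in sudoers the script, not sudo, is the privilege boundary, which is why every argument is checked before firewall-cmd ever sees it.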

Yes, that will work.

Although, since the time I posted this, I found some great examples for dealing directly with netfilter:

add rule: nft-rule-add.c « examples - libnftnl - nftables netlink library
get rule: nft-rule-get.c « examples - libnftnl - nftables netlink library
del rule: nft-rule-del.c « examples - libnftnl - nftables netlink library

I’m not too sure if firewall-cmd adds each rule individually, or if it’s adding a set of rules. I have to check what exactly it does, but from the examples above it seems I could compile a binary that has the chain/table hardcoded and will only allow an IP address as the argument. I think this should perform much faster. It’ll be a fun experiment for the day.

It should then be okay to give sudo access to run this binary.

One thing I’m not very clear about is, if firewall-cmd will see that these changes were made (even though it’s actually active). But I could write an XML file also, just in case firewall-cmd is reloaded then it can reload the rules.

I just went over RHEL 9.5 release notes and found this new feature:

You can use both firewalld and nftables services simultaneously
The firewalld and nftables systemd services are available to use simultaneously. Previously, users could enable only one of these services at a time. With this enhancement, these systemd services no longer conflict with each other.

I guess you’ve already found a working solution and I am not sure if I get it right. But it seems like you could run firewalld and make your additions to nftables and rely solely on it for those additions and not care about notifying firewalld.