How can I configure firewall with custom rules?

In the earlier versions of Leap I used yast firewall to configure custom rules, that allowed me to add specific ips with ports/ranges and everything worked fine.

In the new version, I see that things have changed, since now firewalld is the default firewall and yast firewall utility does not have all the GUI options for this.

I’m hoping you can help me figure out how to accomplish following:

I have 2 groups of ipv4 that need to access the machine.

group 1 needs ports: 3345 TCP, 3346 TCP and 5000-10000 UDP range
group 2 needs ports: 3345 TCP, 3346 TCP and 5000-10000 UDP range as well as port 22 TCP

If I understand correctly, I need to create ipsets. So one ipset will have group 1 ips, and the second ipset will have group 2 ips.

My questions are:

  1. How do I tie 2 different ipsets with specific ports to same “external” interface?

  2. IPs in the groups mentioned above can change, so I need to write a script that retrieves fresh ips, updates the ipsets and reloads firewall. What’s the correct way to do this? Can I overwrite a file somewhere in /etc/ ? Where are ipsets ips stored? (In SuseFirewall2 I used to inject a custom line in the config file and restart service)

I know I’ve asked a lot of questions but I hope I’ve clearly described what I am trying to accomplish. If not, please let me know and I can provide more detail.

Your advice is greatly appreciated.

This blog might be helpful to you…

It’s difficult to answer because we do not know where you are starting from.

Are you using:
The firewall-config graphical interface
Manually editing /etc/firewalld/* and the xml files

I would suggest using firewall-config to create the ipsets and add the initial members (they can be pulled from a text file), and your Rich Rules for the desired zone.

Then use a shell script to modify (update) /etc/firewalld/ipsets/groupx.xml
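As an added example (not code from this thread, nor firewalld's own), a POSIX shell script covering both questions: it prints the firewall-cmd calls that create the two ipsets and the rich rules for the ports listed in the question, and it renders the ipset XML from a member file, which is the piece the last reply suggests updating by script. Assumed names: the zone is "external", the ipsets are group1/group2, and the member file and its addresses are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: the WAN interface is bound to
# firewalld's "external" zone, the ipsets are named group1/group2, and each group's
# members live in a text file with one IPv4 address or CIDR per line.

# Print the firewall-cmd calls that create a permanent ipset and the rich rules
# allowing its members the given ports in the external zone.
# $1 = ipset name, remaining args = port/proto (e.g. 3345/tcp, 5000-10000/udp).
emit_rules() {
  set_name=$1; shift
  echo "firewall-cmd --permanent --new-ipset=$set_name --type=hash:net"
  for p in "$@"; do
    rule="rule family=\"ipv4\" source ipset=\"$set_name\" port port=\"${p%/*}\" protocol=\"${p#*/}\" accept"
    echo "firewall-cmd --permanent --zone=external --add-rich-rule='$rule'"
  done
}

# Render firewalld's ipset XML for a member file; a cron job can write this over
# /etc/firewalld/ipsets/<name>.xml and then run: firewall-cmd --reload
# Lines that do not look like an IPv4 address/CIDR are dropped, so a bad line in the
# fetched list cannot end up inside the XML.
ipset_xml() {
  file=$1
  printf '<?xml version="1.0" encoding="utf-8"?>\n<ipset type="hash:net">\n'
  grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' "$file" | while read -r ip; do
    printf '  <entry>%s</entry>\n' "$ip"
  done
  printf '</ipset>\n'
}

# Demo with a constructed member list (documentation ranges) written to a temp file.
demo() {
  tmp=$(mktemp)
  printf '203.0.113.10\n198.51.100.0/24\nnot-an-address\n' > "$tmp"
  emit_rules group1 3345/tcp 3346/tcp 5000-10000/udp
  emit_rules group2 3345/tcp 3346/tcp 5000-10000/udp 22/tcp
  echo "--- ipset XML for group1 (would be written to /etc/firewalld/ipsets/group1.xml) ---"
  ipset_xml "$tmp"
  rm -f "$tmp"
}
demo
```

Rewriting the XML under /etc/firewalld/ipsets/ only takes effect after `firewall-cmd --reload`; the same member update can be done without touching the file via `firewall-cmd --permanent --ipset=group1 --add-entries-from-file=FILE` followed by a reload.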