Firewalld management

Dr I asked:

As I asked it in this topic’s comments: block all but a few IPs with firewalld

I’m looking for a way to deny all public IPs except for mine on the public zone of firewalld.

For now, my public zone just has the ssh/http/https services, and I have specified the source IPs as required all over the internet.

The thing is, I don’t get why firewalld is not filtering the source IPs as requested.

Normally, from what I understand, specifying the source IPs on the zone asks firewalld to drop all requests except those coming from the specified IPs.

But on my box it’s not working, as I’m able to connect to the machine from home, which is not one of the specified source IPs.

Some suggest creating a new zone named “Internal/Other”. The thing is that I only have one public interface, as the server is not on a private LAN, so why should I create/use another zone, when the public zone should drop all IPs except those specified in the source list?

Does Firewalld Public zone make the services added on it open to the world automatically?

If I create a second zone named “internal”, with only the ssh service and the source IPs, and then link this zone to my eth0, will firewalld block all non-“sourced” IPs?

Of course, doing such a process supposes that I remove the ssh service from the services served by the public zone.

My firewall is:

[root@groot ~]# firewall-cmd --list-all-zones
block
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

dmz
  interfaces:
  sources:
  services: ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

drop (default)
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

external
  interfaces:
  sources:
  services: ssh
  ports:
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:

home
  interfaces:
  sources:
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

internal (active)
  interfaces: eth0
  sources: 192.168.0.0/24
  services: ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

public
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

trusted
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

work
  interfaces:
  sources:
  services: dhcpv6-client ipp-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

My answer:

This looks like your problem:

internal (active)
  interfaces: eth0
  sources: 192.168.0.0/24

If you specify both interfaces and source IP addresses for a zone, then that zone matches for traffic from either the interface or the source IP addresses.

If you want the zone to match for only source IP addresses, remove the interface from it.

View the full question and answer on Server Fault.
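The mix-up described in the answer (a zone bound to both an interface and a source range, so it matches on either) can be checked mechanically. The script below is an added example, not part of the original question or answer: it parses `firewall-cmd --list-all-zones` output (a constructed sample trimmed from the listing in the question), flags zones bound to both an interface and a source, simulates firewalld's zone lookup for a packet (source bindings are checked before interface bindings, then the default zone) before and after the fix, and emits the `firewall-cmd` commands that remove the interface binding. The sample text and the test addresses 203.0.113.5 and 192.168.0.10 are constructed; nothing is run against a live firewall.

```python
import copy
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the three zones that matter, trimmed from the listing in
# the question above (same layout as `firewall-cmd --list-all-zones`).
SAMPLE = """\
drop (default)
  interfaces:
  sources:
  services:

internal (active)
  interfaces: eth0
  sources: 192.168.0.0/24
  services: ssh

public
  interfaces:
  sources:
  services: dhcpv6-client ssh
"""


@dataclass
class Zone:
    name: str
    active: bool = False
    default: bool = False
    interfaces: List[str] = field(default_factory=list)
    sources: List[str] = field(default_factory=list)
    services: List[str] = field(default_factory=list)


# Matches "internal (active)", "drop (default)" or a bare "public".
ZONE_HEADER = re.compile(r"^(\S+)((?:\s+\((?:active|default)\))*)\s*$")


def parse_zones(text: str) -> List[Zone]:
    """Parse `firewall-cmd --list-all-zones` output into Zone records."""
    zones: List[Zone] = []
    current: Optional[Zone] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():  # unindented line: zone header
            m = ZONE_HEADER.match(raw)
            name, flags = (m.group(1), m.group(2)) if m else (raw.split()[0], "")
            current = Zone(name, "(active)" in flags, "(default)" in flags)
            zones.append(current)
            continue
        if current is None:
            continue  # indented text before any header; ignore
        key, _, value = raw.strip().partition(":")
        if key in ("interfaces", "sources", "services"):
            setattr(current, key, value.split())
    return zones


def find_mixed_zones(zones: List[Zone]) -> List[Zone]:
    """Zones bound to both an interface and a source list. Every packet on the
    interface lands in the zone, so the source list restricts nothing."""
    return [z for z in zones if z.interfaces and z.sources]


def default_zone(zones: List[Zone]) -> Optional[str]:
    return next((z.name for z in zones if z.default), None)


def effective_zone(zones: List[Zone], iface: str, src_ip: str) -> Optional[str]:
    """Zone firewalld selects for a packet: source binding first, then the
    interface binding, then the default zone."""
    ip = ipaddress.ip_address(src_ip)
    for z in zones:
        for src in z.sources:
            try:
                if ip in ipaddress.ip_network(src, strict=False):
                    return z.name
            except ValueError:
                continue  # MAC or ipset: source, not an IP range
    for z in zones:
        if iface in z.interfaces:
            return z.name
    return default_zone(zones)


def fix_commands(zones: List[Zone]) -> List[str]:
    """firewall-cmd invocations that unbind the interface from each mixed zone."""
    cmds = [f"firewall-cmd --permanent --zone={z.name} --remove-interface={iface}"
            for z in find_mixed_zones(zones) for iface in z.interfaces]
    return cmds + ["firewall-cmd --reload"] if cmds else []


def apply_fix(zones: List[Zone]) -> List[Zone]:
    """Return a copy of the zone list with the interface bindings removed."""
    fixed = copy.deepcopy(zones)
    for z in find_mixed_zones(fixed):
        z.interfaces = []
    return fixed


if __name__ == "__main__":
    zones = parse_zones(SAMPLE)
    for z in find_mixed_zones(zones):
        print(f"{z.name}: bound to interfaces {z.interfaces} AND sources {z.sources}")
    for ip in ("203.0.113.5", "192.168.0.10"):  # constructed: stranger, listed host
        print(ip, "before:", effective_zone(zones, "eth0", ip),
              "after:", effective_zone(apply_fix(zones), "eth0", ip))
    print("\n".join(fix_commands(zones)))
```

After the interface binding is removed, eth0 belongs to no zone, so unlisted addresses fall through to the default zone (`drop` in this listing) while 192.168.0.0/24 still reaches `internal` through its source binding. Check `firewall-cmd --get-default-zone` before relying on this: if the default were `public`, which carries `ssh` in its service list above, strangers would still get SSH through that zone instead.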

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.