Zone sources not working

Support for security such as Firewalls and securing linux
endfx
Posts: 1
Joined: 2015/02/11 17:31:52

Zone sources not working

Post by endfx » 2015/02/11 17:40:15

I have a machine with 1 interface and it is in the public zone.
I would like to enable SSH access but only for connections coming from 10.1.2.0/24.

I run:
firewall-cmd --permanent --zone=public --add-source=10.1.2.0/24
firewall-cmd --complete-reload

However, SSH is still accessible from sources outside of 10.1.2.0/24.

Here is my public zone file:


<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <source address="10.1.2.0/24"/>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
</zone>
I guess I'm misunderstanding the purpose of sources in zone files.
Can anybody tell me why the above isn't working?

Thanks.

jyoung
Posts: 102
Joined: 2014/09/22 13:40:31
Location: Nashville, TN, USA

Re: Zone sources not working

Post by jyoung » 2015/02/27 00:56:03

What does this produce?


for zone in $( firewall-cmd --get-active-zones | egrep "^[A-Z]|^[a-z]|^[0-9]" ); do firewall-cmd --zone=$zone --list-all; done
-- Jeremy --

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: Zone sources not working

Post by aks » 2015/02/27 20:10:34

I found that if you wish to limit firewalld rules based on both port and source/destination address(es), you have to go with the rich rules within a custom zone. I'm not 100% sure; that's just what I ended up doing, and I could be wrong, because I'm not 100% sure of what the various pre-configured zones really mean.
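An added example (not from any poster in this thread) of the rich-rule approach applied to the original poster's public zone. A `<source>` entry in a zone only decides which zone traffic from that network lands in; it does not restrict the zone's services, and because the machine's only interface is also bound to public, connections from every address still reach the public zone and match `<service name="ssh"/>`. The file below drops the plain ssh service and the bare source entry and instead accepts ssh only from 10.1.2.0/24 via a rich rule; the path is the standard firewalld location for a permanent zone override and is an assumption about the poster's system.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- /etc/firewalld/zones/public.xml (assumed path); apply with: firewall-cmd --reload -->
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <!-- dhcpv6-client kept as in the original zone -->
  <service name="dhcpv6-client"/>
  <!-- No unconditional <service name="ssh"/> here: that would allow ssh from any source.
       The rich rule below accepts ssh only when the source is in 10.1.2.0/24;
       everything else falls through to the zone's default (reject for public). -->
  <rule family="ipv4">
    <source address="10.1.2.0/24"/>
    <service name="ssh"/>
    <accept/>
  </rule>
</zone>
```

After reloading, `firewall-cmd --zone=public --list-all` should show ssh only under `rich rules`, not under `services`; test from a host outside 10.1.2.0/24 before closing your current session.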
