I would like to restrict SSH access to a few IP addresses.
# firewall-cmd --get-default-zone
my_zone
# firewall-cmd --list-all
my_zone (active)
target: DROP
icmp-block-inversion: no
interfaces: eth0
sources: ipset:my_ipset
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# firewall-cmd --info-ipset=my_ipset
my_ipset
type: hash:ip
options:
entries: 10.1.1.1 10.2.2.2
But any IP can connect via SSH.
Filtering with firewalld doesn't work
Re: Filtering with firewalld doesn't work
Every interface has a zone.
A package comes in.
If it is from 10.1.1.1 or 10.2.2.2, then it goes to zone my_zone that allows ssh.
Else it goes to interface eth0's zone my_zone that allows ssh.
Have two zones:
A has only the sources, but no interface, and allows ssh.
B is on interface eth0 and does not allow ssh.
Re: Filtering with firewalld doesn't work
Thank you, can you give me a configuration example ?
Re: Filtering with firewalld doesn't work
Based on what you have, this might suffice:
nmcli con mod eth0 connection.zone drop
Then you will have two active zones:
* builtin zone 'drop' that accepts nothing via eth0
* 'my_zone' that allows ssh from the sources that you did set
A source zone (my_zone) has higher priority than the interface zone (drop).
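The two-zone layout in the reply above can be checked mechanically. The script below is an added example, not code from the thread: it parses the text that `firewall-cmd --list-all-zones` prints (the sample inputs are constructed to mirror the original poster's output, with the field layout assumed to be the usual two-space-indented `key: value` lines) and flags two conditions. First, a zone that carries both an interface and sources, which is the original misconfiguration: packets from any other address still match the zone through the interface. Second, an interface-bound zone that lists ssh, which means ssh is reachable from anywhere on that interface.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the thread: ONE zone carries both eth0 and
# the ipset sources, so every packet on eth0 lands in a zone that allows ssh.
BROKEN = """\
my_zone (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: eth0
  sources: ipset:my_ipset
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""

# Constructed sample of the layout the reply recommends: eth0 sits in the
# builtin 'drop' zone, my_zone keeps only the sources and the ssh service.
FIXED = """\
drop (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

my_zone (active)
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources: ipset:my_ipset
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""


@dataclass
class Zone:
    name: str
    active: bool
    fields: dict = field(default_factory=dict)  # key -> list of tokens


def parse_zones(text: str) -> list:
    """Parse `firewall-cmd --list-all-zones` style output into Zone objects.

    Assumption: a zone header is an unindented line such as 'my_zone (active)',
    fields are indented 'key: value' lines, and rich rules continue on deeper
    indented lines starting with 'rule'.
    """
    zones = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            m = re.match(r"^(\S+)(?:\s+\((active)\))?$", raw.strip())
            zones.append(Zone(m.group(1), m.group(2) == "active"))
            continue
        line = raw.strip()
        if line.startswith("rule "):  # rich rule continuation line
            zones[-1].fields.setdefault("rich rules", []).append(line)
            continue
        key, _, value = line.partition(":")
        zones[-1].fields[key.strip()] = value.split()
    return zones


def audit(zones) -> list:
    """Return human-readable findings for zones that expose ssh too widely."""
    findings = []
    for z in zones:
        if not z.active:
            continue
        ifaces = z.fields.get("interfaces", [])
        sources = z.fields.get("sources", [])
        services = z.fields.get("services", [])
        if ifaces and sources:
            findings.append(
                f"{z.name}: bound to interface(s) {ifaces} AND sources {sources}; "
                "packets from other addresses still match this zone via the interface"
            )
        if ifaces and "ssh" in services:
            findings.append(f"{z.name}: interface zone for {ifaces} allows ssh from any source")
    return findings


if __name__ == "__main__":
    for label, sample in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit(parse_zones(sample)) or ["no findings"])
```

On a live host, pipe the real output in (`firewall-cmd --list-all-zones | python3 audit.py` after reading stdin instead of the constructed samples) to confirm that the interface zone lists no services and that the only zone offering ssh has sources but no interface.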
Re: Filtering with firewalld doesn't work
Thank you, SSH restriction is now working.
How can I allow ICMP echo-reply from any IP? Using a new zone?
Re: Filtering with firewalld doesn't work
Perhaps zone 'drop' is too strict after all.
If one of the builtin zones matches your requirements, then use it.
If close, just modify it. Otherwise, make a custom zone for eth0.
Fine-tuning ICMP rules:
https://access.redhat.com/documentation ... p_requests