Filtering with firewalld doesn't work

Posted: 2019/06/11 09:07:35
by charlie77
I would like to restrict SSH access to few IP addresses.

# firewall-cmd --get-default-zone
my_zone

# firewall-cmd --list-all
my_zone (active)
target: DROP
icmp-block-inversion: no
interfaces: eth0
sources: ipset:my_ipset
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

# firewall-cmd --info-ipset=my_ipset
my_ipset
type: hash:ip
options:
entries: 10.1.1.1 10.2.2.2

But any IP can connect with SSH

Re: Filtering with firewalld doesn't work

Posted: 2019/06/11 20:20:11
by jlehtone
Every interface has a zone.

A package comes in.
If it is from 10.1.1.1 or 10.2.2.2, then it goes to zone my_zone that allows ssh.
Else it goes to interface eth0's zone my_zone that allows ssh.

Have two zones:
A has only the sources, but no interface, and allows ssh.
B is on interface eth0 and does not allow ssh.

Re: Filtering with firewalld doesn't work

Posted: 2019/06/12 10:33:16
by charlie77
Thank you, can you give me a configuration example?

Re: Filtering with firewalld doesn't work

Posted: 2019/06/13 13:49:59
by jlehtone
Based on what you have, this might suffice:


nmcli con mod eth0 connection.zone drop

Then you will have two active zones:
* builtin zone 'drop' that accepts nothing via eth0
* 'my_zone' that allows ssh from the sources that you did set

A source zone (my_zone) has higher priority than the interface zone (drop).
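Below is an added worked example, not code posted by charlie77 or jlehtone, that puts both of jlehtone's replies into a script: it builds the two-zone layout (a source-only zone that offers ssh, the interface bound to the builtin drop zone) and then audits a zone listing for the mistake in the first post, an interface zone that also offers ssh. The interface name eth0, the ipset name my_ipset and the two admin addresses come from the thread; the zone name ssh_admins, the ping helper and the two sample listings are constructed for this example.

```shell
#!/bin/bash
# Added example for this thread (not code posted by charlie77 or jlehtone):
# build the two-zone layout jlehtone describes, then audit a zone listing for
# the mistake in the original post (an interface zone that also offers ssh).
# eth0, my_ipset and the admin addresses come from the thread; the source-only
# zone name 'ssh_admins' is hypothetical.
set -eu

IFACE="${IFACE:-eth0}"
IPSET="${IPSET:-my_ipset}"
SRC_ZONE="${SRC_ZONE:-ssh_admins}"          # sources only, never an interface
ADMIN_IPS="${ADMIN_IPS:-10.1.1.1 10.2.2.2}"

# Write the permanent configuration and reload. Needs root and a running
# firewalld; objects that already exist are not recreated.
apply_ssh_allowlist() {
    firewall-cmd --permanent --get-ipsets | grep -qw "$IPSET" \
        || firewall-cmd --permanent --new-ipset="$IPSET" --type=hash:ip
    for ip in $ADMIN_IPS; do
        firewall-cmd --permanent --ipset="$IPSET" --add-entry="$ip"
    done
    firewall-cmd --permanent --get-zones | grep -qw "$SRC_ZONE" \
        || firewall-cmd --permanent --new-zone="$SRC_ZONE"
    firewall-cmd --permanent --zone="$SRC_ZONE" --add-source="ipset:$IPSET"
    firewall-cmd --permanent --zone="$SRC_ZONE" --add-service=ssh
    # The interface goes to the builtin 'drop' zone. When NetworkManager owns
    # the connection, the thread's 'nmcli con mod eth0 connection.zone drop'
    # is the durable way; --change-interface is the firewalld-only form.
    firewall-cmd --permanent --zone=drop --change-interface="$IFACE"
    firewall-cmd --reload
}

# Optional: let the host answer ping from anywhere while staying in 'drop'.
# Assumption: firewalld's icmp-block-inversion accepts the listed ICMP types
# and drops all others, so listing echo-request accepts incoming pings only.
allow_ping_on_drop_zone() {
    firewall-cmd --permanent --zone=drop --add-icmp-block-inversion
    firewall-cmd --permanent --zone=drop --add-icmp-block=echo-request
    firewall-cmd --reload
}

# Audit: read 'firewall-cmd --list-all-zones' output on stdin and report every
# active zone that both binds an interface and offers ssh, i.e. accepts SSH
# from any address arriving on that interface. Returns 0 when ssh is offered
# only by source-restricted zones, 1 otherwise.
audit_ssh_exposure() {
    awk '
        function flush() {
            if (zone != "" && active && iface != "" && svc ~ /(^| )ssh( |$)/) {
                printf "EXPOSED: zone %s offers ssh on interface(s) %s\n", zone, iface
                bad = 1
            }
            zone = ""; active = 0; iface = ""; svc = ""
        }
        /^[[:space:]]*$/ { next }
        # A zone header is a bare name, optionally followed by "(active)".
        /^[[:space:]]*[A-Za-z0-9_-]+( \(active\))?[[:space:]]*$/ {
            flush(); zone = $1; active = ($0 ~ /\(active\)/); next
        }
        /^[[:space:]]*interfaces:/ { sub(/^[[:space:]]*interfaces:[[:space:]]*/, ""); iface = $0 }
        /^[[:space:]]*services:/   { sub(/^[[:space:]]*services:[[:space:]]*/, "");   svc = $0 }
        END { flush(); exit (bad ? 1 : 0) }
    '
}

# Constructed listings (not real output from charlie77's host). BEFORE mirrors
# the first post: my_zone binds eth0 and offers ssh, so its sources restrict
# nothing. AFTER is the layout from jlehtone's reply.
SAMPLE_BEFORE='my_zone (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: eth0
  sources: ipset:my_ipset
  services: ssh
  ports:
  rich rules:

public
  target: default
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:
'
SAMPLE_AFTER='drop (active)
  target: DROP
  interfaces: eth0
  sources:
  services:
  ports:

ssh_admins (active)
  target: default
  interfaces:
  sources: ipset:my_ipset
  services: ssh
  ports:
'
audit_sample_before() { printf '%s\n' "$SAMPLE_BEFORE" | audit_ssh_exposure; }
audit_sample_after()  { printf '%s\n' "$SAMPLE_AFTER"  | audit_ssh_exposure; }

# Usage: ./ssh-allowlist.sh apply
#        firewall-cmd --list-all-zones | ./ssh-allowlist.sh audit
case "${1:-}" in
    apply) apply_ssh_allowlist ;;
    audit) audit_ssh_exposure ;;
esac
```

The audit is the check worth keeping around: after any zone change, pipe `firewall-cmd --list-all-zones` through it and it exits non-zero as soon as a zone that owns an interface also lists ssh, which is exactly the state charlie77 started from. Inactive zones such as the default public zone are ignored because they bind no interface.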

Re: Filtering with firewalld doesn't work

Posted: 2019/06/13 14:10:22
by charlie77
Thank you, now SSH restriction is working

How can I allow ICMP echo-reply from any IP? Using a new zone?

Re: Filtering with firewalld doesn't work

Posted: 2019/06/13 17:31:34
by jlehtone
Perhaps zone 'drop' is too strict after all.

If one of the builtin zones matches your requirements, then use it.
If close, just modify it. Otherwise, make a custom zone for eth0.

Fine-tuning ICMP rules:
https://access.redhat.com/documentation ... p_requests