Filtering with firewalld doesn't work
Posted: 2019/06/11 09:07:35
by charlie77
I would like to restrict SSH access to a few IP addresses.
# firewall-cmd --get-default-zone
my_zone
# firewall-cmd --list-all
my_zone (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: eth0
  sources: ipset:my_ipset
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
# firewall-cmd --info-ipset=my_ipset
my_ipset
  type: hash:ip
  options:
  entries: 10.1.1.1 10.2.2.2
But any IP can connect with SSH.
Re: Filtering with firewalld doesn't work
Posted: 2019/06/11 20:20:11
by jlehtone
Every interface has a zone.
A package comes in.
If it is from 10.1.1.1 or 10.2.2.2, then it goes to zone my_zone that allows ssh.
Else it goes to interface eth0's zone my_zone that allows ssh.
Have two zones:
A has only the sources, but no interface, and allows ssh.
B is on interface eth0 and does not allow ssh.
Re: Filtering with firewalld doesn't work
Posted: 2019/06/12 10:33:16
by charlie77
Thank you, can you give me a configuration example?
Re: Filtering with firewalld doesn't work
Posted: 2019/06/13 13:49:59
by jlehtone
Based on what you have, this might suffice:
nmcli con mod eth0 connection.zone drop
Then you will have two active zones:
* builtin zone 'drop' that accepts nothing via eth0
* 'my_zone' that allows ssh from the sources that you did set
A source zone (my_zone) has higher priority than the interface zone (drop).
Re: Filtering with firewalld doesn't work
Posted: 2019/06/13 14:10:22
by charlie77
Thank you, now SSH restriction is working.
How can I allow ICMP echo-reply from any IP? Using a new zone?
Re: Filtering with firewalld doesn't work
Posted: 2019/06/13 17:31:34
by jlehtone
Perhaps zone 'drop' is too strict after all.
If one of the builtin zones matches your requirements, then use it.
If close, just modify it. Otherwise, make a custom zone for eth0.
Fine-tuning ICMP rules:
https://access.redhat.com/documentation ... p_requests
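A script for the two-zone layout described in the replies above (a source zone that allows ssh, a separate zone bound to eth0 that does not), extended with the later suggestion of a custom zone for eth0 instead of the builtin 'drop' zone so that ICMP can still be allowed. This is an added example, not code from the thread or from firewalld's documentation; it assumes the NetworkManager connection is named eth0 as in the thread, that my_zone and my_ipset already exist as shown in the first post, and the zone name eth0_zone is my own choice.

```shell
#!/bin/sh
# Added example: two-zone firewalld layout for "ssh only from an ipset".
# Assumed names (change to match your system):
CON="${CON:-eth0}"            # NetworkManager connection name (assumed == interface)
SRC_ZONE="${SRC_ZONE:-my_zone}"   # existing zone with sources: ipset:my_ipset, services: ssh
IF_ZONE="${IF_ZONE:-eth0_zone}"   # new custom zone for the interface (hypothetical name)

# Print the commands instead of running them, so the plan can be reviewed first.
# Order matters: the zone must exist (--permanent) before it can be configured,
# and --reload makes the permanent configuration live.
plan_firewalld_cmds() {
    cat <<EOF
firewall-cmd --permanent --new-zone=$IF_ZONE
firewall-cmd --permanent --zone=$IF_ZONE --set-target=DROP
firewall-cmd --permanent --zone=$IF_ZONE --add-protocol=icmp
nmcli con mod $CON connection.zone $IF_ZONE
firewall-cmd --reload
EOF
}
# Notes on the plan:
#  - $IF_ZONE has target DROP and no services, so ssh from unlisted addresses
#    is dropped; allowing the icmp protocol keeps echo/echo-reply working.
#  - Binding the interface via nmcli moves eth0 out of $SRC_ZONE, which then
#    matches only the ipset sources. Source zones win over interface zones.

# Live check (only meaningful on a host with firewalld): both zones active,
# ssh allowed in the source zone and NOT in the interface zone.
verify_zones() {
    firewall-cmd --get-active-zones
    if firewall-cmd --zone="$IF_ZONE" --query-service=ssh; then
        echo "ssh is still allowed in $IF_ZONE" >&2
        return 1
    fi
    firewall-cmd --zone="$SRC_ZONE" --query-service=ssh
}

# Run with "apply" as the first argument to execute the plan; otherwise only show it.
if [ "${1:-}" = "apply" ] && command -v firewall-cmd >/dev/null 2>&1; then
    plan_firewalld_cmds | sh -e && verify_zones
elif [ "${1:-}" = "plan" ]; then
    plan_firewalld_cmds
fi
```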