Filtering with firewalld doesn't work

charlie77
Posts: 3
Joined: 2019/06/11 09:02:15

Filtering with firewalld doesn't work

Post by charlie77 » 2019/06/11 09:07:35

I would like to restrict SSH access to a few IP addresses.

# firewall-cmd --get-default-zone
my_zone

# firewall-cmd --list-all
my_zone (active)
target: DROP
icmp-block-inversion: no
interfaces: eth0
sources: ipset:my_ipset
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

# firewall-cmd --info-ipset=my_ipset
my_ipset
type: hash:ip
options:
entries: 10.1.1.1 10.2.2.2

But any IP can connect with SSH.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Filtering with firewalld doesn't work

Post by jlehtone » 2019/06/11 20:20:11

Every interface has a zone.

A packet comes in.
If it is from 10.1.1.1 or 10.2.2.2, then it goes to zone my_zone that allows ssh.
Else it goes to interface eth0's zone my_zone that allows ssh.

Have two zones:
A has only the sources, but no interface, and allows ssh.
B is on interface eth0 and does not allow ssh.

charlie77
Posts: 3
Joined: 2019/06/11 09:02:15

Re: Filtering with firewalld doesn't work

Post by charlie77 » 2019/06/12 10:33:16

Thank you, can you give me a configuration example?

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Filtering with firewalld doesn't work

Post by jlehtone » 2019/06/13 13:49:59

Based on what you have, this might suffice:

nmcli con mod eth0 connection.zone drop
Then you will have two active zones:
* builtin zone 'drop' that accepts nothing via eth0
* 'my_zone' that allows ssh from the sources that you did set

A source zone (my_zone) has higher priority than the interface zone (drop).

charlie77
Posts: 3
Joined: 2019/06/11 09:02:15

Re: Filtering with firewalld doesn't work

Post by charlie77 » 2019/06/13 14:10:22

Thank you, now the SSH restriction is working.

How can I allow ICMP echo-reply from any IP? Using a new zone?

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Filtering with firewalld doesn't work

Post by jlehtone » 2019/06/13 17:31:34

Perhaps zone 'drop' is too strict after all.

If one of the builtin zones matches your requirements, then use it.
If close, just modify it. Otherwise, make a custom zone for eth0.

Fine-tuning ICMP rules:
https://access.redhat.com/documentation ... p_requests
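As an added example (not from the thread or from jlehtone), this script puts the two-zone layout from the earlier reply and the custom-zone advice above into one place: my_zone, ipset my_ipset and eth0 are the thread's names, while the zone name eth0_zone and the NetworkManager connection name eth0 are assumptions, and it lets in ICMP echo-request (incoming ping) as my reading of the echo-reply question. The zone_for_source function only models the matching order stated in the thread (source zone before interface zone) so the rules can be reasoned about without a live firewalld.

```shell
#!/bin/sh
# Added example, not from the thread: the two-zone layout jlehtone describes,
# with a custom zone for eth0 instead of builtin 'drop' so that ping still works.
# From the thread: zone my_zone (sources ipset:my_ipset, service ssh) and NIC eth0.
# Assumed: the zone name "eth0_zone" and the NetworkManager connection name "eth0".
# Run as root; with DRY_RUN=1 the commands are printed instead of executed.
set -eu

SRC_ZONE="my_zone"      # existing source zone, left exactly as the thread shows it
IFACE_ZONE="eth0_zone"  # hypothetical name for the zone bound to eth0
NIC="eth0"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

configure_zones() {
    # Interface zone: owns eth0, target DROP, no ssh service at all.
    run firewall-cmd --permanent --new-zone="$IFACE_ZONE"
    run firewall-cmd --permanent --zone="$IFACE_ZONE" --set-target=DROP
    # icmp-block-inversion turns the block list into an allow list, so only
    # echo-request (ping) is accepted in this zone, from any address.
    run firewall-cmd --permanent --zone="$IFACE_ZONE" --add-icmp-block-inversion
    run firewall-cmd --permanent --zone="$IFACE_ZONE" --add-icmp-block=echo-request
    run firewall-cmd --reload
    # Bind eth0 the way the thread does (NetworkManager owns the interface);
    # this also takes eth0 out of my_zone, which then matches on sources only.
    run nmcli con mod "$NIC" connection.zone "$IFACE_ZONE"
    # Make the strict zone the default so an interface without an explicit
    # zone does not land in my_zone, where ssh would be open to anyone on it.
    run firewall-cmd --set-default-zone="$IFACE_ZONE"
}

# Zone a packet lands in, following the matching order from the thread:
# a zone bound to the source address wins over the zone bound to the NIC.
# $1 = source address, remaining arguments = entries of the ipset.
zone_for_source() {
    ip="$1"; shift
    zone="$IFACE_ZONE"
    for entry in "$@"; do
        if [ "$entry" = "$ip" ]; then zone="$SRC_ZONE"; fi
    done
    echo "$zone"
}

if [ "${1:-}" = "apply" ]; then
    configure_zones
fi
```

Check the result with `firewall-cmd --get-active-zones`: eth0 should appear under eth0_zone and ipset:my_ipset under my_zone.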
