I have a server in the DMZ with an IP of 192.168.10.50. I want to block it so that if it is hacked, nobody can get into the rest of the 192.168.10.x/24 network.
How would I properly jail that server in the DMZ so that if it is broken into, nobody can enter the rest of the DMZ network?
The hard part is that I of course don't want to block access to the router or the gateway, because packets need to be able to go out to the other networks/internet.
Firewalld
Re: Firewalld
Can't you just filter based on the source address using the rich language in firewalld?
Re: Firewalld
I guess. That is what I am trying to find out. I am new to firewalld.
I tried something like
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.250.50" destination address="192.168.250.0/24" reject', but it complains I don't have an element. Also, how do I properly make sure it is not blocking traffic to destination 192.168.250.1? Are rich rules order based? Like, can I then add a similar rule of firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.250.50" destination address="192.168.250.1" accept'?
When I add a rich rule, does it create an implicit deny also?
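As an added illustration (not code from this thread), the following Python model walks a packet through firewalld's documented rich-rule ordering: without a priority, accept rules land in the zone's allow chain, which is evaluated after the deny chain holding reject/drop rules, so adding the gateway accept after the /24 reject does not rescue gateway traffic, whereas a negative rich-rule priority (firewalld 0.7 and later) does. The addresses are taken from the question and the external address is a constructed RFC 5737 example; the model assumes the traffic actually traverses the host running firewalld and ignores the zone's own service and port rules.

```python
import ipaddress
from dataclasses import dataclass

# Sample addresses from the thread: the DMZ host to jail, the gateway it must
# still reach, and the rest of the DMZ /24. 198.51.100.10 is a constructed
# "somewhere on the internet" address (RFC 5737 documentation range).
HOST, GATEWAY, DMZ = "192.168.250.50", "192.168.250.1", "192.168.250.0/24"
EXTERNAL = "198.51.100.10"

# Priority-0 rich rules are split into per-zone chains walked in this order:
# log, then deny (drop/reject), then allow (accept), whatever order they were added in.
ACTION_RANK = {"log": 0, "drop": 1, "reject": 1, "accept": 2}

@dataclass
class RichRule:
    source: str
    destination: str
    action: str
    priority: int = 0  # rich-rule "priority" attribute (firewalld >= 0.7); lower runs first

    def matches(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.source, strict=False)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.destination, strict=False))

def evaluate(rules, src: str, dst: str) -> str:
    """Action of the first matching rule: non-zero priorities order strictly by
    priority around the priority-0 rules, which use the log/deny/allow chain order."""
    def rank(r):
        return (r.priority, ACTION_RANK[r.action] if r.priority == 0 else 0)
    for r in sorted(rules, key=rank):
        if r.matches(src, dst):
            return r.action
    return "zone-default"  # no rich rule matched; the zone's target decides

# The two rules proposed in the thread, added reject first and accept second.
proposed = [RichRule(HOST, DMZ, "reject"), RichRule(HOST, GATEWAY, "accept")]

# Same intent, but the gateway accept carries a negative priority so it is
# evaluated before the reject; in rich-language syntax that is
# rule priority="-10" family="ipv4" source address="..." destination address="..." accept
prioritised = [RichRule(HOST, DMZ, "reject"),
               RichRule(HOST, GATEWAY, "accept", priority=-10)]

def isolation_report(rules) -> dict:
    """What happens to traffic from HOST toward the gateway, a DMZ neighbour and the outside."""
    return {dst: evaluate(rules, HOST, dst) for dst in (GATEWAY, "192.168.250.77", EXTERNAL)}

if __name__ == "__main__":
    print("proposed:   ", isolation_report(proposed))
    print("prioritised:", isolation_report(prioritised))
```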
Re: Firewalld
All things must be ordered in some manner; it's the nature of computing. The main problem is that the order may or may not be what you think it is or should be.
I suggest you have a look at https://fedoraproject.org/wiki/Features ... chLanguage - it's the best resource I've come across about rich syntax.