Firewalld interface issue

Support for security such as Firewalls and securing linux
PeteH
Posts: 6
Joined: 2018/12/20 17:34:39

Firewalld interface issue

Post by PeteH » 2019/01/10 17:13:21

All,
I'm trying to use firewall-cmd to set up firewallD.
I've got 2 interfaces:
ens192, which is internet-facing and on which I (currently) want to drop all incoming packets
ens224, which I want to accept only ssh and smtp packets; all other packets should be rejected

To facilitate this I've created a new zone called inside; here's the /etc/firewalld/zones/inside.xml:
<?xml version="1.0" encoding="utf-8"?>
<zone target="%%REJECT%%">
  <service name="smtp"/>
  <service name="ssh"/>
</zone>

Here's the relevant stanza from firewall-cmd --list-all-zones:

inside (active)
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: ens224
  sources:
  services: smtp ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

So looking at that I would expect it to reject any incoming packet on ens224 that isn't on port 22 or 25. Problem is it doesn't. I've tried varying the target to ACCEPT and default; still nothing getting through. It's almost like ens224 isn't listening at all when firewalld is started (and yes, I've checked the zone information in ifcfg-ens224).

Any idea what I'm missing? I've tried moving ens224 into trusted too, but that has no effect either; it's almost like I've got to enable a link between firewalld and ens224, but where?

Pete
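An added check, not from the post and not part of firewalld, that parses `firewall-cmd --list-all-zones` output like the stanza above and compares each interface's active zone against the intent stated in the post (ens192 drops everything, ens224 accepts only ssh and smtp). The sample output is constructed; the zone names, targets and interface names are the ones the post uses.

```python
# Constructed sample of `firewall-cmd --list-all-zones` output, trimmed to the
# fields this check reads (not captured from the poster's system).
SAMPLE = """\
drop (active)
  target: DROP
  interfaces: ens192
  services:

inside (active)
  target: %%REJECT%%
  interfaces: ens224
  services: smtp ssh

public
  target: default
  services: ssh dhcpv6-client
"""

def parse_zones(text):
    """Map zone name -> {active, target, interfaces, services}. Headers are the
    colon-free lines ('inside (active)'); fields carry a colon, so the parse works
    whether or not the two-space indentation survived copy/paste."""
    zones, cur = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if ":" not in line:
            name, _, flag = line.partition(" ")
            cur = zones[name] = {"active": flag == "(active)", "target": "default",
                                 "interfaces": set(), "services": set()}
        elif cur is not None:
            key, _, val = line.partition(":")
            if key == "target":
                cur["target"] = val.strip()
            elif key in ("interfaces", "services"):
                cur[key] = set(val.split())
    return zones

def check_interface(zones, iface, want_target, want_services):
    """Findings for one interface; an empty list means live state matches intent."""
    bound = [z for z, d in zones.items() if d["active"] and iface in d["interfaces"]]
    if not bound:
        # Unassigned interfaces fall under the default zone, so a custom zone's rules never apply.
        return [f"{iface}: not bound to any active zone (default zone applies)"]
    findings = []
    for z in bound:
        d = zones[z]
        if d["target"] != want_target:
            findings.append(f"{iface}/{z}: target {d['target']}, wanted {want_target}")
        if d["services"] != set(want_services):
            findings.append(f"{iface}/{z}: services {sorted(d['services'])}, "
                            f"wanted {sorted(want_services)}")
    return findings
```

Feed it the real output with `firewall-cmd --list-all-zones | python3 -c '...'` or paste the stanza; an interface that appears in no active zone is the first thing to look at, since the zone file's target and services do nothing for it.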

PeteH
Posts: 6
Joined: 2018/12/20 17:34:39

Re: Firewalld interface issue

Post by PeteH » 2019/01/15 17:28:13

All,
Forget it. I've come to the conclusion firewalld doesn't seem to like it when you go creating your own zones (which I did because the predefined zones didn't give me exactly what I wanted, and there's limited functionality, e.g. you can't remove ssh from DMZ; it comes back and tells you it's predefined). I'm going back to iptables, a bit retrograde I know, but if the new stuff doesn't work I need to go back to what does. Maybe I'll get what I'm looking for in CentOS 8.

Pete H

TrevorH
Forum Moderator
Posts: 24322
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Firewalld interface issue

Post by TrevorH » 2019/01/16 01:01:37

If that's the case then I'd recommend you download the RHEL 8 beta and give it a test drive and provide your feedback. RH have decided that iptables is dead and that nftables should be the new way and that firewalld is the preferred way to use nftables. I have not yet tested it myself but I gather that there is an nftables-service package so hopefully those of us that think firewalld is a toy don't have to use it.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke
