Firewalld interface issue

Support for security such as Firewalls and securing linux
PeteH
Posts: 6
Joined: 2018/12/20 17:34:39

Firewalld interface issue

Post by PeteH » 2019/01/10 17:13:21

All,
I'm trying to use firewall-cmd to set up firewallD.
I've got 2 interfaces:
ens192, which is internet facing and on which I want to (currently) drop all incoming packets;
ens224, on which I want to accept only ssh and smtp packets; all other packets should be rejected.

To facilitate this I've created a new zone called inside; here's the /etc/firewalld/zones/inside.xml:
<?xml version="1.0" encoding="utf-8"?>
<zone target="%%REJECT%%">
<service name="smtp"/>
<service name="ssh"/>
</zone>

Here's the relevant stanza from firewall-cmd --list-all-zones:

inside (active)
target: %%REJECT%%
icmp-block-inversion: no
interfaces: ens224
sources:
services: smtp ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

So looking at that I would expect it to reject any incoming packet on ens224 that isn't on port 22 or 25. Problem is it doesn't. I've tried varying the target to ACCEPT and default; still nothing getting through. It's almost like ens224 isn't listening at all when firewalld is started (and yes, I've checked the zone information in ifcfg-ens224).

Any idea what I'm missing? I've tried moving ens224 into trusted too but that has no effect either, it's almost like I've got to enable a link between firewalld and ens224 but where?

Pete

PeteH
Posts: 6
Joined: 2018/12/20 17:34:39

Re: Firewalld interface issue

Post by PeteH » 2019/01/15 17:28:13

All,
Forget it. I've come to the conclusion firewalld doesn't seem to like it when you go creating your own zones (which I did because the predefined zones didn't give me exactly what I wanted and there's limited functionality, e.g. you can't remove ssh from DMZ; it comes back and tells you it's predefined). I'm going back to iptables, a bit retrograde I know, but if the new stuff doesn't work I need to go back to what does. Maybe I'll get what I'm looking for in CentOS 8.

Pete H

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Firewalld interface issue

Post by TrevorH » 2019/01/16 01:01:37

If that's the case then I'd recommend you download the RHEL 8 beta and give it a test drive and provide your feedback. RH have decided that iptables is dead and that nftables should be the new way and that firewalld is the preferred way to use nftables. I have not yet tested it myself but I gather that there is an nftables-service[s] package so hopefully those of us that think firewalld is a toy don't have to use it.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Firewalld interface issue

Post by hunter86_bg » 2019/01/26 09:11:28

Maybe you can try to create your zone via 'firewall-cmd' commands.
I'm not sure that your zone definition is completely correct and that could be the root cause.
Still, I think firewalld is great for simple rules, while advanced features should be addressed via iptables and nftables respectively.
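One way to follow this advice and check where the interface actually ended up: the script below (an added example for this thread, not code from firewalld or from any poster) parses a firewalld zone XML file like the inside.xml from the first post and emits the equivalent permanent firewall-cmd commands, a reload, and the queries that show which zone ens224 is bound to. It assumes the zone name "inside" and interface "ens224" from the thread; the XML is the one posted above.

```python
"""Turn a firewalld zone XML file into the firewall-cmd calls that recreate it.

Added example for this thread, not firewalld's own code. The sample XML is the
'inside' zone as posted; zone and interface names are the ones from the thread.
"""
import shlex
import xml.etree.ElementTree as ET

# Zone file as posted in the thread: a target, two services, no <interface> entry.
INSIDE_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone target="%%REJECT%%">
<service name="smtp"/>
<service name="ssh"/>
</zone>
"""


def parse_zone(xml_text):
    """Return the parts of a zone file that matter here: target, services, interfaces."""
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        raise ValueError("root element must be <zone>, got <%s>" % root.tag)
    return {
        "target": root.get("target", "default"),
        "services": [s.get("name") for s in root.findall("service")],
        "interfaces": [i.get("name") for i in root.findall("interface")],
    }


def zone_to_commands(name, zone, extra_interfaces=()):
    """Permanent commands that rebuild the zone, then a reload and the queries
    that confirm the interface really landed in it (and in no other zone)."""
    z = "--permanent --zone=%s" % shlex.quote(name)
    cmds = ["firewall-cmd --permanent --new-zone=%s" % shlex.quote(name)]
    if zone["target"] != "default":
        cmds.append("firewall-cmd %s --set-target=%s" % (z, shlex.quote(zone["target"])))
    for svc in zone["services"]:
        cmds.append("firewall-cmd %s --add-service=%s" % (z, shlex.quote(svc)))
    # An interface can be bound in the zone file or via ZONE= in ifcfg-<iface>;
    # binding it explicitly makes firewalld's own config the single source of truth.
    ifaces = list(zone["interfaces"]) + list(extra_interfaces)
    for iface in ifaces:
        cmds.append("firewall-cmd %s --add-interface=%s" % (z, shlex.quote(iface)))
    cmds.append("firewall-cmd --reload")
    for iface in ifaces:
        cmds.append("firewall-cmd --get-zone-of-interface=%s" % shlex.quote(iface))
    cmds.append("firewall-cmd --get-active-zones")
    return cmds


if __name__ == "__main__":
    print("\n".join(zone_to_commands("inside", parse_zone(INSIDE_ZONE_XML), ["ens224"])))
```

Run the printed commands as root; if --get-zone-of-interface reports a zone other than inside, the ifcfg ZONE= binding and the firewalld binding disagree and that is the first thing to reconcile.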

MartinR
Posts: 714
Joined: 2015/05/11 07:53:27
Location: UK

Re: Firewalld interface issue

Post by MartinR » 2019/01/26 13:08:37

RH Beta requires additional information beyond a simple developer login. One mandatory piece is a company name, a problem if you are currently not employed.
