Firewalld interface issue

Posted: 2019/01/10 17:13:21
by PeteH
All,
I'm trying to use firewall-cmd to set up firewalld.
I've got 2 interfaces:
ens192, which is internet-facing and on which I want to (currently) drop all incoming packets
ens224, on which I want to accept only ssh and smtp packets; all other packets should be rejected

To facilitate this I've created a new zone called inside; here's /etc/firewalld/zones/inside.xml:
<?xml version="1.0" encoding="utf-8"?>
<zone target="%%REJECT%%">
<service name="smtp"/>
<service name="ssh"/>
</zone>

Here's the relevant stanza from firewall-cmd --list-all-zones:

inside (active)
target: %%REJECT%%
icmp-block-inversion: no
interfaces: ens224
sources:
services: smtp ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

So looking at that I would expect it to reject any incoming packet on ens224 that isn't on port 22 or 25. Problem is it doesn't. I've tried varying the target to ACCEPT and default; still nothing getting through. It's almost like ens224 isn't listening at all when firewalld is started (and yes, I've checked the zone information in ifcfg-ens224).

Any idea what I'm missing? I've tried moving ens224 into trusted too, but that has no effect either; it's almost like I've got to enable a link between firewalld and ens224, but where?

Pete
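
As an added example (not part of the thread), a small Python checker that parses the zone file and the --list-all-zones stanza quoted above and reports the conditions that make a zone look like it does nothing: the zone not loaded at runtime, no interface or source bound to it, or the runtime state drifting from the permanent file. The list output is re-typed from the post rather than captured live; the second parser assumes the plain "key: value" layout firewall-cmd prints.

```python
import re
import xml.etree.ElementTree as ET
# Zone file and --list-all-zones stanza as quoted in the post above.
INSIDE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone target="%%REJECT%%">
<service name="smtp"/>
<service name="ssh"/>
</zone>"""
LIST_OUTPUT = """inside (active)
target: %%REJECT%%
interfaces: ens224
sources:
services: smtp ssh
"""

def parse_zone_xml(text):
    """Permanent definition from /etc/firewalld/zones/<zone>.xml: target and services."""
    root = ET.fromstring(text)
    return {"target": root.get("target", "default"),
            "services": sorted(s.get("name") for s in root.findall("service"))}

def parse_list_all(text, zone):
    """Runtime state of one zone from `firewall-cmd --list-all-zones` output."""
    state, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^([^\s:]+)(?: \(active\))?$", line.strip())
        if head:                       # zone header such as "inside (active)"
            current = head.group(1)
            continue
        kv = re.match(r"^\s*([\w-]+):\s*(.*)$", line)
        if kv and current == zone:     # "services: smtp ssh" -> ["smtp", "ssh"]
            state[kv.group(1)] = kv.group(2).split()
    return state

def audit(permanent, runtime):
    """Findings: a zone that cannot match traffic, or runtime drifting from the file."""
    if not runtime:
        return ["zone not present at runtime: check the file name and run --reload"]
    findings = []
    if not runtime.get("interfaces") and not runtime.get("sources"):
        findings.append("no interface or source bound: zone is inactive, rules never match")
    rt_target = runtime.get("target", ["default"])[0]
    if rt_target != permanent["target"]:
        findings.append("target drift: runtime %s, file %s" % (rt_target, permanent["target"]))
    if sorted(runtime.get("services", [])) != permanent["services"]:
        findings.append("service drift: runtime %s, file %s" % (runtime.get("services"), permanent["services"]))
    return findings

if __name__ == "__main__":
    print(audit(parse_zone_xml(INSIDE_XML), parse_list_all(LIST_OUTPUT, "inside")))
```

On the stanza from the post the audit returns no findings, which is consistent with the poster's observation that the zone definition itself looks right.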

Re: Firewalld interface issue

Posted: 2019/01/15 17:28:13
by PeteH
All,
Forget it. I've come to the conclusion firewalld doesn't seem to like it when you go creating your own zones (which I did because the predefined zones didn't give me exactly what I wanted and there's limited functionality, e.g. you can't remove ssh from DMZ; it comes back and tells you it's predefined). I'm going back to iptables, a bit retrograde, I know, but if the new stuff doesn't work I need to go back to what does. Maybe I'll get what I'm looking for in CentOS 8.

Pete H

Re: Firewalld interface issue

Posted: 2019/01/16 01:01:37
by TrevorH
If that's the case then I'd recommend you download the RHEL 8 beta and give it a test drive and provide your feedback. RH have decided that iptables is dead and that nftables should be the new way and that firewalld is the preferred way to use nftables. I have not yet tested it myself but I gather that there is an nftables-service[s] package so hopefully those of us that think firewalld is a toy don't have to use it.

Re: Firewalld interface issue

Posted: 2019/01/26 09:11:28
by hunter86_bg
Maybe you can try to create your zone via 'firewall-cmd' commands.
I'm not sure that your zone definition is completely correct, and that could be the root cause.
Still, I think firewalld is great for simple rules, while advanced features should be addressed via iptables and nftables respectively.

Re: Firewalld interface issue

Posted: 2019/01/26 13:08:37
by MartinR
RH Beta requires additional information beyond a simple developer login. One mandatory piece is a company name, a problem if you are currently not employed.