Firewalld interface issue
Posted: 2019/01/10 17:13:21
All,
I'm trying to use firewall-cmd to set up firewallD.
I've got 2 interfaces
ens192, which is internet facing, and on which I want to (currently) drop all incoming packets
ens224, on which I want to accept only ssh and smtp packets; all other packets should be rejected
To facilitate this I've created a new zone called inside; here's the /etc/firewalld/zones/inside.xml
<?xml version="1.0" encoding="utf-8"?>
<zone target="%%REJECT%%">
<service name="smtp"/>
<service name="ssh"/>
</zone>
here's the relevant stanza from firewall-cmd --list-all-zones
inside (active)
target: %%REJECT%%
icmp-block-inversion: no
interfaces: ens224
sources:
services: smtp ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
So looking at that, I would expect it to reject any incoming packet on ens224 that isn't on port 22 or 25. Problem is, it doesn't. I've tried varying the target to ACCEPT and default; still nothing gets through. It's almost like ens224 isn't listening at all when firewalld is started (and yes, I've checked the zone information in ifcfg-ens224).
Any idea what I'm missing? I've tried moving ens224 into trusted too, but that has no effect either; it's almost like I've got to enable a link between firewalld and ens224, but where?
Pete
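A check worth running before changing any zone: confirm which zone firewalld has actually bound each interface to, and what that zone's target is, straight from the `firewall-cmd --list-all-zones` listing. The script below is an added example, not from the post; it embeds a constructed listing modelled on the "inside" stanza above (real output indents the fields by two spaces, which the post's copy has lost), and the `zone_of_interface`, `zone_target` and `audit_zones` function names are my own.

```shell
#!/bin/sh
# Audit firewalld zone bindings from `firewall-cmd --list-all-zones` output.
# On a live host: firewall-cmd --list-all-zones | audit_zones ens224 ens192
# The constructed sample below lets the script run where firewalld is absent.

# Constructed sample listing; real output indents stanza fields by two spaces.
SAMPLE_LISTING='public
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources:
  services: dhcpv6-client ssh
  ports:

inside (active)
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: ens224
  sources:
  services: smtp ssh
  ports:
'

# zone_of_interface IFACE (listing on stdin): zone that binds IFACE, or "none".
zone_of_interface() {
    awk -v ifc="$1" '
        /^[^[:space:]]/ { zone = $1; next }     # unindented line = zone header
        $1 == "interfaces:" { for (i = 2; i <= NF; i++) if ($i == ifc) { print zone; found = 1; exit } }
        END { if (!found) print "none" }'
}

# zone_target ZONE (listing on stdin): the zone's target, or "unknown".
zone_target() {
    awk -v z="$1" '
        /^[^[:space:]]/ { inzone = ($1 == z); next }
        inzone && $1 == "target:" { print $2; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# audit_zones IFACE... (listing on stdin): prints "iface zone target" per interface.
# An interface reported as "none" is governed by the default zone, not the one edited.
audit_zones() {
    listing=$(cat)
    for ifc in "$@"; do
        z=$(printf '%s\n' "$listing" | zone_of_interface "$ifc")
        t=$(printf '%s\n' "$listing" | zone_target "$z")
        printf '%s %s %s\n' "$ifc" "$z" "$t"
    done
}

printf '%s' "$SAMPLE_LISTING" | audit_zones ens224 ens192 eth0
```

If the live listing shows the interface in the expected zone with the expected target and traffic still behaves the same under ACCEPT, DROP and REJECT, the filtering decision is being made somewhere other than this zone, and that is where to look next.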