On a linux networked machine, i would like to restrict the set of addresses on the "public" zone (firewalld concept), that are allowed to reach it. So the end result would be no other machine can access any port or protocol, except those explicitly allowed, sort of a mix of
--add-rich-rule='rule family="ipv4" source not address="192.168.56.120" drop'
--add-rich-rule='rule family="ipv4" source not address="192.168.56.105" drop'
The problem above is that this is not a real list, it will block everything since if its one address its blocked by not being the same as the other, generating an accidental "drop all" effect, how would i "unblock" a specific non contiguous set? does source accept a list of addresses? i have not see anything in my look at the docs or google result so far.
EDIT: I just created this:
# firewall-cmd --zone=encrypt --list-all
encrypt (active)
interfaces: eth1
sources: 192.168.56.120
services: ssh
ports: 6000/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
But i can still reach port 6000 from .123
my intention was that if a source is not listed, it should not be able to reach any service or port