
I'm running the latest version of CentOS 7 (kernel version 3.10.0-1062.4.1.el7.x86_64). I have specified a custom firewalld zone, in which I have specified a port and a source ipset. I am expecting that both of these criteria should be applied. However, I am able to connect to the system (from an allowed source IP), but from a different port. Is this how the zone configuration is supposed to work?

Here is my zone config:

<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <port port="8080" protocol="tcp"/>
  <source ipset="authorized-ips"/>
</zone>

Here is my ipset config:

<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:ip">
  <!-- Bob's system -->
  <entry>192.168.123.123</entry>
  <!-- Bill's system -->
  <entry>192.168.123.124</entry>
</ipset>

If I connect using port 8008 or 8009, then I am still able to access the application via apache. But I have not explicitly allowed these ports through the firewall!

The output of running: firewall-cmd --list-all --zone=ACCEPT

Error: INVALID_ZONE: ACCEPT

swami
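An added example, not part of the question or the answer: the same zone file with the one attribute that decides whether the port element is enforced. In firewalld, a zone's target applies to every packet that was assigned to the zone (here, by matching the ipset source) but matches none of the zone's port, service or rich rules. With target="ACCEPT" such packets are accepted, so everything from the listed IPs gets through regardless of port; with target="default" (the value a zone gets when the attribute is omitted) they are rejected and only port 8080/tcp from the ipset is accepted. The file name is an assumption; firewalld names the zone after the file, so it is inspected with the file's base name, not with the target value.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Assumed path: /etc/firewalld/zones/authorized.xml
     The zone name is the file name ("authorized"), which is why
     "--zone=ACCEPT" reports INVALID_ZONE: ACCEPT is a target, not a zone. -->
<zone target="default">
  <short>authorized</short>
  <description>Hosts in the authorized-ips ipset may reach 8080/tcp only.</description>
  <!-- Only this port is accepted for traffic assigned to the zone. -->
  <port port="8080" protocol="tcp"/>
  <!-- Packets whose source address is in the ipset are assigned to this zone.
       Any other port they try (8008, 8009, ...) now hits the zone target,
       which for "default" is a reject. Addresses not in the ipset never
       enter this zone and are handled by the system's default zone instead. -->
  <source ipset="authorized-ips"/>
</zone>
```

After saving the file, apply it with firewall-cmd --reload and check the parsed result with firewall-cmd --list-all --zone=authorized (the base name of the file); the target line in that output is the setting to verify.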

1 Answer


It's unusual to edit firewalld this way. Can you post output from firewall-cmd --list-all --zone=ACCEPT - this way we'd know how your config was parsed and implemented by the daemon.

J D

Comment: Have added the response to the original question. (Could you tell me why it is unusual to manage firewalld this way, and what would be a more appropriate way to achieve the same thing?) – swami Mar 09 '20 at 07:30