I'm trying to set up firewalld for the first time. I have two types of rules I'd like to add:
- Rules which only allow traffic on specific ports with certain sources.
- Rules which allow ALL traffic from specific sources.
So let's say I create a new zone called "myZone". I want to allow ALL traffic from 10.95.0.0/16, but only LDAP-related traffic from 10.96.59.23.
So I add the sources to "myZone":
firewall-cmd --permanent --zone=myZone --add-source=10.95.0.0/16
firewall-cmd --permanent --zone=myZone --add-source=10.96.59.23
Now it's time to add the LDAP port which I want to allow traffic on:
firewall-cmd --zone=myZone --add-port=389/tcp
However, what will this do exactly? I imagine this is being applied to all sources in "myZone"? I want to restrict 10.96.59.23 to LDAP traffic only, but allow ANY traffic for 10.95.0.0/16. I have a feeling I'm missing something fundamental here.
Theoretically, I thought I could create two zones, let's say "workstationZone" and "ldapZone". I can then assign port 389 to "ldapZone". However, I can't seem to get multiple zones assigned to a single interface.
# firewall-cmd --zone workstationZone --add-interface ens32 --permanent
success
# firewall-cmd --zone ldapZone --add-interface ens32 --permanent
success
# firewall-cmd --get-active-zones
workstationZone
  interfaces: ens32
  sources: 10.95.0.0/16
ldapZone
  sources: 10.96.59.23
I was hoping in the above that my "ens32" interface would be added to both zones.
Another option I see is using "rich rules"; however, there seem to be a lot of recommendations to avoid using them because they are difficult to maintain.
Again, I feel like I'm missing something totally fundamental, but even after reading a couple of guides, I'm just not getting it. If anyone can help set me straight, it would be much appreciated.