
I have two firewalld zones configured as follows:

zone: ssh-access
source: 1.2.3.4
ports: 9999/tcp

zone: other-access
source: 5.6.7.8
ports: 8888/tcp

We temporarily want to unrestrict access to the ssh-access zone on port 9999/tcp so we replace the source so that zone is configured as follows:

zone: ssh-access
source: 0.0.0.0/0
ports: 9999/tcp

This has the desired effect for the ssh-access zone.

However, once we do that, the source 5.6.7.8 for zone other-access fails to communicate over port 8888/tcp until the 0.0.0.0/0 source for ssh-access is reverted back to its original value.

I feel like I'm overlooking something simple...

tl;dr: we want to allow any source to communicate over port 9999/tcp but keep it restricted to the defined source for port 8888/tcp.

Chris

1 Answer


So, perhaps somewhat obviously, this does what I want it to do.

firewall-cmd --zone=public --add-port=9999/tcp

It means I don't have to change anything in the ssh-access zone, and the public zone won't interfere with anything.

Going to call this solved now.

Chris
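A simplified model of firewalld's source-based zone dispatch, added here to illustrate both the failure in the question (a 0.0.0.0/0 source in ssh-access swallows 5.6.7.8's traffic before other-access is consulted) and the answer's fix (open 9999/tcp in the default zone instead). This is example code, not firewalld's own logic; the evaluation order it assumes (zones checked in listed order, first matching source wins, otherwise the default zone) is a modelling assumption.

```python
# Added example: a toy model of firewalld zone selection, not firewalld code.
# Assumption: zones are checked in the order listed, the first zone whose
# source list contains the packet's address wins, and a packet that matches
# no source falls into the default zone.
from ipaddress import ip_address, ip_network


def pick_zone(zones, default, src):
    """Return the zone name a packet from `src` is dispatched to.

    A zone whose source list holds 0.0.0.0/0 matches every address, so any
    zone listed after it is never reached for source matching.
    """
    addr = ip_address(src)
    for name, cfg in zones.items():
        if any(addr in ip_network(s) for s in cfg["sources"]):
            return name
    return default


def allowed(zones, default, src, port):
    """True if `port` is open in the zone the packet lands in."""
    return port in zones[pick_zone(zones, default, src)]["ports"]


def build_zones(ssh_sources, public_ports=()):
    """Build the three-zone layout from the question (public = default zone)."""
    return {
        "ssh-access":   {"sources": list(ssh_sources), "ports": {"9999/tcp"}},
        "other-access": {"sources": ["5.6.7.8"],       "ports": {"8888/tcp"}},
        "public":       {"sources": [],                "ports": set(public_ports)},
    }


ORIGINAL = build_zones(["1.2.3.4"])                           # as first configured
WIDENED = build_zones(["0.0.0.0/0"])                          # the attempted change
FIXED = build_zones(["1.2.3.4"], public_ports=["9999/tcp"])   # the answer's approach

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("widened", WIDENED), ("fixed", FIXED)):
        for src, port in (("5.6.7.8", "8888/tcp"), ("9.9.9.9", "9999/tcp")):
            print(f"{label:8} {src:>8} -> {port}: zone={pick_zone(cfg, 'public', src):12}"
                  f" allowed={allowed(cfg, 'public', src, port)}")
```

In the widened layout the 5.6.7.8 packet is dispatched to ssh-access, where 8888/tcp is not open, which reproduces the symptom described; in the fixed layout it stays in other-access while unknown sources reach 9999/tcp through the default zone.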