I would appreciate some assistance with configuring firewalld, please. Here's a bit of background. All I want to do is prevent all access, except from whitelisted IP addresses, to a web application running on https.

I have done much googling and learnt a number of things, but none has worked yet. Here's what I have done:

  1. I can tell firewalld is running:

    # systemctl status firewalld
    firewalld.service - firewalld - dynamic firewall daemon
       Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
       Active: active (running)

also with:

    # firewall-cmd --state
    running

  2. I have the default zones:

    # firewall-cmd --get-zones
    block dmz drop external home internal public trusted work

  3. My active zones include:

    # firewall-cmd --get-active-zones
    public
    sources: 192.72.0.193 192.72.0.0/22 94.27.256.190

  4. My default zone is public:

    # firewall-cmd --get-default-zone
    public

  5. The details of public are:

    public (default)
    interfaces:
    sources: 192.72.0.193 192.72.0.0/22 94.27.256.190
    services: http https ssh
    ports:
    masquerade: no
    forward-ports:
    icmp-blocks:
    rich rules:


My understanding is that the configuration for the public zone above will grant access only to requests from any of the specified IP addresses. However, when I try accessing https://www.example.com from an IP outside the listed ones, it allows it.

dawud
pi.

1 Answer

One option is to remove the https service from the zone:

    firewall-cmd --zone=public --remove-service=https

and then use what are known as rich rules to specify which sources [IP addresses] may access which service [such as http and https], like so:

    firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="x.x.x.0/24" service name="https" log prefix="https" level="info" accept'

You might need to reload, though.

pi.
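The sequence the answer describes (drop the open https service, add one rich rule per whitelisted source, reload), wrapped in a small POSIX shell script as an added example; this is not code from the question or the answer. It assumes `firewall-cmd` is on the path, uses `--permanent` for both changes so they survive the reload, validates each source before touching the zone so that a malformed address such as `94.27.256.190` cannot leave the zone half-configured, and takes an `FW_DRY_RUN` variable (my own, not a firewalld feature) that prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the original question or answer: builds the
# firewall-cmd sequence the answer describes for a list of whitelisted IPv4
# sources. Set FW_DRY_RUN=1 to print the commands instead of executing them.

# Run firewall-cmd with the given arguments, or print the command in dry-run mode.
fw_run() {
    if [ "${FW_DRY_RUN:-0}" = "1" ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# Accept only a dotted-quad IPv4 address with an optional /0-32 prefix, so a
# typo like 94.27.256.190 (as in the question) is rejected before any rule is written.
valid_ipv4_cidr() {
    case "$1" in
        */*) addr=${1%/*}; prefix=${1#*/} ;;
        *)   addr=$1; prefix=32 ;;
    esac
    [ "$prefix" -ge 0 ] 2>/dev/null && [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Restrict https in ZONE to the listed sources, in the order the answer gives:
# validate input, drop the open https service, add one logging rich rule per
# source, then reload so the permanent rules become the runtime configuration.
whitelist_https() {
    zone=$1; shift
    for src in "$@"; do
        valid_ipv4_cidr "$src" || { echo "invalid source: $src" >&2; return 1; }
    done
    fw_run --permanent --zone="$zone" --remove-service=https
    for src in "$@"; do
        fw_run --permanent --zone="$zone" --add-rich-rule="rule family=\"ipv4\" source address=\"$src\" service name=\"https\" log prefix=\"https\" level=\"info\" accept"
    done
    fw_run --reload
}

# Dry-run demonstration with documentation-range placeholder addresses.
FW_DRY_RUN=1 whitelist_https public 192.0.2.10 198.51.100.0/24
```

After a real run, `firewall-cmd --zone=public --list-all` should show https gone from `services:` and one entry per source under `rich rules:`.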