
As I asked in this topic's comments: block all but a few IPs with firewalld

I'm looking for a way to deny all public IPs except for mine on the public zone of firewalld.

For now, my public zone just has the ssh/http/https services, and I have specified the source IPs as required all over the internet.

The thing is that I don't get why firewalld is not filtering the source IPs as requested.

Normally, from what I understand, specifying source IPs on the zone asks firewalld to drop all requests except those coming from the specified IPs.

But on my box it's not working, as I'm able to connect to the machine from home, which is not one of the specified source IPs.

Some suggest creating a new zone named "Internal/Other". The thing is that I only have one public interface, as the server is not on a private LAN, so why should I create/use another zone when the public zone should drop all IPs except those specified in the source list?

Does the firewalld public zone make the services added to it open to the world automatically?

If I create a second zone named internal, with only the ssh service and source IPs, and then link this zone to my eth0, will firewalld block all non-"sourced" IPs?

Of course, doing this presupposes that I remove the ssh service from the services served by the public zone.

My firewall is:

[root@groot ~]# firewall-cmd --list-all-zones
block
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

dmz
  interfaces:
  sources:
  services: ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

drop (default)
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

external
  interfaces:
  sources:
  services: ssh
  ports:
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:

home
  interfaces:
  sources:
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

internal (active)
  interfaces: eth0
  sources: 192.168.0.0/24
  services: ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

public
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

trusted
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

work
  interfaces:
  sources:
  services: dhcpv6-client ipp-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
Dr I

1 Answer


This looks like your problem:

internal (active)
  interfaces: eth0
  sources: 192.168.0.0/24

If you specify both interfaces and source IP addresses for a zone, then that zone matches for traffic from either the interface or the source IP addresses.

If you want the zone to match for only source IP addresses, remove the interface from it.

Michael Hampton
  • Ok, thank you very much for your help, I'm now able to block and manage my FirewallD as intended. I now understand the purpose of the zones and the interface binding. So if I understand correctly, you can have a case where someone with the intended IP coming in on a second NIC is still allowed to access the service if you don't specify that the second NIC should reject it (no source matching or zone binding)? – Dr I Jul 21 '15 at 18:31
  • You'll want to make sure you have the [reverse path filter](http://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.kernel.rpf.html) on (it is by default). This is separate from the firewall and covers obviously wrong traffic coming in the wrong interface. – Michael Hampton Jul 21 '15 at 18:34
  • Thank you very much for that information. I do know about the rp_filter kernel switch, but your doc was useful because I didn't know that a logging facility existed for this topic. – Dr I Jul 22 '15 at 10:43
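The zone-selection behaviour the answer describes, as an added simulation (example code, not part of the thread and not firewalld's own code): a zone bound to the packet's source address is chosen first, then a zone bound to the ingress interface, then the default zone. The zone table mirrors the question's listing; the 203.0.113.5 "home" address is a constructed sample.

```python
"""Simulate firewalld zone selection for an inbound packet (constructed model)."""
import copy
import ipaddress

# Zone table mirroring the relevant parts of the question's
# "firewall-cmd --list-all-zones" output; drop is the default zone there.
ZONES_BEFORE = {
    "internal": {"interfaces": {"eth0"}, "sources": {"192.168.0.0/24"},
                 "services": {"ssh"}},
    "public": {"interfaces": set(), "sources": set(),
               "services": {"dhcpv6-client", "ssh"}},
    "drop": {"interfaces": set(), "sources": set(), "services": set()},
}
DEFAULT_ZONE = "drop"


def select_zone(zones, default, iface, src_ip):
    """Zone firewalld applies to a packet from src_ip arriving on iface:
    source binding wins, then interface binding, then the default zone."""
    addr = ipaddress.ip_address(src_ip)
    for name, zone in zones.items():
        if any(addr in ipaddress.ip_network(net) for net in zone["sources"]):
            return name
    for name, zone in zones.items():
        if iface in zone["interfaces"]:
            return name
    return default


def service_allowed(zones, default, iface, src_ip, service):
    """True if the selected zone offers the service to this packet."""
    zone = select_zone(zones, default, iface, src_ip)
    return service in zones[zone]["services"]


def apply_fix(zones):
    """The answer's advice: unbind eth0 from 'internal' so the zone matches on
    source addresses only; everything else falls through to the default zone."""
    fixed = copy.deepcopy(zones)
    fixed["internal"]["interfaces"].clear()
    return fixed


if __name__ == "__main__":
    for label, table in (("before", ZONES_BEFORE), ("after", apply_fix(ZONES_BEFORE))):
        for ip in ("192.168.0.10", "203.0.113.5"):   # LAN host, constructed "home" IP
            print(label, ip, select_zone(table, DEFAULT_ZONE, "eth0", ip),
                  service_allowed(table, DEFAULT_ZONE, "eth0", ip, "ssh"))
```

Before the fix, the constructed outside address lands in `internal` through the eth0 binding and is offered ssh; after it, the same packet falls to the `drop` default zone while the 192.168.0.0/24 source still matches `internal`.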