
I can't get the services attached to the block zone working for sources attached to that zone. I was wondering what the intended purpose of source->zone<-service was!

I was trying to use the default zone as the drop zone with a few services enabled. It works fine. However, I want ICMP rejects for packets coming from a network mask (e.g. 172.128.0.0/16), but drop everything else like above with a few services enabled. So I added the netmask to the sources list in the block zone, and enabled the above services. But I can't get any services working for those source addresses!

I am confused! help?

Ex.

block
  interfaces:
  sources: 172.128.0.0/16
  services: bacula bacula-client dhcpv6-client ssh http
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules:

drop (default, active)
  interfaces: em1
  sources: 
  services: bacula bacula-client dhcpv6-client ssh http
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules:
xcorat
  • It isn't blocking those services? That's strange, it should be. – Michael Hampton Jul 25 '15 at 14:45
  • It's supposed to block? I thought services added to the drop zone are the ones allowed! (It is not blocking in the `drop` zone; I should double-check whether it works in the `block` zone.) – xcorat Jul 28 '15 at 15:02
  • No, everything you add to the `drop` and `block` zones is _dropped_ or _blocked_. – Michael Hampton Jul 28 '15 at 15:02
  • Nope, services added to the `drop` zone are definitely allowed. And that makes sense: the default for the drop zone is `-j DROP`, so there's no point in saying to drop extra services... – xcorat Jul 29 '15 at 23:45
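
To reason about what the listing in the question actually does, here is an added example (not from the post, and not firewalld's own code) that parses a `firewall-cmd --list-all-zones` style listing and applies firewalld's zone model: the zone for a packet is chosen by source binding first, then interface binding, then the default zone, and a service listed in a zone is an ACCEPT rule matched before that zone's target is applied to everything else. The zone targets are an assumption, since this 2015 listing does not print a `target:` line.

```python
import ipaddress

# Constructed input: the two zones from the question, in the format that
# `firewall-cmd --list-all-zones` printed in 2015 (no "target:" line).
LISTING = """\
block
  interfaces:
  sources: 172.128.0.0/16
  services: bacula bacula-client dhcpv6-client ssh http

drop (default, active)
  interfaces: em1
  sources:
  services: bacula bacula-client dhcpv6-client ssh http
"""

# Assumption: targets of the built-in zones; any other zone rejects unmatched traffic.
ZONE_TARGET = {"drop": "DROP", "block": "%%REJECT%%"}

def parse_zones(text):
    """Map zone name -> {"default": bool, <key>: [values]} from a listing."""
    zones, current = {}, None
    for line in filter(str.strip, text.splitlines()):
        if not line.startswith(" "):                 # zone header line
            name, _, flags = line.partition(" (")
            current = zones[name] = {"default": "default" in flags}
        else:                                        # "  key: v1 v2 ..."
            key, _, value = line.strip().partition(":")
            current[key] = value.split()
    return zones

def zone_for(zones, src_ip, iface):
    # firewalld precedence: source binding, then interface binding, then default zone.
    ip = ipaddress.ip_address(src_ip)
    for name, z in zones.items():
        if any(ip in ipaddress.ip_network(s) for s in z.get("sources", [])):
            return name
    for name, z in zones.items():
        if iface in z.get("interfaces", []):
            return name
    return next(n for n, z in zones.items() if z["default"])

def verdict(zones, src_ip, iface, service):
    """Services listed in a zone are ACCEPT rules matched before the zone target;
    anything else receives the target (DROP, %%REJECT%% or plain REJECT)."""
    zone = zone_for(zones, src_ip, iface)
    if service in zones[zone].get("services", []):
        return zone, "ACCEPT"
    return zone, ZONE_TARGET.get(zone, "REJECT")
```

Under this model, ssh from 172.128.5.5 lands in `block` and is accepted, while an unlisted service from the same range is rejected with ICMP; traffic from any other address on em1 lands in `drop`, where unlisted services are silently dropped.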

0 Answers