The important thing is that trusted and drop are both (active) and drop has your public interface.

And for the whitelist IP addresses, all the ports should be accessible.

You can make a further assessment by reading Red Hat's suggestions on choosing a zone. This is conceptual, I have not tested it (further than seeing that CentOS 7 accepts the command), but it should be easy enough to do a pcap and see if it behaves how you'd expect.

But how do I drop all other IPs except the one that I added using sources?

Thanks regarding the upvote. I understand; if an answer works, consider accepting the answer.

I fail to find a clear explanation in the documentation, but from the implemented behaviour it looks like that. You will have a range of open ports for the whitelist subnet as requested. And of course use the --permanent option in --add-xxx statements to make the behaviour stick.

The most crucial part is the explanation that setting an interface broadens the access (in case sources are set). I had a problem that the ports were accessible even though I had a sources whitelist.

Or change the default zone to another: block or drop (this is common practice).

Firewalld provides you with a few pre-configured zones, just for this purpose. There's one called drop, which drops anything coming in, and one called trusted, which allows any connection (i.e., so you shouldn't even need to open individual ports, I think). The trick is getting the right zone to trigger for what you want.

We don't want any public services available, right? Only the whitelisted IPs are authorized.

I can't reply to his answer because I don't have the requisite rep points yet, so I'll explain here. He is tying networks to that zone and then opening ports on that zone. So his --add-source commands make no difference and his --add-port commands have now allowed the whole world to access those ports. You want to create a separate zone, tie your network/IPs to that zone, and open the ports in that zone. After testing that your rule is working, run it again with --perm appended so that it is remembered on subsequent firewalld reloads.

The trusted zone has a default "target: ACCEPT" while the rest are "target: default". While it really does not matter, it appears to be the intended method due to its name and default target value.
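The procedure the thread converges on (drop zone as default with the public interface bound to it, a separate source-only zone with the ports opened there, everything --permanent and one --reload), written out as an added example. This is not code from the thread; the zone name "whitelist", interface eth0, the sample addresses 203.0.113.0/24 and 198.51.100.7 (documentation ranges, constructed) and the ports 22/tcp and 443/tcp are all assumptions. The script also includes a check for the mistake discussed above: it parses `firewall-cmd --get-active-zones` output and flags a whitelist zone that has an interface bound to it, because in that case every packet arriving on the interface lands in the zone and the opened ports are reachable from anywhere, whatever --add-source says.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions (not in the original):
# CentOS 7 firewalld, zone "whitelist", public interface eth0, constructed sample
# sources 203.0.113.0/24 and 198.51.100.7, ports 22/tcp and 443/tcp.
# DRY_RUN=1 (the default) only prints the firewall-cmd calls; run with DRY_RUN=0 to apply.

DRY_RUN=${DRY_RUN:-1}

# Print or run one firewall-cmd invocation, depending on DRY_RUN.
fwcmd() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# apply_whitelist ZONE IFACE "PORT/PROTO ..." SOURCE...
# Every change is --permanent and activated by a single --reload at the end:
# a zone created with --new-zone does not exist at runtime until the reload,
# so runtime --add-source/--add-port against it would fail.
apply_whitelist() {
    zone=$1 iface=$2 ports=$3
    shift 3

    # 1. Unmatched traffic goes to the drop zone: make it the default and bind
    #    the public interface there, NOT to the whitelist zone. An interface
    #    bound to the whitelist zone puts every packet on it into that zone,
    #    regardless of --add-source, which opens the ports to everyone.
    fwcmd --set-default-zone=drop
    fwcmd --permanent --zone=drop --change-interface="$iface"

    # 2. A separate zone selected by source address only.
    fwcmd --permanent --new-zone="$zone"
    for src in "$@"; do
        fwcmd --permanent --zone="$zone" --add-source="$src"
    done

    # 3. Open the ports inside that zone only ($ports is split on purpose).
    for p in $ports; do
        fwcmd --permanent --zone="$zone" --add-port="$p"
    done

    fwcmd --reload
}

# zone_interfaces ZONE: read `firewall-cmd --get-active-zones` output on stdin
# and print the interfaces bound to ZONE (nothing if it is source-only).
zone_interfaces() {
    awk -v z="$1" '
        /^[^ \t]/ { cur = $1; next }                 # unindented line = zone name
        cur == z && $1 == "interfaces:" {
            sub(/^[ \t]*interfaces:[ \t]*/, ""); print
        }'
}

# check_layout ZONE: succeed when ZONE is source-only, fail when an interface
# is bound to it.  Live use:  firewall-cmd --get-active-zones | check_layout whitelist
check_layout() {
    bound=$(zone_interfaces "$1")
    if [ -n "$bound" ]; then
        echo "zone $1 is bound to interface(s) $bound: its ports are open to all traffic on them" >&2
        return 1
    fi
    return 0
}

apply_whitelist whitelist eth0 "22/tcp 443/tcp" 203.0.113.0/24 198.51.100.7
```

Run it once as-is to read the plan, then with `DRY_RUN=0` to apply it; afterwards `firewall-cmd --get-active-zones` should show eth0 under drop and only a `sources:` line under whitelist, which `check_layout` verifies.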