I am trying to get a handle on firewalld... I can't actually see right off how to limit access to services to certain sources. For example, on a single-interface server, I want to limit access to SSH and SNMP to some "management" networks. With iptables, I might have:
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :mgmt - [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp --syn --dport http -j ACCEPT
    -A INPUT -p tcp --syn --dport ssh -j mgmt
    -A INPUT -p udp --dport snmp -j mgmt
    -A mgmt -s 10.0.0.0/24 -j ACCEPT
    -A mgmt -s 10.1.0.0/24 -j ACCEPT
    -A mgmt -p tcp -j REJECT --reject-with tcp-reset
    -A mgmt -j DROP
    COMMIT
That means a couple of subnets can reach whatever management services I declare, the rest of the network cannot, and HTTP is just wide open.
I see a bunch of different documents talking about assigning interfaces and services to zones, but nothing that tells me how to use those zones to do something useful.
On 17/04/18 20:12, Chris Adams wrote:
> I am trying to get a handle on firewalld... I can't actually see right off how to limit access to services to certain sources. For example, on a single-interface server, I want to limit access to SSH and SNMP to some "management" networks. With iptables, I might have:
>
>     *filter
>     :INPUT ACCEPT [0:0]
>     :FORWARD ACCEPT [0:0]
>     :OUTPUT ACCEPT [0:0]
>     :mgmt - [0:0]
>     -A INPUT -i lo -j ACCEPT
>     -A INPUT -p tcp --syn --dport http -j ACCEPT
>     -A INPUT -p tcp --syn --dport ssh -j mgmt
>     -A INPUT -p udp --dport snmp -j mgmt
>     -A mgmt -s 10.0.0.0/24 -j ACCEPT
>     -A mgmt -s 10.1.0.0/24 -j ACCEPT
>     -A mgmt -p tcp -j REJECT --reject-with tcp-reset
>     -A mgmt -j DROP
>     COMMIT
>
> That means a couple of subnets can reach whatever management services I declare, the rest of the network cannot, and HTTP is just wide open.
>
> I see a bunch of different documents talking about assigning interfaces and services to zones, but nothing that tells me how to use those zones to do something useful.
Here's how I'd set up limited access to SSH and SNMP:

    firewall-cmd --permanent --add-source=10.0.0.0/24 --zone=trusted
    firewall-cmd --permanent --add-source=10.1.0.0/24 --zone=trusted
    firewall-cmd --permanent --zone=trusted --add-service=ssh --add-service=snmp
    firewall-cmd --permanent --zone=public --remove-service=ssh --remove-service=snmp
    firewall-cmd --reload

The 'zone=public' bit is my internet-facing zone. To figure out which zones are allowing what, run

    firewall-cmd --list-all-zones

and adjust the commands I posted accordingly to add / remove anything.
Hope this helps
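A scripted variant of the zone-based approach above, added here as an example and not taken from either message in the thread: it uses a dedicated zone (the name "mgmt" and the FW_DRY_RUN review switch are assumptions) so the management networks get only the listed services, mirroring the iptables mgmt chain, and it also adds http to that zone, because firewalld matches a packet against source-bound zones before the interface zone and would otherwise reject HTTP from those networks.

```shell
#!/bin/sh
# Added example, not from the thread. Creates a "mgmt" zone (assumed name)
# whose sources may reach only ssh, snmp and http; public keeps http alone.
set -u

MGMT_ZONE="mgmt"            # assumed zone name, new zones get target "default"
PUBLIC_ZONE="public"        # the internet-facing zone from the reply above
MGMT_SOURCES="10.0.0.0/24 10.1.0.0/24"
MGMT_SERVICES="ssh snmp"    # reachable from MGMT_SOURCES only
OPEN_SERVICES="http"        # reachable from everywhere, including MGMT_SOURCES

# Print the command instead of running it when FW_DRY_RUN=1, so the plan can
# be reviewed before it touches the firewall.
fw() {
    if [ "${FW_DRY_RUN:-0}" = "1" ]; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

apply_mgmt_zone() {
    # --new-zone fails if the zone already exists; rerunning needs a delete first.
    fw --permanent --new-zone="$MGMT_ZONE"
    for src in $MGMT_SOURCES; do
        fw --permanent --zone="$MGMT_ZONE" --add-source="$src"
    done
    for svc in $MGMT_SERVICES; do
        fw --permanent --zone="$MGMT_ZONE" --add-service="$svc"
        # Take the service out of the public zone so only mgmt sources reach it.
        fw --permanent --zone="$PUBLIC_ZONE" --remove-service="$svc"
    done
    for svc in $OPEN_SERVICES; do
        # Source-bound zones win over the interface zone, so mgmt must list
        # the open services too or those networks lose access to them.
        fw --permanent --zone="$MGMT_ZONE" --add-service="$svc"
        fw --permanent --zone="$PUBLIC_ZONE" --add-service="$svc"
    done
    fw --reload
}

# Number of firewall-cmd calls the plan makes, computed without running them.
plan_count() {
    (FW_DRY_RUN=1; apply_mgmt_zone) | wc -l | tr -d ' '
}
```

After applying it, `firewall-cmd --zone=mgmt --list-all` should show the two sources and exactly the three services, and `firewall-cmd --zone=public --list-all` should no longer list ssh or snmp.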