Centos – How to completely block port using firewalld

Tags: centos, centos7, firewall, firewalld

Disclaimer: It's the first time I've used firewalld, so be gentle 🙂.


I have a CentOS machine and I want to implement the following requirements using firewalld:

  • Allow connections from anywhere to ports 1, 2, 3, 4.
  • Allow connections to port 5 only from IP addresses IP1, IP2 and IP3
  • Completely block connections to port 6, from anywhere.

So I did this:

  • added the ports 1, 2, 3 and 4 to the public zone
  • added port 5 and IP addresses IP1, IP2 and IP3 to zone trusted

Now the zones look like this:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno12345
  sources:
  services: ssh dhcpv6-client
  ports: 1/tcp 2/tcp 3/tcp 4/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources: IP1 IP2 IP3
  services:
  ports: 5/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Note: public is the default zone.

So the first 2 rules seem to be applied correctly.

However I got stuck with the final rule (completely block port 6). I tried multiple solutions and none seem to work.

1). What should I do to apply this?

2). How come I can connect through port 6 even though it's not explicitly listed as allowed in the firewalld configuration? No rule about it is added in iptables either.

Best Answer

The way I solved it is I added a rich rule in the trusted zone:

rule family="ipv4" port port="6" protocol="tcp" drop

From what I know, rich rules are applied first. It seems to be working correctly in my case.
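An added worked example (editor's script, not code from the question or the accepted answer). The first half is the firewall-cmd sequence for all three requirements, ending with the answer's rich rule; it prints the commands as a plan unless firewalld is present and the script is run with `apply`. The second half is a small offline model of the order in which firewalld evaluates a zone (deny rich rules, then explicit ports, then the zone target), fed the question's own zone listings. It shows why port 6 answered from the trusted sources before the rich rule existed: trusted has target ACCEPT, which accepts everything not explicitly denied, so listing 5/tcp there changes nothing and only a deny rule closes port 6. IP1 to IP3, ports 1 to 6 and eno12345 are the question's placeholders, and the model does not expand services such as ssh into port numbers.

```shell
#!/bin/sh
# Added example (editor's code, not from the question or the accepted answer).
# Part 1: the firewall-cmd sequence for the three requirements, run against a
# live firewalld when invoked with "apply", otherwise printed as a plan.
# Part 2: an offline model of how firewalld decides a packet's fate inside one
# zone, fed the question's own zone listings, to show why 6/tcp answered from
# the trusted sources before the deny rule existed.
# Assumptions: IP1..IP3, ports 1-6 and eno12345 are the question's
# placeholders, not real values; IPv4 only, as in the answer's rich rule.
set -eu

TRUSTED_SOURCES="IP1 IP2 IP3"          # placeholders from the question
OPEN_PORTS="1/tcp 2/tcp 3/tcp 4/tcp"   # open to everyone
RESTRICTED_PORT="5/tcp"                # reachable only from TRUSTED_SOURCES
BLOCKED_PORT=6                         # closed for everyone

# Rich rule text for dropping one port; the double quotes are part of the
# firewalld syntax and must reach firewall-cmd untouched by the shell.
rich_drop_rule() {                     # $1 = port number, $2 = protocol
    printf 'rule family="ipv4" port port="%s" protocol="%s" drop' "$1" "$2"
}

# Wrapper: print the command instead of running it when DRY_RUN=1 or when no
# firewall-cmd is installed, so the script is safe to run anywhere.
fw() {
    if [ "${DRY_RUN:-0}" = 1 ] || ! command -v firewall-cmd >/dev/null 2>&1; then
        printf 'firewall-cmd'
        for _a in "$@"; do printf " '%s'" "$_a"; done
        printf '\n'
    else
        firewall-cmd "$@"
    fi
}

apply_rules() {
    for _p in $OPEN_PORTS; do                            # requirement 1
        fw --permanent --zone=public --add-port="$_p"
    done
    for _ip in $TRUSTED_SOURCES; do                      # requirement 2
        fw --permanent --zone=trusted --add-source="$_ip"
    done
    # Redundant under trusted's ACCEPT target, but it documents the intent.
    fw --permanent --zone=trusted --add-port="$RESTRICTED_PORT"
    # Requirement 3. trusted has target ACCEPT, so without a deny rule every
    # port, 6 included, is open to IP1..IP3. Deny rules are evaluated before
    # ports and before the zone target, which is why this one closes it.
    fw --permanent --zone=trusted --add-rich-rule="$(rich_drop_rule "$BLOCKED_PORT" tcp)"
    # public already rejects 6/tcp through its default target; the explicit
    # deny keeps it closed even if someone later runs --add-port=6/tcp there.
    fw --permanent --zone=public --add-rich-rule="$(rich_drop_rule "$BLOCKED_PORT" tcp)"
    fw --reload
}

# Offline model of one zone's verdict for inbound traffic to port/proto, in the
# order firewalld's generated chains use: deny rich rules (drop/reject), then
# explicit port allows, then the zone target. Input is the text of
# `firewall-cmd --zone=Z --list-all`. Simplification: services are not expanded.
zone_verdict() {                       # $1 = listing text, $2 = port, $3 = proto
    _target=$(printf '%s\n' "$1" | awk '/^ *target:/ { print $2; exit }')
    _ports=$(printf '%s\n' "$1" | awk '/^ *ports:/ { $1 = ""; print; exit }')
    _rules=$(printf '%s\n' "$1" | sed -n '/^ *rich rules:/,$p' | sed '1d')
    _match="port=\"$2\" protocol=\"$3\""
    if printf '%s\n' "$_rules" | grep -qF "$_match drop"; then echo drop; return 0; fi
    if printf '%s\n' "$_rules" | grep -qF "$_match reject"; then echo reject; return 0; fi
    if printf '%s\n' "$_ports" | grep -qE "(^| )$2/$3( |\$)"; then echo accept; return 0; fi
    case $_target in
        ACCEPT) echo accept ;;
        DROP)   echo drop ;;
        *)      echo reject ;;         # "default" and %%REJECT%% both reject
    esac
}

# Constructed listings, copied from the question: trusted before and after the
# accepted answer's rich rule, and public as posted (irrelevant lines omitted).
TRUSTED_BEFORE='trusted (active)
  target: ACCEPT
  sources: IP1 IP2 IP3
  ports: 5/tcp
  rich rules:'
TRUSTED_AFTER="$TRUSTED_BEFORE
        rule family=\"ipv4\" port port=\"6\" protocol=\"tcp\" drop"
PUBLIC='public (active)
  target: default
  interfaces: eno12345
  services: ssh dhcpv6-client
  ports: 1/tcp 2/tcp 3/tcp 4/tcp
  rich rules:'

if [ "${1:-}" = apply ]; then
    apply_rules                        # touches the live firewall
else
    DRY_RUN=1; apply_rules             # default: print the plan only
fi
echo "trusted before deny rule, 6/tcp: $(zone_verdict "$TRUSTED_BEFORE" 6 tcp)"   # accept
echo "trusted after deny rule,  6/tcp: $(zone_verdict "$TRUSTED_AFTER" 6 tcp)"    # drop
echo "public,                   6/tcp: $(zone_verdict "$PUBLIC" 6 tcp)"           # reject
```

After `--reload`, `firewall-cmd --zone=trusted --query-rich-rule='rule family="ipv4" port port="6" protocol="tcp" drop'` exits 0 when the rule is active, and a connection attempt to port 6 from one of IP1 to IP3 should now time out rather than connect. One caveat on the design itself: because trusted's target is ACCEPT, IP1 to IP3 can reach every port on the host, not only port 5. If that is more than intended, a zone with `target: default` holding those sources plus 5/tcp is the tighter fit; since a source-matched zone replaces public for that traffic, ports 1 to 4 would have to be added to it as well.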
