Configuring firewalld the right way


Ever since I started using CentOS I have been using iptables with a custom firewall script to parse rules. But since CentOS 7, firewalld is the new default. Which is fine with me, time to move on.

Anyway, I think that the firewalld docs are poorly written and have few examples.

So my question is pretty simple, but I will illustrate what I want to achieve.

I have a server with two interfaces. One interface is connected to the internet, the other to an internal network. All traffic on the internal interface is allowed, so I added it to the trusted zone. So far so good.

My default way of thinking is: all traffic is blocked except for the server's purpose (http and https in my case). For maintenance and backups, ssh should be open for a few IP addresses.

I was thinking of using a custom service to create a rule for ssh, but this does not work because services don't accept a source tag. So how should I proceed? I would like to create a file where I can define my exceptions (ssh for one IP, http for all, etc.) so I can copy it to other servers.

Thanks in advance!

Best Answer

I also had this problem recently, but I was able to add access to the http and https services. The problem I had was limiting the ssh service to a source address. This is my workaround.

First add the interface to the public zone, then:

# Open http/https to everyone reaching the public zone (written to the permanent config)
sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
# Allow ssh only from one source; --permanent is needed here too, otherwise
# the rich rule lives only in the runtime config and the --reload below drops it
sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="x.x.x.x" service name="ssh" log prefix="ssh" level="info" accept'
# Load the permanent config into the running firewall
sudo firewall-cmd --reload

The source address can be a range; just specify the subnet.

Since ssh wasn't added to the public zone, it will be blocked by default. The rich rule will enable it only for that source IP/range.

Any better solution, please add.

I answered it on my question at

Using Firewall-cmd to create address specific restrictions in centos 7
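The asker wanted the exceptions in a single file that can be copied between servers. firewalld already has such a file: the zone definition in /etc/firewalld/zones/<zone>.xml, which holds both plain service entries and rich rules. The script below is an added example, not from the answer above or from the firewalld project: it reads a small constructed rules file ("service source" per line, source "any" meaning everyone reaching the zone) and emits a public.xml in firewalld's zone format. Services with a specific source become rich rules, so they stay closed for everyone else; the rule family is chosen from the address so an IPv6 source is not silently attached to an ipv4 rule. The sample rules, the file name and the --demo flag are assumptions for the example.

```shell
#!/bin/sh
# Generate a firewalld zone file from a simple exceptions list.
# Usage: sh gen_zone.sh --demo            (prints XML for the constructed sample)
#        gen_zone_xml < rules.txt > /etc/firewalld/zones/public.xml
#        firewall-cmd --reload
set -eu

# Constructed sample exceptions file (assumption: not from the original post).
# Format: <service> <source>, where <source> is a CIDR or "any".
example_rules() {
  cat <<'EOF'
# service  source
http   any
https  any
ssh    203.0.113.10/32
ssh    2001:db8::/64
EOF
}

# Pick the rich-rule address family from the address text.
# firewalld rejects a rule whose family does not match its source address.
family_of() {
  case "$1" in
    *:*) echo ipv6 ;;
    *)   echo ipv4 ;;
  esac
}

# gen_zone_xml: read rules on stdin, write a zone definition on stdout.
# "any" sources become <service/> entries (open to the whole zone);
# specific sources become rich rules limited to that address, and since the
# service is not listed at zone level it is otherwise rejected by the zone's
# default target.
gen_zone_xml() {
  printf '<?xml version="1.0" encoding="utf-8"?>\n'
  printf '<zone>\n'
  printf '  <short>Public</short>\n'
  printf '  <description>Internet-facing zone: only listed services and sources are allowed.</description>\n'
  while read -r svc src || [ -n "${svc:-}" ]; do
    case "$svc" in ''|\#*) continue ;; esac   # skip blanks and comments
    if [ "$src" = any ]; then
      printf '  <service name="%s"/>\n' "$svc"
    else
      printf '  <rule family="%s">\n' "$(family_of "$src")"
      printf '    <source address="%s"/>\n' "$src"
      printf '    <service name="%s"/>\n' "$svc"
      printf '    <log prefix="%s" level="info"/>\n' "$svc"
      printf '    <accept/>\n'
      printf '  </rule>\n'
    fi
  done
  printf '</zone>\n'
}

# Count how many services are open to every source (for a quick sanity check
# before copying the file to a server).
count_open_services() {
  gen_zone_xml | grep -c '^  <service name='
}

if [ "${1:-}" = --demo ]; then
  example_rules | gen_zone_xml
fi
```

After copying the generated file into /etc/firewalld/zones/ on each server, `firewall-cmd --reload` activates it, and `firewall-cmd --zone=public --list-all` should show http and https under services and the ssh entries under rich rules only. Bind the internet-facing interface to the zone (`--zone=public --change-interface=...` with `--permanent`) as the answer says, or the rules never apply to it.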
