I have the following configuration on CentOS 7.7.
I am looking to allow only a limited set of IPs and block the rest.
Going the rich rule way on the public zone sounded simple. I removed the ssh service and added the required IP using a rich rule. It seemed to start working fine; most of the spam SSH stopped. But when I restart the server, for a brief period IPs outside of the allowed list are able to reach the server. I restarted the server multiple times and saw the pattern repeat. The blocked IPs are able to reach it for around 2-3 minutes after reboot, and then it stops.
[root@ABC ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
[root@ABC ~]# firewall-cmd --get-default-zone
public
[root@ABC ~]# firewall-cmd --get-active-zones
(Nothing)
[root@ABC ~]# firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

drop
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

external
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

home
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

internal
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    rule family="ipv4" source address="1.2.3.4" service name="ssh" accept

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
How are the blocked IPs able to reach the server with firewalld running?
Best Answer
Your firewall doesn't look properly configured. I would add a new zone called trusted. Then add service ssh and the source IPs that need to access the server on SSH. Then in the zone public add all your services that need to be public and add the interface eth0 to that zone. I believe this is the proper way to configure a zone-based firewall.
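The procedure in the answer, written out as an added example (this is not the answerer's code): the admin source IPs and the ssh service go into the trusted zone, eth0 is bound to public, and public keeps only the services everyone may reach. The script prints the firewall-cmd plan by default and only executes it with `--apply`; it also checks `--get-active-zones` afterwards, because the question's output showed no active zone at all, so eth0 was not bound anywhere. `1.2.3.4` and the rich rule are taken from the question; the second address `198.51.100.7` and the `http https` service list are placeholders you must replace.

```bash
#!/usr/bin/env bash
# Added example, not code from the original question or answer. Turns the
# answer's procedure into firewall-cmd calls and verifies the interface binding.
set -eu

ALLOWED_SSH_SOURCES="1.2.3.4 198.51.100.7"   # assumption: your admin IPs (second one is a placeholder)
PUBLIC_IFACE="eth0"                          # from the ifconfig output in the question
PUBLIC_SERVICES="http https"                 # assumption: whatever must stay world-reachable
# The rich rule currently on public (quoted from the question). It becomes
# redundant once trusted carries the sources, so the plan removes it.
OLD_RICH_RULE='rule family="ipv4" source address="1.2.3.4" service name="ssh" accept'

# build_plan prints one firewall-cmd invocation per line. Everything is
# --permanent, so nothing changes on the live firewall until the final --reload.
build_plan() {
  local src svc
  for src in $ALLOWED_SSH_SOURCES; do
    echo "firewall-cmd --permanent --zone=trusted --add-source=$src"
  done
  echo "firewall-cmd --permanent --zone=trusted --add-service=ssh"
  echo "firewall-cmd --permanent --zone=public --add-interface=$PUBLIC_IFACE"
  for svc in $PUBLIC_SERVICES; do
    echo "firewall-cmd --permanent --zone=public --add-service=$svc"
  done
  echo "firewall-cmd --permanent --zone=public --remove-rich-rule='$OLD_RICH_RULE'"
  echo "firewall-cmd --reload"
}

# apply_plan executes the plan line by line (only when invoked with --apply).
apply_plan() {
  local cmd
  build_plan | while IFS= read -r cmd; do
    echo "+ $cmd"
    eval "$cmd"
  done
}

# iface_zone <get-active-zones output> <interface>: prints the zone whose
# "interfaces:" line lists the interface, or nothing if it is unbound.
iface_zone() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /^[^[:space:]]/ { zone = $1; next }
    /^[[:space:]]+interfaces:/ { for (i = 2; i <= NF; i++) if ($i == want) { print zone; exit } }'
}

# verify_binding reads the live state and fails if eth0 is still not in public.
verify_binding() {
  local zone
  zone=$(iface_zone "$(firewall-cmd --get-active-zones)" "$PUBLIC_IFACE")
  if [ "$zone" != "public" ]; then
    echo "$PUBLIC_IFACE is not bound to public (got '${zone:-none}')" >&2
    return 1
  fi
  echo "$PUBLIC_IFACE is bound to zone $zone"
}

case "${1:-}" in
  --apply) apply_plan && verify_binding ;;
  *)       build_plan ;;   # dry run: only show what would be executed
esac
```

Two things worth knowing before running it with `--apply`. First, the trusted zone has `target: ACCEPT` (visible in the `--list-all-zones` output above), so a source placed there is accepted on every port, not just ssh; if those admin hosts should reach ssh only, a zone with the default target and just the ssh service is the stricter choice. Second, the plan is applied over the same ssh connection it restricts, so keep that session open and confirm a fresh login from an allowed address succeeds after `--reload` before closing it.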