
I want to drop incoming communication unless it's from a few IP addresses. Is it correct to put the interface in one zone (drop) and drop everything (don't configure any services or ports...) and put those few allowed IP addresses into another zone (public) and allow only the permitted ports for them? There will be no interface in zone public, only those IP addresses as sources. Here is an example:

[root@localhost]# firewall-cmd --list-all
drop (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

[root@localhost]# firewall-cmd --list-all --zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces:
  sources: 192.168.1.1
  services:
  ports: 443/tcp 443/udp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


I would leave the interface in zone public as it is by default and then add the trusted addresses and ports to zone trusted. I believe this way the firewall configuration will be more intuitive.

Krasi
  • But in general, is this two-zone concept a good solution? (I have zone drop set as default so I guess it's not a big problem..) – SheldonCopper Feb 05 '20 at 08:35
  • In zone-based firewalls this is the correct way to configure access to the services. – Krasi Feb 05 '20 at 09:29
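The script below is an added example, not part of the question or the answer above. It applies the layout shown in the question's listings (eth0 bound to zone drop, the trusted address bound to zone public with only 443/tcp and 443/udp opened) using firewall-cmd, and it contains a small model of firewalld's zone lookup order (source-bound zone first, then the interface's zone, then the default zone) that shows why a source in public is reached even though the interface sits in drop. The interface name, source address, ports and default zone are the values from the question and the comment; the stock services assumed for zone public in dry-run mode (ssh, dhcpv6-client) and the `DRY_RUN` switch are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original question or answer: apply the
# two-zone layout from the question with firewall-cmd, and model why it
# works. Values below are the ones shown in the question; DEFAULT_ZONE
# comes from the asker's comment. DRY_RUN=1 prints the firewall-cmd calls
# instead of running them, so the script can be previewed without root.

IFACE="eth0"
ALLOWED_SOURCES="192.168.1.1"     # space-separated list of trusted addresses
ALLOWED_PORTS="443/tcp 443/udp"   # what the trusted addresses may reach
DEFAULT_ZONE="drop"

# Run firewall-cmd, or just print the call when DRY_RUN=1.
fw() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# Services currently enabled in the permanent 'public' zone. In dry-run mode
# we assume firewalld's stock defaults for 'public' (assumption).
current_public_services() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "ssh dhcpv6-client"
    else
        firewall-cmd --permanent --zone=public --list-services
    fi
}

apply_two_zone_layout() {
    # Traffic that matches no source-bound zone is handled by the interface's
    # zone; 'drop' discards it silently (no RST or ICMP back to the sender).
    fw --permanent --zone=drop --change-interface="$IFACE"

    # Source-bound zones are consulted before interface-bound zones, so the
    # trusted addresses are steered into 'public' regardless of eth0's zone.
    for src in $ALLOWED_SOURCES; do
        fw --permanent --zone=public --add-source="$src"
    done

    # Strip whatever services 'public' ships with so only the listed ports
    # are reachable from the trusted addresses.
    for svc in $(current_public_services); do
        fw --permanent --zone=public --remove-service="$svc"
    done
    for port in $ALLOWED_PORTS; do
        fw --permanent --zone=public --add-port="$port"
    done

    # --permanent changes take effect only after a reload.
    fw --reload
}

# Show what firewalld ended up with: which zones are active and their rules.
verify_layout() {
    fw --get-active-zones
    fw --list-all --zone=drop
    fw --list-all --zone=public
}

# Model of firewalld's zone lookup for an incoming packet: source-bound zone
# first, then the zone bound to the ingress interface, then the default zone.
# Only exact address matches are modelled here (real sources may be CIDRs).
resolve_zone() {
    pkt_src="$1"; pkt_iface="$2"
    for src in $ALLOWED_SOURCES; do
        if [ "$pkt_src" = "$src" ]; then echo public; return 0; fi
    done
    if [ "$pkt_iface" = "$IFACE" ]; then echo drop; return 0; fi
    echo "$DEFAULT_ZONE"
}

case "${1:-}" in
    apply) apply_two_zone_layout ;;
    show)  verify_layout ;;
    zone)  resolve_zone "$2" "$3" ;;
esac
```

Preview the calls with `DRY_RUN=1 sh two-zone.sh apply`, apply them as root with `sh two-zone.sh apply` followed by `sh two-zone.sh show` to confirm that both zones are listed by `--get-active-zones` (drop because of the interface, public because of the source). `sh two-zone.sh zone 10.0.0.5 eth0` prints `drop` while `sh two-zone.sh zone 192.168.1.1 eth0` prints `public`, which is the lookup order the comments rely on.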