
Ever since I started using CentOS I have been using iptables with a custom firewall script to parse rules. But since CentOS 7, firewalld is the new default. Which is fine with me; time to move on.

Anyway, I think that the docs of firewalld are poorly written, with few examples.

So my question is pretty simple, but I will illustrate what I want to achieve.

I have a server with two interfaces. One interface is connected to the internet, the other to an internal network. All traffic on the internal interface is allowed, so I added it to the trusted zone. So far so good.

My default way of thinking is: all traffic is blocked except for the server's serving purpose (http and https in my case). For maintenance and backups, ssh should be open for a few IP addresses.

I was thinking of using a custom service to create a rule for ssh, but this does not work because services don't accept a source tag. So how should I proceed? I would like to create a file where I can define my exceptions (ssh for one IP, http for all, etc.) so I can copy them to other servers.

Thanks in advance!

Metalmini

2 Answers


I also had this problem recently, but I was able to add access to the http and https services. The problem I had was limiting the ssh service to a source address. This is my workaround.

First add the interface to the public zone, then:

sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
# --permanent is needed on the rich rule too: without it the rule lives only in the
# runtime configuration and is discarded by the --reload that follows
sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="x.x.x.x" service name="ssh" log prefix="ssh" level="info" accept'
sudo firewall-cmd --reload

The source address can be a range; just specify the subnet.

Since ssh wasn't added to the public zone, it will be blocked by default. The rich rule will enable it for only that source IP/range.

Any better solution, please add.

I answered it on my question at: Using Firewall-cmd to create address specific restrictions in centos 7

lawrence Da
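The procedure in this answer written as a script, as an added example that is not part of the original post. It puts --permanent on every command (a rich rule added without it disappears at the next --reload), adds one rich rule per management address from a list, rate-limits the log action so a scanner cannot flood the log, and removes the ssh service that the stock CentOS 7 public zone already allows, since otherwise the rich rules are not the only way in. The interface name eth0, the addresses 192.0.2.10 and 198.51.100.0/24, and the FW variable (set FW=echo to print the commands instead of running them) are this example's own placeholders.

```shell
#!/bin/sh
# Added example, not the answer's own code: apply the "public zone plus
# rich rules" layout described above in a repeatable way, so the script can
# be kept in version control and run on each new server.
set -e

FW="${FW:-firewall-cmd}"          # FW=echo gives a dry run without firewalld
WAN_IF="${WAN_IF:-eth0}"          # assumed name of the internet-facing interface
# Assumed management addresses (RFC 5737 documentation prefixes); IPv6
# sources would need a second rule with family="ipv6".
SSH_SOURCES="${SSH_SOURCES:-192.0.2.10 198.51.100.0/24}"

# Build the rich rule for one IPv4 source. "limit value" caps the log action
# at three entries per minute; the accept itself is not rate-limited.
ssh_rich_rule() {
    printf 'rule family="ipv4" source address="%s" service name="ssh" log prefix="ssh " level="info" limit value="3/m" accept' "$1"
}

apply_public_zone() {
    # Bind the internet-facing interface to public and open the web services.
    "$FW" --permanent --zone=public --change-interface="$WAN_IF"
    "$FW" --permanent --zone=public --add-service=http
    "$FW" --permanent --zone=public --add-service=https

    # CentOS 7 ships the public zone with ssh already enabled; drop it so the
    # rich rules below are the only path to port 22.
    if "$FW" --permanent --zone=public --query-service=ssh >/dev/null 2>&1; then
        "$FW" --permanent --zone=public --remove-service=ssh
    fi

    for src in $SSH_SOURCES; do
        "$FW" --permanent --zone=public --add-rich-rule="$(ssh_rich_rule "$src")"
    done

    # --permanent only writes /etc/firewalld; --reload makes it the running
    # configuration. Print the result so the change can be eyeballed.
    "$FW" --reload
    "$FW" --zone=public --list-all
}

# Run as: sudo ./allow-ssh.sh --apply   (or FW=echo ./allow-ssh.sh --apply)
if [ "${1:-}" = "--apply" ]; then
    apply_public_zone
fi
```

After a real run, `firewall-cmd --zone=public --list-all` should show http and https under services, nothing under services for ssh, and one rich rule per management address; `ssh` from any other address should then time out rather than be refused, because firewalld's public zone drops unmatched traffic rather than rejecting it.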

I don't know if it is the "best" way of doing this, but I did it by adding a new zone. You can put source addresses in zones. So make a management zone and add the source addresses, services, and ports you want. Since I need to do this fairly often, I just keep the zone XML file and drop it into each new server I spin up.

For example, in the /etc/firewalld/zones directory make a file called mgt.xml, or whatever you want to call your zone. Then do something like this:

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Management</short>
  <description>The services to manage the server and the ip addresses to manage it from.</description>
  <source address="2001:0DB8::/64"/>
  <source address="192.168.0.5"/>
  <service name="ssh"/>
  <port protocol="tcp" port="10000"/>
</zone>

You will then need to restart firewalld.

I actually use this same method to modify other zones as well. If you put a public.xml or drop.xml into that same folder, you will override the default settings for those zones. I have 4 XML files I drop into firewalld as part of my setup procedure for any new server to give me a safe starting point for the firewall.

Just an FYI: you can do all of this using firewall-cmd, but I find dropping the XML files in faster when building out new servers.

Mark
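The zone file above turned into a generator script, as an added example that is not part of the original answer: the same mgt.xml is produced from variables so the address list can differ per server while the script stays identical, the file is checked with xmllint when that tool is available, and the zone is activated with firewall-cmd --reload, which is enough for a newly dropped zone file. Because firewalld matches a packet's source against zones before it looks at the interface zone, traffic from the listed addresses is evaluated in this zone (ssh allowed) no matter which zone the interface is bound to. The zone name mgt, the addresses, and the ZONE_DIR and NO_RELOAD variables are this example's own.

```shell
#!/bin/sh
# Added example, not the answer's own code: generate and install a
# source-bound management zone for firewalld.
set -e

ZONE_NAME="${ZONE_NAME:-mgt}"
# Assumed management addresses; one IPv4 host and one IPv6 prefix, as in
# the answer's file (2001:db8::/64 is the IPv6 documentation prefix).
MGT_SOURCES="${MGT_SOURCES:-192.168.0.5 2001:db8::/64}"
MGT_SERVICES="${MGT_SERVICES:-ssh}"
MGT_TCP_PORTS="${MGT_TCP_PORTS:-10000}"

# Print the zone XML to stdout. A zone with <source> entries but no
# <interface> is selected purely by source address.
gen_zone_xml() {
    cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Management</short>
  <description>Services used to manage this host and the addresses allowed to reach them.</description>
EOF
    for s in $MGT_SOURCES; do printf '  <source address="%s"/>\n' "$s"; done
    for s in $MGT_SERVICES; do printf '  <service name="%s"/>\n' "$s"; done
    for p in $MGT_TCP_PORTS; do printf '  <port protocol="tcp" port="%s"/>\n' "$p"; done
    echo '</zone>'
}

# Write the file where firewalld reads user zones. ZONE_DIR lets the function
# be exercised in a scratch directory; NO_RELOAD=1 skips the reload so the
# generated file can be reviewed first. Prints the path of the written file.
install_zone() {
    dir="${ZONE_DIR:-/etc/firewalld/zones}"
    file="$dir/$ZONE_NAME.xml"
    gen_zone_xml > "$file"
    chmod 0644 "$file"
    if command -v xmllint >/dev/null 2>&1; then
        xmllint --noout "$file" || return 1
    fi
    # A reload is sufficient for a new or changed zone file; a restart is not needed.
    [ "${NO_RELOAD:-0}" = 1 ] || firewall-cmd --reload
    echo "$file"
}

# Run as: sudo ./mgt-zone.sh --install
if [ "${1:-}" = "--install" ]; then
    install_zone
fi
```

After installing, `firewall-cmd --get-active-zones` should list mgt with the sources attached, and `firewall-cmd --zone=mgt --list-all` shows ssh and tcp/10000 for them; ssh stays closed in public for everyone else, which is the point of the split.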