I'm hoping someone can enlighten me on what might be going on with firewalld.
I block possible attacks from the server. I use rich rules to do so, and I've even tested blocking a specific IP but not the whole CIDR. However, when I know I do not care for that network to reach me, I usually block by CIDR. An example of a rich rule:
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="120.52.0.0/16" drop'
then
firewall-cmd --reload
I did this by looking up the IP 120.52.96.164 with https://www.countryipblocks.net/, which can provide me the CIDR.
With the example above, I had already blocked this CIDR, but there was an FTPD attempt with an IP in this network.
Jul 29 01:20:26 domain.ca proftpd[2250]: 0.0.0.0 (120.52.96.164[120.52.96.164]) - SSH2 session opened.
Jul 29 01:20:29 virtual.smbservices.ca proftpd[2250]: 0.0.0.0 (120.52.96.164[120.52.96.164]) - USER root (Login failed): Incorrect password
Jul 29 01:20:29 domain.ca proftpd[2250]: 0.0.0.0 (120.52.96.164[120.52.96.164]) - SSH2 session closed.
So I went to the site, looked up the IP and got the CIDR that was already in the firewalld rich rules, with this error:
Warning: ALREADY_ENABLED: rule family="ipv4" source address="120.52.0.0/16" drop
How could it be that they were able to attempt a connection to ftpd instead of being dropped, as my rich rule was already there for that network?
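One way to check whether the logged source addresses actually fall inside the networks your rich rules drop, as an added example that is not part of the original post or of firewalld itself: the script below parses proftpd log lines of the shape quoted above, extracts the client IP, and matches it against the `source address` of every `drop`/`reject` rich rule. The log lines and the second rich rule (203.0.113.0/24) are constructed sample data; only the 120.52.0.0/16 rule and the 120.52.96.164 address come from the question.

```python
import ipaddress
import re

# Constructed sample: the proftpd lines from the question (hostname normalised)
# plus one extra line from an unrelated address, so the report shows both outcomes.
SAMPLE_LOG = """\
Jul 29 01:20:26 domain.ca proftpd[2250]: 0.0.0.0 (120.52.96.164[120.52.96.164]) - SSH2 session opened.
Jul 29 01:20:29 domain.ca proftpd[2250]: 0.0.0.0 (120.52.96.164[120.52.96.164]) - USER root (Login failed): Incorrect password
Jul 29 01:20:29 domain.ca proftpd[2250]: 0.0.0.0 (120.52.96.164[120.52.96.164]) - SSH2 session closed.
Jul 29 02:11:03 domain.ca proftpd[2260]: 0.0.0.0 (198.51.100.7[198.51.100.7]) - USER admin (Login failed): Incorrect password
"""

# Constructed sample of what `firewall-cmd --list-rich-rules` prints; the /24 is made up.
SAMPLE_RICH_RULES = [
    'rule family="ipv4" source address="120.52.0.0/16" drop',
    'rule family="ipv4" source address="203.0.113.0/24" drop',
]

# proftpd logs the client as "(<reverse-name>[<ip>])" before the " - <message>" part.
LOG_RE = re.compile(r"proftpd\[\d+\]: \S+ \((?P<host>[^\[]*)\[(?P<ip>[^\]]+)\]\) - (?P<msg>.*)$")
# Only the source address and the terminal action of a rich rule matter here.
RULE_RE = re.compile(r'source address="(?P<net>[^"]+)".*\b(?P<action>accept|reject|drop)\b')


def parse_blocked_networks(rules):
    """Return the ip_network objects that drop/reject rich rules cover."""
    nets = []
    for rule in rules:
        m = RULE_RE.search(rule)
        if m and m.group("action") in ("drop", "reject"):
            nets.append(ipaddress.ip_network(m.group("net"), strict=False))
    return nets


def source_ips(log_text):
    """Return (ip_address, message) for every proftpd line that names a client address."""
    found = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            found.append((ipaddress.ip_address(m.group("ip")), m.group("msg")))
    return found


def covering_network(ip, nets):
    """Return the most specific blocked network containing ip, or None if no rule covers it."""
    hits = [n for n in nets if n.version == ip.version and ip in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def audit(log_text, rules):
    """Map each distinct logged client IP (as a string) to the blocked CIDR that should
    have dropped it, or None when no drop/reject rule covers the address."""
    nets = parse_blocked_networks(rules)
    report = {}
    for ip, _msg in source_ips(log_text):
        net = covering_network(ip, nets)
        report[str(ip)] = str(net) if net is not None else None
    return report


if __name__ == "__main__":
    for ip, net in audit(SAMPLE_LOG, SAMPLE_RICH_RULES).items():
        status = f"covered by drop rule {net}" if net else "not covered by any drop/reject rule"
        print(f"{ip}: {status}")
```

For the question's address the script reports 120.52.96.164 as covered by 120.52.0.0/16, so the CIDR arithmetic is not the problem; a source that the audit marks as covered but that still shows up in the log means the packets were not being dropped by the rule that is active for that traffic. The first thing to compare is the runtime rule set (`firewall-cmd --list-rich-rules`, without `--permanent`) against the permanent one, since a `--permanent` change only takes effect after `firewall-cmd --reload`, and to confirm that the zone holding the rule is the zone bound to the interface the connections arrive on.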