I spent a couple of hours today attempting to set up a firewall rule for SSH access. I have multiple custom zones as shown below. I've changed most of the IP addresses for security reasons.
firewall-cmd --get-active-zones
web-zone
  interfaces: eth0
  sources: 160.1.100.0/21 10.0.0.0/8 194.1.1.0/24
ssh
  sources: 194.1.1.3
admin
  sources: 160.1.1.3
etranscripts
  sources: 55.164.111.101 55.164.84.100

web-zone (active)
  target: default
  icmp-block-inversion: no
  interfaces:
  sources: 160.1.100.0/21 10.0.0.0/8 194.1.1.0/24
  services:
  ports: 9060/tcp 9070/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

ssh (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 194.1.1.3
  services:
  ports: 22/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
From these rules, one would think that I could ssh into the server from 194.1.1.3, but I can't. Stranger still, if I change the zone that the network interface is bound to, I can ssh into the server.
[root@dev-banapp03 ~]# firewall-cmd --remove-interface=eth0 --zone=web-zone --permanent
The interface is under control of NetworkManager, setting zone to default.
success
[root@dev-banapp03 ~]# firewall-cmd --add-interface=eth0 --zone=ssh --permanent
The interface is under control of NetworkManager, setting zone to 'ssh'.
success
[root@dev-banapp03 ~]# firewall-cmd --get-active-zones
web-zone
  sources: 160.1.100.0/21 10.0.0.0/8 194.1.1.0/24
ssh
  interfaces: eth0
  sources: 194.1.1.3
admin
  sources: 160.1.1.3
etranscripts
  sources: 55.164.111.101 55.164.84.100
Obviously, there is some kind of order applied to the zone evaluation, but I don't know what it is, and I haven't found any good articles on it. Can anyone here tell me what's going on?
~ Bob
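One thing worth checking first, as an added diagnostic that is not part of the post: firewalld consults source bindings before interface bindings, so the question is which zones claim 194.1.1.3 as a source. The script below parses `firewall-cmd --get-active-zones` output (a constructed sample modelled on the post, with the output's normal two-space indentation) and lists every zone whose source binding contains a given address, most specific first, so overlaps such as a host address inside a /24 bound to another zone show up immediately.

```python
import ipaddress

# Constructed sample, modelled on the --get-active-zones output quoted above.
ACTIVE_ZONES = """\
web-zone
  interfaces: eth0
  sources: 160.1.100.0/21 10.0.0.0/8 194.1.1.0/24
ssh
  sources: 194.1.1.3
admin
  sources: 160.1.1.3
etranscripts
  sources: 55.164.111.101 55.164.84.100
"""

def parse_active_zones(text):
    """Parse `firewall-cmd --get-active-zones` output into
    {zone: {"interfaces": [...], "sources": [...]}}.
    Zone names start at column 0; their bindings are indented."""
    zones, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):
            current = line.strip()
            zones[current] = {"interfaces": [], "sources": []}
        else:
            key, _, values = line.strip().partition(":")
            zones[current][key] = values.split()
    return zones

def zones_matching_source(zones, ip):
    """Return (zone, binding) pairs whose source binding contains ip,
    most specific prefix first. More than one pair means the address
    is claimed by several zones and the binding overlap must be resolved."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for name, z in zones.items():
        for src in z["sources"]:
            net = ipaddress.ip_network(src, strict=False)
            if addr in net:
                hits.append((name, src, net.prefixlen))
    hits.sort(key=lambda h: -h[2])
    return [(name, src) for name, src, _ in hits]

def zone_of_interface(zones, iface):
    """Zone the interface is bound to, or None if unbound (default zone applies)."""
    for name, z in zones.items():
        if iface in z["interfaces"]:
            return name
    return None
```

Running `zones_matching_source(parse_active_zones(ACTIVE_ZONES), "194.1.1.3")` reports both the ssh zone (via 194.1.1.3) and web-zone (via 194.1.1.0/24), which is the overlap to resolve before looking at interface bindings.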