
I need port 1270/tcp open for SCOM monitoring. So, I've created a new zone 020_scom (since I know alphabetic ordering can cause preference issues... I make mine with digits beginning the names)

Then added the port 1270/tcp and my single source ip x.y.z.a/32 (and another test host) to the same zone (everything with --permanent) and then a --reload after it's all done.

I get:

020_scom (active)
  target: default
  icmp-block-inversion: no
  interfaces:
  sources: 1.2.3.4/32 2.3.1.2/32
  services:
  ports: 1270/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

and then adding the same port to the block zone:

block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports: 80/tcp 443/tcp 1270/tcp 6082/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

However, I'm getting 'FINAL_REJECT:' from my SCOM host (or the second one there 2.3.1.2 - my other test host)

I tried deleting the port from the block zone, but still no-deal... being rejected.

Is there something simple that I'm doing wrong?

STOIE

1 Answer


After reading all your steps I can tell you the following.

As you comment, adding an IP and a port to a new zone was done correctly, as you show us, but adding the same port to the block zone is a conflict for the firewalld service.

It is not recommended to add the same IPs or ports twice in different zones because, as in this case, the rules can do the opposite of what you want and reject each other.

If you don't set any IP in "sources:", you allow access to all the IPs that send a request to the machine on the port set in "ports:" for that zone. However, if you mention an IP, you are limiting the inputs to only that single IP, or, if that is the case, a segment.

So, as you show us, you try to allow 2 IPs for a specific port but also reject all requests to the same port. To solve this issue, you need to remove the port from the "block" zone; you can do it with the following commands.

firewall-cmd --zone=block --remove-port=1270/tcp --permanent

firewall-cmd --reload

BR.

Nadia Espinosa
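The check the answer describes (a port opened in a zone that accepts traffic and also listed in a zone whose target rejects it) can be run over the text that `firewall-cmd --list-all-zones` prints, before touching the live configuration. The script below is an added example and not code from the original question or answer; the sample listing is constructed from the two zone dumps shown in the question, the parser and the `find_port_conflicts` / `remediation_commands` helpers are my own, and it only prints the `firewall-cmd --remove-port` commands rather than executing them.

```python
"""Parse `firewall-cmd --list-all-zones` output and flag ports that are
allowed in one zone but listed again in a REJECT/DROP zone.

Added example, not from the original post. SAMPLE_LISTING is constructed
from the zone dumps in the question; feed it real output with
`firewall-cmd --list-all-zones | python3 this_script.py` in practice.
"""
import sys

SAMPLE_LISTING = """\
020_scom (active)
  target: default
  icmp-block-inversion: no
  interfaces:
  sources: 1.2.3.4/32 2.3.1.2/32
  services:
  ports: 1270/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports: 80/tcp 443/tcp 1270/tcp 6082/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""

# firewalld zone targets that discard traffic instead of accepting it.
REJECTING_TARGETS = {"%%REJECT%%", "DROP"}


def parse_zones(listing):
    """Return {zone_name: {field: value, "active": bool}} from the listing text.

    Zone headers are unindented ("block", "020_scom (active)"); every
    indented "key: value" line belongs to the most recent header.
    """
    zones = {}
    current = None
    for line in listing.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            name = line.split()[0]
            current = zones.setdefault(name, {"active": "(active)" in line})
            continue
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return zones


def find_port_conflicts(zones):
    """List (port, allow_zone, reject_zone) tuples, sorted by port.

    A conflict is a port under "ports:" in a zone whose target accepts
    (default/ACCEPT) that also appears under "ports:" in a zone whose
    target is %%REJECT%% or DROP, which is exactly the question's setup.
    """
    ports_by_zone = {n: set(z.get("ports", "").split()) for n, z in zones.items()}
    conflicts = []
    for allow_name, allow_zone in zones.items():
        if allow_zone.get("target") in REJECTING_TARGETS:
            continue
        for reject_name, reject_zone in zones.items():
            if reject_zone.get("target") not in REJECTING_TARGETS:
                continue
            for port in sorted(ports_by_zone[allow_name] & ports_by_zone[reject_name]):
                conflicts.append((port, allow_name, reject_name))
    return conflicts


def remediation_commands(conflicts):
    """Commands (not executed here) that drop each conflicting port from the
    rejecting zone permanently, followed by the reload the answer recommends."""
    cmds = [f"firewall-cmd --zone={rz} --remove-port={port} --permanent"
            for port, _allow, rz in conflicts]
    if cmds:
        cmds.append("firewall-cmd --reload")
    return cmds


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    found = find_port_conflicts(parse_zones(text))
    for port, az, rz in found:
        print(f"{port}: allowed in zone {az} but also listed in rejecting zone {rz}")
    print("\n".join(remediation_commands(found)))
```

On the question's listing this reports `1270/tcp` as allowed in `020_scom` and listed in `block`, and prints the same two `firewall-cmd` commands the answer gives. Rich rules and services are not inspected, so a port opened through a service name or a rich rule would need the same comparison extended to those fields.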