Still new to firewalld and nftables.
I created a custom zone named ssh-admins, and had two source subnets, 10.251.0.0/24 and 10.100.0.0/24.
I then removed the 10.100.0.0/24, as shown below, made it permanent, and rebooted, but I can still ssh in from a 10.100.0.0/24 subnet, what am I missing here?
ssh-admins (active)
target: default
icmp-block-inversion: no
interfaces: ens192
sources: 10.251.0.0/24
services: ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
I have also removed ssh from the public zone
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
IF packet is from 10.251.0.0/24
OR packet came in via ens192
THEN it is in zone ssh-admins
In other words, if the ens192 is your only interface, then everything is in zone ssh-admins.
You do want the ens192 to be in some other zone, like your ‘public’.
This is all FirewallD; actual rules in kernel would be equivalent whether the backend is netfilter or nf-tables.
Currently and for the foreseeable future it will only have ens192.
So for the below, what is the point in source IP if it ignores it?
IF packet is from 10.251.0.0/24 10.100.0.0/24
OR packet came in via ens192
THEN it is in zone ssh-admins
This is what I originally had before removing the 10.100.0.0/24 subnet
ssh-admins (active)
target: default
icmp-block-inversion: no
interfaces: ens192
sources: 10.251.0.0/24 10.100.0.0/24
services: ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Do I need to set the target to DROP for ssh-admins?
No, you want something like:
ssh-admins (active)
target: default
icmp-block-inversion: no
interfaces:
sources: 10.251.0.0/24
services: ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
public (active)
target: default
icmp-block-inversion: no
interfaces: ens192
sources:
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
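To make the zone-selection logic in the reply concrete, here is an added model (not code from the thread or from firewalld itself) that classifies a packet by source subnet first and ingress interface second, which is the order firewalld evaluates zone bindings; the zone definitions are the two layouts from this thread, and the 10.x.0.7 addresses are constructed samples.

```python
import ipaddress

# Assumption, matching firewalld's documented behaviour: a zone's source
# bindings are checked before any interface bindings, then the default zone.
# Target handling is simplified to "service listed or not" for this model.

def pick_zone(zones, default_zone, src_ip, iface):
    """Return the zone a packet from src_ip arriving on iface lands in."""
    ip = ipaddress.ip_address(src_ip)
    # Source matches win over interface matches.
    for name, zone in zones.items():
        if any(ip in ipaddress.ip_network(net) for net in zone.get("sources", [])):
            return name
    # Only then does the ingress interface decide.
    for name, zone in zones.items():
        if iface in zone.get("interfaces", []):
            return name
    return default_zone

def ssh_allowed(zones, default_zone, src_ip, iface):
    """True if the selected zone lists the ssh service."""
    zone = pick_zone(zones, default_zone, src_ip, iface)
    return "ssh" in zones[zone].get("services", [])

# The poster's original layout: ens192 bound to ssh-admins, so every
# packet on that interface ends up in ssh-admins regardless of source.
ORIGINAL = {
    "ssh-admins": {"interfaces": ["ens192"], "sources": ["10.251.0.0/24"], "services": ["ssh"]},
    "public": {"interfaces": [], "sources": [], "services": []},
}

# The layout from the reply: interface in public, only the source in ssh-admins.
FIXED = {
    "ssh-admins": {"interfaces": [], "sources": ["10.251.0.0/24"], "services": ["ssh"]},
    "public": {"interfaces": ["ens192"], "sources": [], "services": []},
}

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        for ip in ("10.251.0.7", "10.100.0.7"):  # constructed sample addresses
            print(label, ip, pick_zone(cfg, "public", ip, "ens192"),
                  "ssh" if ssh_allowed(cfg, "public", ip, "ens192") else "no ssh")
```

Running it shows 10.100.0.7 landing in ssh-admins under the original layout (ssh reachable) and in public under the fixed one (no ssh), while 10.251.0.7 keeps ssh in both.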
Thanks for the advice, I now have this and works great.
Created new zone named management
Remove sources and services from public
Add sources and services to management
End result looked like this:
public (active)
target: default
interfaces: ens192
sources:
services:
management (active)
target: default
interfaces:
sources: 10.251.0.0/24
services: cockpit ssh
And
firewall-cmd --list-all
firewall-cmd --new-zone=management --permanent
firewall-cmd --reload
firewall-cmd --list-all
firewall-cmd --get-zones
firewall-cmd --zone=management --add-source=10.251.0.0/24 --permanent
firewall-cmd --reload
firewall-cmd --zone=management --add-service=ssh --permanent
firewall-cmd --zone=management --add-service=cockpit --permanent
firewall-cmd --reload
firewall-cmd --list-all-zones
firewall-cmd --permanent --zone=public --remove-service=ssh
firewall-cmd --permanent --zone=public --remove-service=cockpit
firewall-cmd --reload
firewall-cmd --list-all-zones
firewall-cmd --runtime-to-permanent