Firewalld not blocking incoming requests

vmxes · 06-06-2016, 01:45 PM

Hello,

I use CentOS and just changed my firewalld settings to use drop zone and allow incoming traffic only from some IP ranges.
I think my setup is not correct as I can still access my server from anywhere.
What did I wrong?

My setup:

Code:

firewall-cmd --get-active-zones                                                                    drop
  interfaces: enp1s0

Code:

firewall-cmd --state
running

Code:

firewall-cmd --zone=drop --list-all
drop (default, active)
  interfaces: enp1s0
  sources:
  services:
  ports: 8080/tcp 80/tcp 8888/tcp 22/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="180.76.0.0/16" accept
        rule family="ipv4" source address="46.107.0.0/16" accept
        rule family="ipv4" source address="188.6.0.0/16" accept
        rule family="ipv4" source address="178.48.0.0/16" accept
        rule family="ipv4" source address="84.0.0.0/16" accept
        rule family="ipv4" source address="84.2.0.0/16" accept

custangro · 06-06-2016, 04:15 PM

Try adding a rich rule to drop all other traffic

vmxes · 06-06-2016, 04:29 PM

Do you mean adding the rule below at the end?

Code:

firewall-cmd --zone=drop --permanent --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" reject'

custangro · 06-06-2016, 04:31 PM

Yes, test that out and see if that's the behavior you want.

vmxes · 06-06-2016, 04:50 PM

Unfortunately if I add the reject rule it kills my accept rules and I can not connect to the server

vmxes · 06-07-2016, 03:24 AM

Now it seems I have found the solution. I removed all port entries and add only specific rich rules.
Now my config looks like this:

Code:

firewall-cmd --list-all
drop (default, active)
  interfaces: enp1s0
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.0.0/16" port port="22" protocol="tcp" accept
        ...