With firewalld in RHEL/CentOS 7, when I add a source address to a zone and the
service (http) is not defined in that zone, I expect connection attempts from the source address for that service to be denied. Instead I'm finding that it is allowed.
Client machine:
Code:
[root@outsider2 ~]# ip a | grep eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
inet 192.168.100.200/24 brd 192.168.100.255 scope global eth0
[root@outsider2 ~]# curl http://server1
server1 web server
Server1 running firewalld
Code:
[root@server1 ~]# firewall-cmd --permanent --zone=work --list-all
work
interfaces:
sources: 192.168.100.200/24
services: dhcpv6-client ipp-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@server1 ~]# firewall-cmd --permanent --list-all-zones | grep -B 2 '192.168.100.200/24'
work
interfaces:
sources: 192.168.100.200/24
[root@server1 ~]# tail -n1 /var/log/httpd/access_log
192.168.100.200 - - [10/Apr/2016:11:04:53 -0700] "GET / HTTP/1.1" 200 13 "-" "curl/7.29.0"
I thought that firewalld separated all incoming traffic into zones with each
zone having its own set of rules. Then it followed this logic where the first
rule that matches wins:
1. If the source address of an incoming packet matches a source rule set up for a zone, that
packet will be routed through that zone.
2. If the incoming interface for a packet matches a filter set up for a zone, that zone will be used.
3. Otherwise, the default zone is used. The default zone is not a separate zone; instead, it
points to one of the other zones defined on the system.
These are virtual machines but as far as I can tell this should not be a factor. (?)
FYI - the drop zone denies correctly. A rich rule denies correctly.
firewalld-0.3.9-7.el7.noarch
Red Hat Enterprise Linux Server release 7.0 (Maipo)
My searching has not enlightened me. Am I missing something?
Thanks for your time.
Gary
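Added example, not part of the original post or of firewalld itself: a small Python model of the three-step zone lookup described in the question (source match, then ingress interface, then default zone), plus a check that compares the runtime zone listing with the permanent one. The two listings are constructed to mirror the output shown above (a `work` zone bound to 192.168.100.200/24 with no http service) and are not copied from a live host; the `--list-all-zones` text format is assumed to follow the shape seen in the post, with an optional "(default, active)" tag on active zones. The runtime-versus-permanent diff is the check worth running first, because `--permanent` changes are not applied until `firewall-cmd --reload`, and the post only shows the `--permanent` view.

```python
"""Toy model of firewalld zone selection (added example, not firewalld's own code).

A packet is assigned to the first zone whose `sources` contain its source
address; failing that, to the zone owning its ingress interface; failing that,
to the default zone.  The chosen zone's `services` list then decides whether a
service is accepted.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed: a runtime view (`firewall-cmd --list-all-zones`) taken before a
# `--reload`, so the source added with --permanent is not yet bound to `work`.
RUNTIME_ZONES = """\
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client http ssh

work
  interfaces:
  sources:
  services: dhcpv6-client ipp-client ssh
"""

# Constructed: the permanent view (`firewall-cmd --permanent --list-all-zones`).
PERMANENT_ZONES = """\
public
  interfaces: eth0
  sources:
  services: dhcpv6-client http ssh

work
  interfaces:
  sources: 192.168.100.200/24
  services: dhcpv6-client ipp-client ssh
"""

Zones = Dict[str, Dict[str, List[str]]]


def parse_zones(text: str) -> Tuple[Zones, str]:
    """Parse `--list-all-zones` style output into {zone: {field: [values]}}.

    Returns (zones, default_zone).  A line without ':' starts a new zone; its
    first token is the zone name, and a "(default, active)" tag, when present,
    marks the default zone (the permanent view has no such tag, so "" is
    returned there).  `key: values` lines are split on whitespace into lists.
    """
    zones: Zones = {}
    default = ""
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            current = line.split()[0]
            zones[current] = {"interfaces": [], "sources": [], "services": []}
            if "default" in line[len(current):]:
                default = current
            continue
        key, _, value = line.partition(":")
        if current and key.strip() in zones[current]:
            zones[current][key.strip()] = value.split()
    return zones, default


def resolve_zone(zones: Zones, default_zone: str, src_ip: str, iface: str) -> str:
    """Apply the lookup order from the question: sources, then interface, then default."""
    addr = ipaddress.ip_address(src_ip)
    for name, zone in zones.items():            # 1. a matching source rule wins
        for net in zone["sources"]:
            if addr in ipaddress.ip_network(net, strict=False):
                return name
    for name, zone in zones.items():            # 2. then the ingress interface
        if iface in zone["interfaces"]:
            return name
    return default_zone                          # 3. otherwise the default zone


def service_allowed(text: str, src_ip: str, iface: str, service: str,
                    default_zone: str = "public") -> Tuple[str, bool]:
    """Return (zone, allowed) for one packet evaluated against one zone listing."""
    zones, default = parse_zones(text)
    zone = resolve_zone(zones, default or default_zone, src_ip, iface)
    return zone, service in zones.get(zone, {}).get("services", [])


def diff_zone_configs(runtime_text: str, permanent_text: str) -> List[Tuple[str, str, List[str], List[str]]]:
    """List (zone, field, runtime_values, permanent_values) where the views disagree.

    A non-empty result is the first thing to rule out when a zone looks right
    but traffic still passes: --permanent edits are inert until `--reload`.
    """
    runtime, _ = parse_zones(runtime_text)
    permanent, _ = parse_zones(permanent_text)
    diffs = []
    for name in sorted(set(runtime) | set(permanent)):
        r, p = runtime.get(name, {}), permanent.get(name, {})
        for field in ("interfaces", "sources", "services"):
            if r.get(field, []) != p.get(field, []):
                diffs.append((name, field, r.get(field, []), p.get(field, [])))
    return diffs


if __name__ == "__main__":
    # Constructed packet: the client's curl to port 80 arriving on eth0.
    for label, text in (("runtime", RUNTIME_ZONES), ("permanent", PERMANENT_ZONES)):
        zone, ok = service_allowed(text, "192.168.100.200", "eth0", "http")
        print(f"{label:9s} view: zone={zone:7s} http allowed={ok}")
    for d in diff_zone_configs(RUNTIME_ZONES, PERMANENT_ZONES):
        print("differs:", d)
```

Run against the two constructed listings, the runtime view lands the client in `public` (interface match, http allowed) while the permanent view lands it in `work` (source match, http denied), and the diff reports exactly the `work` zone's `sources` field. On a real host the same comparison is `firewall-cmd --list-all-zones` versus `firewall-cmd --permanent --list-all-zones`.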