LinuxQuestions.org

Linux - Security: Firewalld not blocking incoming requests (https://www.linuxquestions.org/questions/linux-security-4/firewalld-not-blocking-incoming-requests-4175581589/)

vmxes 06-06-2016 01:45 PM

Firewalld not blocking incoming requests
 
Hello,

I use CentOS and just changed my firewalld settings to use drop zone and allow incoming traffic only from some IP ranges.
I think my setup is not correct as I can still access my server from anywhere.
What did I do wrong?

My setup:
Code:

firewall-cmd --get-active-zones
drop
  interfaces: enp1s0

Code:

firewall-cmd --state
running

Code:

firewall-cmd --zone=drop --list-all
drop (default, active)
  interfaces: enp1s0
  sources:
  services:
  ports: 8080/tcp 80/tcp 8888/tcp 22/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="180.76.0.0/16" accept
        rule family="ipv4" source address="46.107.0.0/16" accept
        rule family="ipv4" source address="188.6.0.0/16" accept
        rule family="ipv4" source address="178.48.0.0/16" accept
        rule family="ipv4" source address="84.0.0.0/16" accept
        rule family="ipv4" source address="84.2.0.0/16" accept


custangro 06-06-2016 04:15 PM

Try adding a rich rule to drop all other traffic

vmxes 06-06-2016 04:29 PM

Do you mean adding the rule below at the end?

Code:

firewall-cmd --zone=drop --permanent --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" reject'

custangro 06-06-2016 04:31 PM

Yes, test that out and see if that's the behavior you want.

vmxes 06-06-2016 04:50 PM

Unfortunately, if I add the reject rule it kills my accept rules and I cannot connect to the server :(

vmxes 06-07-2016 03:24 AM

Now it seems I have found the solution. I removed all port entries and added only specific rich rules.
Now my config looks like this:

Code:

firewall-cmd --list-all
drop (default, active)
  interfaces: enp1s0
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.0.0/16" port port="22" protocol="tcp" accept
        ...
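
As an added illustration (not code from any poster in this thread), the following Python model shows why the original zone let everyone in, why the `0.0.0.0/0 reject` rich rule locked everything out, and why the final source-plus-port rich rules work. It is a simplified teaching model of firewalld's evaluation order (rich deny rules before any allow rule, zone-level ports accepting from any source, rich accept rules, then the zone target), not firewalld's own code; the ports and subnets are taken from the posts above, shortened to a few entries.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RichRule:
    source: str                 # CIDR, as in rule family="ipv4" source address="..."
    action: str                 # "accept", "reject" or "drop"
    port: Optional[int] = None  # None = any port, like the thread's first accept rules
    proto: str = "tcp"


@dataclass
class Zone:
    target: str = "DROP"        # zone target; the drop zone drops unmatched traffic
    ports: List[Tuple[str, str]] = field(default_factory=list)  # zone-level open ports
    rich: List[RichRule] = field(default_factory=list)


def evaluate(zone: Zone, src_ip: str, dport: int, proto: str = "tcp") -> str:
    """Decide one incoming packet's fate under a simplified firewalld order
    (assumption: deny rich rules -> zone ports -> accept rich rules -> target)."""
    ip = ipaddress.ip_address(src_ip)

    def matches(r: RichRule) -> bool:
        return (ip in ipaddress.ip_network(r.source) and r.proto == proto
                and (r.port is None or r.port == dport))

    # Deny rules are consulted first, so a 0.0.0.0/0 reject shadows every accept.
    for r in zone.rich:
        if r.action in ("reject", "drop") and matches(r):
            return r.action
    # Zone-level ports match regardless of the source address.
    if (str(dport), proto) in zone.ports:
        return "accept"
    for r in zone.rich:
        if r.action == "accept" and matches(r):
            return "accept"
    return zone.target.lower()


# Constructed zone configs mirroring the thread (subset of the posted entries).
ORIGINAL = Zone(ports=[("8080", "tcp"), ("80", "tcp"), ("8888", "tcp"), ("22", "tcp")],
                rich=[RichRule("46.107.0.0/16", "accept"), RichRule("84.2.0.0/16", "accept")])
WITH_REJECT_ALL = Zone(ports=ORIGINAL.ports,
                       rich=ORIGINAL.rich + [RichRule("0.0.0.0/0", "reject")])
FIXED = Zone(rich=[RichRule("192.168.0.0/16", "accept", port=22)])
```

Running `evaluate(ORIGINAL, "1.2.3.4", 22)` returns "accept" because port 22 is open at zone level, while `evaluate(FIXED, "1.2.3.4", 22)` returns "drop" and only the listed subnet reaches port 22.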


