How to block incoming and outgoing connections with IP?
by Patrick Hinkley
Given an IP address, how can I prevent any connection both to and from that IP? If there are multiple methods, please describe the pros and cons of each.
I've found a lot of contradictory and confusing information about this online and in the documentation.
Thanks for any help!
8 years, 7 months
OpenConnect (443) vs firewalld
by Gottfried Haider
Hello all,
I was wondering if someone can point me in the right direction with this one:
When I start up the openconnect server (ocserv) on my server
automatically, I can't seem to connect from the client ("Failed to
connect to host", "Failed to open HTTPS connection"). It does work,
though, when I either start or restart ocserv when the server has
already been running, or when I disable firewalld from loading.
This is on a pretty normal Fedora 20 server (ocserv 0.8.4), which uses
the standalone ocserv.service (i.e. not socket-activated). Firewalld
has a permanent rule to open port 445.
The systemd serialization looks good to me: firewalld.service
completes before the network.target that ocserv.service depends on.
Any ideas?
Thanks
Gottfried
PS: Please CC me for replies.
9 years
Direct rules in direct.xml
by Sergio Villar Senin
Hi,
I had understood that direct rules stored in the direct.xml do survive
reloads/reboots. At least in my case (Debian 7 with firewalld 0.3.12)
that's not the case, meaning that after a reload no direct rules are
applied.
Is it a known issue? Is it working as expected? How should I proceed to
make them permanent? (and no, I cannot use rich rules in this case due to
the same reasons mentioned in [1]).
BR
[1] https://bugzilla.redhat.com/show_bug.cgi?id=892801
9 years
Using firewalld puppet module with multiple unrelated services
by Robin Bowes
Hi,
Suppose I have a set of profiles, each delivering a specific service to a
node. For example:
profile_lms - installs Logitech Media Server
profile_plex - installs Plex
Each service requires a different set of ports to be opened on the node
firewall.
How can I make it so that adding a profile to a node results in any
firewalld::services defined in that profile being added to the same zone on
the node?
So, suppose profile_lms looks like this:
class profile_lms {
  firewalld::service { 'lms':
    description => 'Logitech Media Server',
    ports       => [
      # Logitech Media Server
      { port => '9000', protocol => 'tcp' },
      { port => '3483', protocol => 'tcp' },
      { port => '3483', protocol => 'udp' },
      # LMS Spotify plugin
      { port => '9005', protocol => 'tcp' },
    ],
  }
}
and profile_plex looks like this:
class profile_plex {
  # Resource title is the service name the zone refers to ('plex', not 'lms')
  firewalld::service { 'plex':
    description => 'PLEX',
    ports       => [
      { port => '32400', protocol => 'tcp' },
    ],
  }
}
And on the node in question, I include those nodes like this:
node 'media_server' {
  include ::profile_lms
  include ::profile_plex
}
I need to define the public zone, using something like:
firewalld::zone { 'public':
  services => ['dhcpv6-client', 'ssh', 'lms', 'plex'],
}
Is there some way to "collect" all the services defined in the various
profiles and add them to the public zone? Or do I need to do this somewhat
differently and, say, define a new zone for each service?
R.
9 years, 1 month
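One way around the collection problem, as an added example that is neither Robin's code nor part of the firewalld puppet module: instead of gathering every service name into one zone's services array, each profile binds its own service to the zone through a hypothetical profile::zone_service wrapper that drives firewall-cmd directly. It assumes the module's firewalld::service (from the post) has already written the service definition; the profile::firewall class, the zone_service type and the exec names are all invented here.

```puppet
# Hypothetical helper class: one reload exec shared by every profile.
class profile::firewall {
  exec { 'firewalld-reload':
    command     => 'firewall-cmd --reload',
    path        => ['/usr/bin', '/bin'],
    refreshonly => true,
  }
}

# Hypothetical wrapper: bind service $name to $zone in the permanent
# config, idempotently, without touching any other service in the zone.
define profile::zone_service ($zone = 'public') {
  include profile::firewall
  exec { "firewalld-${zone}-add-${name}":
    command => "firewall-cmd --permanent --zone=${zone} --add-service=${name}",
    unless  => "firewall-cmd --permanent --zone=${zone} --query-service=${name}",
    path    => ['/usr/bin', '/bin'],
    require => Firewalld::Service[$name],  # service XML must exist first
    notify  => Exec['firewalld-reload'],   # make the permanent change live
  }
}

class profile_lms {
  firewalld::service { 'lms':
    description => 'Logitech Media Server',
    ports       => [
      { port => '9000', protocol => 'tcp' },
      { port => '3483', protocol => 'tcp' },
      { port => '3483', protocol => 'udp' },
      { port => '9005', protocol => 'tcp' },
    ],
  }
  profile::zone_service { 'lms': }          # zone defaults to 'public'
}

class profile_plex {
  firewalld::service { 'plex':
    description => 'PLEX',
    ports       => [ { port => '32400', protocol => 'tcp' } ],
  }
  profile::zone_service { 'plex': }
}

# The node only lists profiles; zone membership follows each profile.
node 'media_server' {
  include ::profile_lms
  include ::profile_plex
}
```

Trade-off: nothing in Puppet then owns the zone's full service list, so a service dropped from a profile stays in the zone until removed by hand, and a separate firewalld::zone { 'public': services => [...] } declaration would fight with these execs. If firewall-cmd reports the new service as unknown, a reload is needed between firewalld::service and the exec (an assumption about when the module's XML becomes visible to the daemon).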