How to block incoming and outgoing connections with an IP?
by Patrick Hinkley
Given an IP address, how can I prevent any connection both to and from that IP? If there are multiple methods, please describe the pros and cons of each.
I've found a lot of contradictory and confusing information about this online and in the documentation.
Thanks for any help!
8 years, 8 months
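Added example, not from the thread or the firewalld project: a POSIX shell helper that prints (or, with APPLY=1, executes) the firewall-cmd calls for dropping all traffic to and from one IPv4 address, with the trade-off of each method in the comments. The function names, the default zone (`public`) and the 203.0.113.5 documentation address are assumptions of this example.

```shell
#!/bin/sh
# Emit (APPLY=1 executes) the firewall-cmd calls that drop every packet to or
# from one IPv4 address. 203.0.113.5 below is a documentation address.
#
# Method 1, rich rule: stays inside firewalld's zone model and shows up in
# `firewall-cmd --list-all`, but zones only evaluate INCOMING packets, so it
# cannot stop this host (or hosts it routes for) from reaching the address.
# Method 2, direct rules: raw iptables arguments in OUTPUT/FORWARD, so they
# cover the outbound side, but they bypass the zone abstraction and are only
# visible via `firewall-cmd --direct --get-all-rules`.
block_ip_cmds() {
  ip=$1
  zone=${2:-public}
  # Accept only a dotted quad: the value lands on a command line, so an
  # unvalidated string would be a command-injection risk.
  case $ip in
    *[!0-9.]*|*..*|.*|*.|"") return 1 ;;
  esac
  set -- $(printf '%s' "$ip" | tr . ' ')
  [ $# -eq 4 ] || return 1
  for octet; do [ "$octet" -le 255 ] || return 1; done
  # Method 1: inbound, in the chosen zone (new connections and replies from $ip)
  echo "firewall-cmd --permanent --zone=$zone --add-rich-rule='rule family=\"ipv4\" source address=\"$ip\" drop'"
  # Method 2: outbound from this host, plus traffic this host would forward
  echo "firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -d $ip -j DROP"
  echo "firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -d $ip -j DROP"
  # Permanent rules take effect only after a reload
  echo "firewall-cmd --reload"
}

run_block() {
  cmds=$(block_ip_cmds "$@") || { echo "invalid address: $1" >&2; return 1; }
  if [ "${APPLY:-0}" = 1 ]; then
    echo "$cmds" | sh -e
  else
    echo "$cmds"
  fi
}

# Dry run: print the commands for the documentation address
run_block 203.0.113.5 public
```

Run with `APPLY=1` as root to actually apply the rules; verify afterwards with `firewall-cmd --list-rich-rules` and `firewall-cmd --direct --get-all-rules`.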
Actions only enforced in certain zones?
by Chris Bell
Hi all,
I'm having an incredibly frustrating time getting firewalld to function
properly, and it seems to come down to peculiar behavior regarding rules
and zones.
My box is connected to 3 networks: two internal and one public. The two
internal networks are bridged and routed properly: with firewalld
completely disabled, all traffic back-and-forth across the networks is
properly routed. When I enabled firewalld and added the bridge (and both
actual interfaces) to the 'trusted' zone, routing suddenly broke. All ssh
connections were being forwarded to one specific machine on the network for
any address in either internal subnet. I tried various fixes, but nothing
worked until: I moved the interfaces from 'trusted' to 'internal'. Now they
route properly, and internet traffic is correctly routed via the public
network (via NAT/masquerade).
Then the second quirk: I wanted to block ICMP echo requests from the
external network. At the time, I had the NIC connected to the public
network in the 'external' zone. When I added the icmp-block for
echo-request and echo-reply, and tried pinging that IP, the pings returned
fine. I added every single supported ICMP block, and even tried blocking
them with rich rules, but nothing worked. Until: I moved the interface from
'external' to 'public'.
So, my question is, what gives? The documentation is... very vague about
how, exactly, these zones are treated by firewalld's internal mechanics.
Inter-NIC routing doesn't work in TRUSTED. ICMP blocks only work in PUBLIC.
I've tested this extensively on my box, with consistent results. Am I
missing something?
$ firewall-cmd --version
0.3.14.2
Thanks in advance!
Chris
--
Chris Bell
PGP Key ID: 63949CD7
Ph.D. Candidate, Teaching Assistant, Gentleman, Scholar, Penguin Wrangler
University of South Florida
College of Engineering
Department of Computer Science and Engineering
NarMOS Research Team, Official Daemon Charmer
PGP Public Key: http://narmos.org/~cwbell/63949CD7.pub.gpg.asc
Fingerprint: 26EB C946 AAB6 76BE 476E F96D FF34 7DC9 6394 9CD7
8 years, 9 months
remote connect with vpn
by Samuel Irlapati
Hi Everyone,
I hope you guys can help me out with what I am trying to accomplish.
I have the following config:
[root@Router log]# firewall-cmd --get-active-zones
VPN
  interfaces: tun0
external
  interfaces: p2p1
internal
  interfaces: p6p1
[root@Router log]# firewall-cmd --zone=VPN --list-all
VPN (active)
  interfaces: tun0
  sources:
  services:
  ports:
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:
[root@Router log]# firewall-cmd --zone=external --list-all
external (active)
  interfaces: p2p1
  sources:
  services: http https ssh
  ports: 2012/tcp
  masquerade: yes
  forward-ports: port=2082:proto=tcp:toport=22:toaddr=192.168.13.108
        port=2072:proto=tcp:toport=22:toaddr=192.168.13.107
        port=5000-5020:proto=tcp:toport=5000-5020:toaddr=192.168.13.104
        port=2052:proto=tcp:toport=22:toaddr=192.168.13.105
        port=2092:proto=tcp:toport=22:toaddr=192.168.13.109
        port=2042:proto=tcp:toport=22:toaddr=192.168.13.104
        port=2062:proto=tcp:toport=22:toaddr=192.168.13.106
        port=5000-5020:proto=udp:toport=5000-5020:toaddr=192.168.13.104
        port=2022:proto=tcp:toport=22:toaddr=192.168.13.102
  icmp-blocks:
  rich rules:
[root@Router log]# firewall-cmd --zone=internal --list-all
internal (default, active)
  interfaces: p6p1
  sources:
  services: Viber dhcp dhcpv6-client dns google-services hangouts http https ipp-client mdns samba-client ssh vnc-server
  ports: 2032/tcp 3126/tcp 3127/tcp 8080/tcp 10000/tcp 3128/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
[root@Router log]#
When the VPN is not connected, I am able to connect from a remote location
because of all the port forwardings that are defined in the external
zone. When the VPN is connected, they don't work. I was wondering if any
of you could help me out to get the port forwarding in the external zone
to work even when the VPN is connected.
sam
8 years, 9 months