On 2020-06-17 04:23, Eric Garver wrote:
On Wed, Jun 17, 2020 at 03:34:32AM +0800, Ed Greshko wrote:
> On 2020-06-17 03:23, Eric Garver wrote:
>> If you've recently updated firewalld check for AllowZoneDrifting in
/etc/firewalld/firewalld.conf.
>>
>> Based on the bits of info you gave above you may have been unknowingly
making use of undesired behavior.
>> See this blog post for further information:
>>
>>     https://firewalld.org/2020/01/allowzonedrifting
>>
>> Hope that helps.
>
> No difference when set to "yes". :-(
Can you show your firewalld configuration?
# firewall-cmd --list-all-zones
I wonder if you have port forwarding (e.g. 22 -> foo) on the firewalld node, or a rich rule
with a forward-port/redirect action. That would hijack the SSH connection attempt before it
reaches sshd, so check the "forward-ports:" and "rich rules:" lines of the active zone(s)
in the output below.
Just for refresher....
[egreshko@meimei ~]$ sudo firewall-cmd --get-active-zones
libvirt
interfaces: virbr0
public
interfaces: enp2s0 wlp4s0
And then....
[egreshko@meimei ~]$ sudo firewall-cmd --list-all-zones
FedoraServer
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
FedoraWorkstation
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client samba-client ssh
ports: 1025-65535/udp 1025-65535/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns mountd nfs nfs3 rpc-bind samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
libvirt (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: virbr0
sources:
services: dhcp dhcpv6 dns mountd nfs nfs3 rpc-bind ssh
ports:
protocols: icmp ipv6-icmp
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule priority="32767" reject
nm-shared
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services: dhcp dns
ports:
protocols: icmp ipv6-icmp
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule priority="32767" reject
public (active)
target: default
icmp-block-inversion: no
interfaces: enp2s0 wlp4s0
sources:
services: dhcpv6-client dns kdeconnect mdns mountd nfs nfs3 rpc-bind samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
trusted
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules: