Thanks. That explains it. I thought they would be checked in a different order. I
solved this another way, by moving ntp to the public zone and deactivating internal by
removing the sources.
---
Chad Cordero
Information Technology Consultant
Enterprise & Cloud Services
Information Technology Services
California State University, San Bernardino
5500 University Pkwy
San Bernardino, CA 92407-2393
Main Line: 909/537-7677
Direct Line: 909/537-7281
Fax: 909/537-7141
http://support.csusb.edu/
---
Disclaimer: This e-mail message is for the sole use of the intended recipient(s) and may
contain confidential and privileged information protected from disclosure. If the reader
of this message is not the intended recipient, or an employee or agent responsible for
delivering this message to the intended recipient, you are hereby notified that any
dissemination, distribution or copying of this communication is strictly prohibited. If
you have received this communication in error, please notify us immediately by replying to
the message and deleting it from your computer.
From: Thomas Woerner <twoerner(a)redhat.com>
Date: Thursday, April 20, 2017 at 1:58 AM
To: Firewalld users discussion list <firewalld-users(a)lists.fedorahosted.org>, Chad
Cordero <ccordero(a)csusb.edu>
Subject: Re: Trusted zone not working
Hello Chad,
On 04/19/2017 12:46 AM, Chad Cordero wrote:
For some reason my trusted host, a.b.249.25, (a.b represents my subnet) cannot access ssh.
Is there some limit to the number of zones I can have?
sh-4.2# firewall-cmd --version
0.4.3.2
sh-4.2# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: smtp submission
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
sh-4.2# firewall-cmd --zone=internal --list-all
internal (active)
target: default
icmp-block-inversion: no
interfaces:
sources: a.b.0.0/16
services: ntp
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
sh-4.2# firewall-cmd --zone=work --list-all
work (active)
target: default
icmp-block-inversion: no
interfaces:
sources: a.b.111.0/24 a.b.75.64/27
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
sh-4.2# firewall-cmd --zone=trusted --list-all
trusted (active)
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources: a.b.141.137 a.b.249.25 a.b.249.254 a.b.75.66
services:
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
There are overlapping sources. Right now firewalld is ordering zones by name
and this also affects the source bindings of zones. The internal zone is
therefore handled before work and trusted.
To make your setup work you can simply rename internal to Z_internal to make
sure that it is handled last.
I am sorry, but code to order sources (subnets) according to the size of the
source has not been added to firewalld yet.
Thomas
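The behaviour Thomas describes (source-bound zones consulted in zone-name order, so a broad network in an early-sorting zone captures hosts that later zones bind more specifically) can be checked offline before touching a live host. The script below is an added example, not firewalld code and not anything posted in this thread: it models the zone table quoted above with the constructed prefix 10.20 standing in for "a.b", resolves which zone a source address lands in, audits the table for source bindings that can never match because an earlier zone already covers them, and then applies the fix Chad settled on (ntp into public, internal left without sources). The fallback to the interface-bound zone when no source matches, and the default (case-sensitive) name sort, are assumptions of the model.

```python
import copy
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed zone table mirroring the thread's firewall-cmd output; "a.b" from
# the original is replaced by the constructed private prefix 10.20 (assumption).
ZONES: Dict[str, dict] = {
    "public":   {"target": "default", "interfaces": ["ens33"], "sources": [],
                 "services": {"smtp", "submission"}},
    "internal": {"target": "default", "interfaces": [],
                 "sources": ["10.20.0.0/16"], "services": {"ntp"}},
    "work":     {"target": "default", "interfaces": [],
                 "sources": ["10.20.111.0/24", "10.20.75.64/27"],
                 "services": {"ssh"}},
    "trusted":  {"target": "ACCEPT", "interfaces": [],
                 "sources": ["10.20.141.137", "10.20.249.25",
                             "10.20.249.254", "10.20.75.66"],
                 "services": set()},
}


def zone_for_packet(zones: Dict[str, dict], src_ip: str,
                    ingress_if: str = "ens33") -> Optional[str]:
    """Return the zone that handles a packet from src_ip arriving on ingress_if.

    Source bindings are consulted first, in sorted zone-name order, and the
    first zone whose source covers the address wins. Only if no source matches
    does the zone bound to the ingress interface apply (model assumption).
    """
    ip = ipaddress.ip_address(src_ip)
    for name in sorted(zones):
        for src in zones[name]["sources"]:
            if ip in ipaddress.ip_network(src, strict=False):
                return name
    for name in sorted(zones):
        if ingress_if in zones[name]["interfaces"]:
            return name
    return None  # no binding at all; a real host would fall to its default zone


def service_allowed(zones: Dict[str, dict], src_ip: str, service: str,
                    ingress_if: str = "ens33") -> bool:
    """True if the selected zone accepts everything (target ACCEPT) or lists the service."""
    name = zone_for_packet(zones, src_ip, ingress_if)
    if name is None:
        return False
    zone = zones[name]
    return zone["target"] == "ACCEPT" or service in zone["services"]


def shadowed_sources(zones: Dict[str, dict]) -> List[Tuple[str, str, str, str]]:
    """Audit helper: (early_zone, early_source, late_zone, late_source) tuples where a
    source bound to a later-sorting zone lies entirely inside a source of an
    earlier-sorting zone, so the later binding can never be reached."""
    names = sorted(zones)
    hits = []
    for i, early in enumerate(names):
        for late in names[i + 1:]:
            for a in zones[early]["sources"]:
                net_a = ipaddress.ip_network(a, strict=False)
                for b in zones[late]["sources"]:
                    net_b = ipaddress.ip_network(b, strict=False)
                    if net_b.subnet_of(net_a):
                        hits.append((early, a, late, b))
    return hits


def apply_thread_fix(zones: Dict[str, dict]) -> Dict[str, dict]:
    """Return a copy with the change reported at the top of the thread: ntp moved
    to the interface-bound public zone and internal emptied of sources, so the
    /16 no longer captures hosts ahead of work and trusted."""
    fixed = copy.deepcopy(zones)
    fixed["public"]["services"].add("ntp")
    fixed["internal"]["services"].discard("ntp")
    fixed["internal"]["sources"] = []
    return fixed


if __name__ == "__main__":
    host = "10.20.249.25"  # the trusted host from the thread, constructed prefix
    print("before fix:", zone_for_packet(ZONES, host),
          "ssh allowed:", service_allowed(ZONES, host, "ssh"))
    for early, a, late, b in shadowed_sources(ZONES):
        print(f"  {late} source {b} is shadowed by {early} source {a}")
    fixed = apply_thread_fix(ZONES)
    print("after fix: ", zone_for_packet(fixed, host),
          "ssh allowed:", service_allowed(fixed, host, "ssh"))
```

The audit function is the part worth keeping around: run it against an exported zone table whenever sources are added, because a new broad binding in a zone whose name sorts early silently changes which rules every more specific host receives.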
_______________________________________________
firewalld-users mailing list -- firewalld-users(a)lists.fedorahosted.org
To unsubscribe send an email to firewalld-users-leave(a)lists.fedorahosted.org