Thanks.  That explains it.  I thought they would be checked in a different order.  I solved this another way, by moving ntp to the public zone and deactivating internal by removing the sources.

---
Chad Cordero
Information Technology Consultant
Enterprise & Cloud Services
Information Technology Services
California State University, San Bernardino
5500 University Pkwy
San Bernardino, CA 92407-2393
Main Line: 909/537-7677
Direct Line: 909/537-7281
Fax: 909/537-7141
http://support.csusb.edu/
---

Disclaimer: This e-mail message is for the sole use of the intended recipient(s) and may contain confidential and privileged information protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer.

 

From: Thomas Woerner <twoerner@redhat.com>
Date: Thursday, April 20, 2017 at 1:58 AM
To: Firewalld users discussion list <firewalld-users@lists.fedorahosted.org>, Chad Cordero <ccordero@csusb.edu>
Subject: Re: Trusted zone not working

Hello Chad,

On 04/19/2017 12:46 AM, Chad Cordero wrote:

For some reason my trusted host, a.b.249.25, (a.b represents my subnet) cannot access ssh. Is there some limit to the number of zones I can have?

sh-4.2# firewall-cmd --version
0.4.3.2

sh-4.2# firewall-cmd --zone=public --list-all
public (active)
    target: default
    icmp-block-inversion: no
    interfaces: ens33
    sources:
    services: smtp submission
    ports:
    protocols:
    masquerade: no
    forward-ports:
    sourceports:
    icmp-blocks:
    rich rules:

sh-4.2# firewall-cmd --zone=internal --list-all
internal (active)
    target: default
    icmp-block-inversion: no
    interfaces:
    sources: a.b.0.0/16
    services: ntp
    ports:
    protocols:
    masquerade: no
    forward-ports:
    sourceports:
    icmp-blocks:
    rich rules:

sh-4.2# firewall-cmd --zone=work --list-all
work (active)
    target: default
    icmp-block-inversion: no
    interfaces:
    sources: a.b.111.0/24 a.b.75.64/27
    services: ssh
    ports:
    protocols:
    masquerade: no
    forward-ports:
    sourceports:
    icmp-blocks:
    rich rules:

sh-4.2# firewall-cmd --zone=trusted --list-all
trusted (active)
    target: ACCEPT
    icmp-block-inversion: no
    interfaces:
    sources: a.b.141.137 a.b.249.25 a.b.249.254 a.b.75.66
    services:
    ports:
    protocols:
    masquerade: no
    forward-ports:
    sourceports:
    icmp-blocks:
    rich rules:

There are overlapping sources. Right now firewalld is ordering zones by names and this also affects the sources bindings of zones. The internal zone is therefore handled before work and trusted.

To make your setup work you can simply rename internal to Z_internal to make sure that it is handled last.

I am sorry, but code to order sources (subnets) according to the size of the source has not been added to firewalld, yet.

Thomas

_______________________________________________
firewalld-users mailing list -- firewalld-users@lists.fedorahosted.org
To unsubscribe send an email to firewalld-users-leave@lists.fedorahosted.org
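The following is an added illustration of the zone-ordering behaviour Thomas describes above; it is not code from firewalld or from anyone in this thread. It models the four zones from Chad's `--list-all` output as a dictionary, using the constructed network 10.20.0.0/16 in place of the real "a.b" subnet, and shows three things: a first-match lookup in zone-name order picks `internal` for the trusted host (so only ntp is open), an overlap check flags every zone pair whose sources collide and is therefore decided by name alone, and a longest-prefix lookup (the ordering Thomas says was not yet implemented) would pick `trusted`. The rename fix is modelled with a lowercase `z_internal`: with byte-wise string ordering an uppercase `Z` sorts before every lowercase zone name, so the lowercase form is the one that reliably sorts last in this model. All function names are my own.

```python
import ipaddress
from itertools import combinations

# Constructed sample zones modelled on the thread's firewall-cmd output.
# 10.20.0.0/16 is a placeholder for the poster's "a.b" subnet, not the real network.
ZONES = {
    "public": {"sources": [], "services": {"smtp", "submission"}, "target": "default"},
    "internal": {"sources": ["10.20.0.0/16"], "services": {"ntp"}, "target": "default"},
    "work": {"sources": ["10.20.111.0/24", "10.20.75.64/27"], "services": {"ssh"}, "target": "default"},
    "trusted": {
        "sources": ["10.20.141.137", "10.20.249.25", "10.20.249.254", "10.20.75.66"],
        "services": set(),
        "target": "ACCEPT",
    },
}


def match_zone_by_name_order(zones, src_ip):
    """First-match lookup in zone-name order, as the thread describes for
    firewalld 0.4.x: the first zone whose source binding contains src_ip wins,
    however broad that source is. Returns None when no source matches (real
    traffic would then fall back to the interface-bound zone)."""
    ip = ipaddress.ip_address(src_ip)
    for name in sorted(zones):
        for src in zones[name]["sources"]:
            if ip in ipaddress.ip_network(src, strict=False):
                return name
    return None


def match_zone_most_specific(zones, src_ip):
    """Longest-prefix lookup: the narrowest matching source wins, with name
    order only as a tie-break. Shown for contrast with the name-order lookup."""
    ip = ipaddress.ip_address(src_ip)
    best = None  # (prefixlen, zone name)
    for name in sorted(zones):
        for src in zones[name]["sources"]:
            net = ipaddress.ip_network(src, strict=False)
            if ip in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, name)
    return None if best is None else best[1]


def ssh_allowed(zones, src_ip, lookup=match_zone_by_name_order):
    """True if the zone chosen for src_ip lets ssh through, either because its
    target is ACCEPT (the trusted zone) or because ssh is one of its services."""
    zone = lookup(zones, src_ip)
    if zone is None:
        return False
    return zones[zone]["target"] == "ACCEPT" or "ssh" in zones[zone]["services"]


def overlapping_zone_pairs(zones):
    """Every pair of zones whose source bindings overlap. Traffic from the
    shared range is assigned purely by name order, so each pair deserves review."""
    pairs = set()
    items = sorted(zones.items(), key=lambda kv: kv[0])
    for (a, za), (b, zb) in combinations(items, 2):
        for sa in za["sources"]:
            for sb in zb["sources"]:
                net_a = ipaddress.ip_network(sa, strict=False)
                net_b = ipaddress.ip_network(sb, strict=False)
                if net_a.overlaps(net_b):
                    pairs.add((a, b))
    return sorted(pairs)


def rename_zone(zones, old, new):
    """Copy of zones with one zone renamed (on a real host you would recreate
    the zone under the new name, since firewall-cmd has no rename)."""
    renamed = dict(zones)
    renamed[new] = renamed.pop(old)
    return renamed


if __name__ == "__main__":
    host = "10.20.249.25"  # stands in for the poster's trusted host a.b.249.25
    print("overlapping zone pairs:", overlapping_zone_pairs(ZONES))
    print(host, "->", match_zone_by_name_order(ZONES, host), "ssh:", ssh_allowed(ZONES, host))
    fixed = rename_zone(ZONES, "internal", "z_internal")
    print(host, "->", match_zone_by_name_order(fixed, host), "ssh:", ssh_allowed(fixed, host))
    print("most specific match:", match_zone_most_specific(ZONES, host))
```

Running the overlap check against your own zones before adding a broad source such as a /16 is the practical takeaway: any pair it reports is a place where the outcome depends on zone names rather than on the intended policy, and renaming (or, as Chad did, removing the broad source) is what makes the result deterministic.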