Hello Chad,
On 04/19/2017 12:46 AM, Chad Cordero wrote:
For some reason my trusted host, a.b.249.25, (a.b represents my
subnet) cannot access ssh. Is there some limit to the number of zones I can have?
sh-4.2# firewall-cmd --version
0.4.3.2
sh-4.2# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: smtp submission
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
sh-4.2# firewall-cmd --zone=internal --list-all
internal (active)
target: default
icmp-block-inversion: no
interfaces:
sources: a.b.0.0/16
services: ntp
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
sh-4.2# firewall-cmd --zone=work --list-all
work (active)
target: default
icmp-block-inversion: no
interfaces:
sources: a.b.111.0/24 a.b.75.64/27
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
sh-4.2# firewall-cmd --zone=trusted --list-all
trusted (active)
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources: a.b.141.137 a.b.249.25 a.b.249.254 a.b.75.66
services:
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
There are overlapping sources. Right now firewalld is ordering zones by name,
and this also affects the source bindings of zones. The internal zone is
therefore handled before work and trusted.
To make your setup work, you can simply rename internal to Z_internal to make
sure that it is handled last.
I am sorry, but code to order sources (subnets) according to the size of the
source has not been added to firewalld yet.
Thomas
---
Chad Cordero
Information Technology Consultant
Enterprise & Cloud Services
Information Technology Services
California State University, San Bernardino
5500 University Pkwy
San Bernardino, CA 92407-2393
Main Line: 909/537-7677
Direct Line: 909/537-7281
Fax: 909/537-7141
http://support.csusb.edu/
---
firewalld-users mailing list -- firewalld-users(a)lists.fedorahosted.org
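The resolution rule in the reply (zones walked in name order, first matching source wins, prefix length ignored), modelled in Python so the shadowing can be seen without a firewalld host. This is an added example, not code from the thread or from the firewalld project; 10.0.0.0/16 is a constructed stand-in for the poster's a.b.0.0/16, the function names are this example's own, and the case-insensitive name comparison used to make a Z_ prefix sort last is an assumption about firewalld's ordering, not something the thread confirms. The `shadowed_sources` audit goes beyond the single case in the thread: it lists every source binding that can never match because an earlier-sorted zone already binds a network containing it.

```python
"""Model of the firewalld 0.4.x source-binding order described in the reply.

Added example, not code from the thread or the firewalld project.  It models
two ways of picking a zone for a packet's source address: the rule the reply
describes (zones in name order, first matching source wins) and a
longest-prefix rule for comparison.  Nothing here talks to a real firewalld.
"""
import ipaddress

# Constructed copy of the poster's zone layout; a.b.0.0/16 -> 10.0.0.0/16.
ZONES = {
    "public":   {"target": "default", "services": {"smtp", "submission"},
                 "sources": []},
    "internal": {"target": "default", "services": {"ntp"},
                 "sources": ["10.0.0.0/16"]},
    "work":     {"target": "default", "services": {"ssh"},
                 "sources": ["10.0.111.0/24", "10.0.75.64/27"]},
    "trusted":  {"target": "ACCEPT", "services": set(),
                 "sources": ["10.0.141.137", "10.0.249.25",
                             "10.0.249.254", "10.0.75.66"]},
}


def _zone_order(zones):
    # Assumption: names are compared case-insensitively here so that a "Z_"
    # prefix sorts last, as the reply intends.  Confirm the real result on the
    # host with: firewall-cmd --get-zone-of-source=<address>
    return sorted(zones, key=str.lower)


def zone_by_name_order(zones, address):
    """Rule described in the reply: the first zone in name order whose source
    contains the address wins, however broad that source is."""
    ip = ipaddress.ip_address(address)
    for name in _zone_order(zones):
        for cidr in zones[name]["sources"]:
            if ip in ipaddress.ip_network(cidr, strict=False):
                return name
    return None  # no source binding matched; the interface binding would decide


def zone_by_longest_prefix(zones, address):
    """Most-specific-source rule, for comparison only (the reply says
    firewalld does not order sources by size yet)."""
    ip = ipaddress.ip_address(address)
    best_name, best_len = None, -1
    for name, zone in zones.items():
        for cidr in zone["sources"]:
            net = ipaddress.ip_network(cidr, strict=False)
            if ip in net and net.prefixlen > best_len:
                best_name, best_len = name, net.prefixlen
    return best_name


def ssh_allowed(zones, address, resolver=zone_by_name_order):
    """True if the zone chosen by `resolver` accepts new SSH connections."""
    name = resolver(zones, address)
    if name is None:
        return False
    zone = zones[name]
    return zone["target"] == "ACCEPT" or "ssh" in zone["services"]


def rename_zone(zones, old, new):
    """Copy of `zones` with `old` renamed to `new` (the reply's workaround)."""
    renamed = dict(zones)
    renamed[new] = renamed.pop(old)
    return renamed


def shadowed_sources(zones):
    """Audit: every source that can never match because an earlier-sorted zone
    binds a network containing it.  Returns a list of
    (shadowed_zone, shadowed_cidr, shadowing_zone, shadowing_cidr)."""
    order = _zone_order(zones)
    found = []
    for i, later in enumerate(order):
        for cidr in zones[later]["sources"]:
            net = ipaddress.ip_network(cidr, strict=False)
            for earlier in order[:i]:
                for other in zones[earlier]["sources"]:
                    if net.subnet_of(ipaddress.ip_network(other, strict=False)):
                        found.append((later, cidr, earlier, other))
    return found


if __name__ == "__main__":
    host = "10.0.249.25"  # stand-in for the poster's a.b.249.25
    print("name order    :", zone_by_name_order(ZONES, host),
          "ssh:", ssh_allowed(ZONES, host))
    print("longest prefix:", zone_by_longest_prefix(ZONES, host),
          "ssh:", ssh_allowed(ZONES, host, zone_by_longest_prefix))
    fixed = rename_zone(ZONES, "internal", "Z_internal")
    print("after rename  :", zone_by_name_order(fixed, host),
          "ssh:", ssh_allowed(fixed, host))
    for row in shadowed_sources(ZONES):
        print("shadowed:", row)
```

Run as-is, the model lands 10.0.249.25 in internal (ntp only, so no SSH), the longest-prefix rule would land it in trusted, and the rename moves it to trusted under the name-order rule. The audit shows the same ordering shadowing all four trusted hosts and both work subnets behind the /16, which is worth checking for in the opposite direction as well: a broad zone that sorts early and is more permissive than the narrower zones inside it widens access rather than cutting it off. On a real host, verify the binding that actually took effect with `firewall-cmd --get-zone-of-source=<address>` and `firewall-cmd --get-active-zones` after the change.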