Dear Eric,
thanks for your answers.
On Thursday, 8 November 2018 10:34:53 Eric Garver wrote:
On Tue, Nov 06, 2018 at 10:49:28PM +0100, Hans-Peter Jansen wrote:
On Tuesday, 6 November 2018 19:24:09 Hans-Peter Jansen wrote:
What I still don't grok is the relationship between the different zones, and how overlapping and non-overlapping rules are handled?!?
Overlapping zones by sources is undefined. You should avoid creating zones with overlapping "sources".
Interfaces may only be bound to a _single_ zone.
Okay, things clear up.
This is what I have now:
$ firewall-cmd --get-default-zone
external

$ firewall-cmd --get-active-zones
external
  interfaces: eth0
voip
  sources: 172.16.123.0/24 213.167.161.0/26 213.167.162.0/26

$ firewall-cmd --zone=external --permanent --list-all
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services:
  ports: 22/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="172.16.123.0/24" service name="http" accept
        rule family="ipv4" source address="172.16.123.0/24" port port="4559" protocol="tcp" accept
        rule family="ipv4" source address="172.16.123.0/24" port port="19150" protocol="tcp" accept

$ firewall-cmd --zone=voip --permanent --list-all
voip (active)
  target: default
  icmp-block-inversion: no
  interfaces:
  sources: 172.16.123.0/24 213.167.161.0/26 213.167.162.0/26
  services:
  ports: 10000-10099/udp 15060/udp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Now, this behaves how I would like it to, but I do have some overlapping sources, once in voip and once in the external rich rules, and the whole thing starts to feel like I'm misusing the zone concept again.
But hopefully this demonstrates what I'm after.
I'm about to combine these zones into external, using more rich rules similar to those I'm using already, and changing the external target to drop.
Is that considered good practice?
Thanks, Pete
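One way to carry out the consolidation Pete describes (fold the voip zone into external as rich rules, then set external's target to DROP), as an added example that is not part of the thread. The zone names, sources and ports are the ones listed above; the script itself and its APPLY switch are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: fold the "voip" zone into "external"
# as rich rules, then set external's target to DROP. Zone names, sources and
# ports are the ones from the thread; the script and its APPLY switch are
# hypothetical. Without APPLY=1 it only prints the firewall-cmd calls.

ZONE=external
VOIP_SOURCES="172.16.123.0/24 213.167.161.0/26 213.167.162.0/26"
VOIP_PORTS="10000-10099/udp 15060/udp"

# One rich rule accepting PORT/PROTO from SRC, which is what the voip zone's
# "ports:" line did implicitly for every address in its "sources:".
voip_rule() {
    src=$1; port=${2%/*}; proto=${2#*/}
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="%s" accept' \
        "$src" "$port" "$proto"
}

# Print the plan. Order matters: the voip zone must be gone before the
# reload, otherwise its "sources:" binding still steers that traffic into
# voip and the new rich rules in external never see it.
plan() {
    for src in $VOIP_SOURCES; do
        for p in $VOIP_PORTS; do
            printf "firewall-cmd --permanent --zone=%s --add-rich-rule='%s'\n" \
                "$ZONE" "$(voip_rule "$src" "$p")"
        done
    done
    echo "firewall-cmd --permanent --delete-zone=voip"
    echo "firewall-cmd --permanent --zone=$ZONE --set-target=DROP"
    echo "firewall-cmd --reload"
}

if [ "${APPLY:-0}" = 1 ]; then
    plan | sh -e        # run the planned commands, stop at the first failure
else
    plan                # dry run: review the commands before applying
fi
```

Because 22/tcp stays in external's ports line, SSH remains reachable from anywhere on eth0; with target DROP, everything arriving on eth0 that matches neither that port nor a rich rule is dropped silently instead of rejected.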