Dear Eric,
thanks for your answers.
On Thursday, 8. November 2018 10:34:53 Eric Garver wrote:
> On Tue, Nov 06, 2018 at 10:49:28PM +0100, Hans-Peter Jansen wrote:
> > On Tuesday, 6. November 2018 19:24:09 Hans-Peter Jansen wrote:
> >
> > What I still do not grok is the relationship between the different zones, and
> > how overlapping and non-overlapping rules are handled?!?
>
> Overlapping zones by sources is undefined. You should avoid creating
> zones with overlapping "sources".
>
> Interfaces may only be bound to a _single_ zone.
Okay, things clear up.
This is what I have now:

$ firewall-cmd --get-default-zone
external
$ firewall-cmd --get-active-zones
external
  interfaces: eth0
voip
  sources: 172.16.123.0/24 213.167.161.0/26 213.167.162.0/26
$ firewall-cmd --zone=external --permanent --list-all
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services:
  ports: 22/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="172.16.123.0/24" service name="http" accept
        rule family="ipv4" source address="172.16.123.0/24" port port="4559" protocol="tcp" accept
        rule family="ipv4" source address="172.16.123.0/24" port port="19150" protocol="tcp" accept
$ firewall-cmd --zone=voip --permanent --list-all
voip (active)
  target: default
  icmp-block-inversion: no
  interfaces:
  sources: 172.16.123.0/24 213.167.161.0/26 213.167.162.0/26
  services:
  ports: 10000-10099/udp 15060/udp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Now, this behaves how I would like it to, but I do have some overlapping
sources, once in voip and again in the external rich rules, and the whole
thing starts to feel like I'm misusing the zone concept again.

But hopefully this demonstrates what I'm after.

I'm about to combine these zones into external, using more rich rules
similar to those I'm using already, and changing the external target
to drop.

Is that considered good practice?
Thanks,
Pete
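The merge Pete describes above, written out as an added example (this is not code from the thread or from the firewalld project). It assumes the zone names, interface, sources and ports exactly as shown in his listing. Two practitioner caveats drive the shape of it: firewalld dispatches a packet to a zone by its source address before it considers the ingress interface, so while "voip" owns 172.16.123.0/24 the three rich rules in "external" for that same source are never consulted; and switching the target to DROP turns "external" into default-deny, so every opening that is still wanted must exist as an explicit accept before the reload. The script only prints the firewall-cmd invocations unless you pipe them into a shell, which keeps it safe to review first and lets the steps be checked without a firewalld host.

```shell
#!/bin/sh
# Added example, not from the original thread: fold the source-bound "voip"
# zone into the interface-bound "external" zone, then make "external"
# default-deny. Values below are taken from the listing in the thread.
VOIP_SOURCES="172.16.123.0/24 213.167.161.0/26 213.167.162.0/26"
VOIP_UDP_PORTS="10000-10099 15060"   # ranges are valid in rich-rule port=

# Print the permanent-configuration changes in the order they must happen.
merge_commands() {
    # 1. Remove the source bindings: a source bound to a zone takes
    #    precedence over the interface binding, so as long as "voip" holds
    #    these sources the rich rules in "external" never see their traffic.
    #    "voip" is a custom zone, so it can be deleted outright.
    echo "firewall-cmd --permanent --delete-zone=voip"

    # 2. Default-deny for everything not explicitly accepted. Existing
    #    accept entries (22/tcp, the three ipv4 rich rules) keep working.
    echo "firewall-cmd --permanent --zone=external --set-target=DROP"

    # 3. Re-create the voip openings as source-restricted rich rules, so the
    #    UDP ports stay closed to the rest of the internet behind eth0.
    for src in $VOIP_SOURCES; do
        for port in $VOIP_UDP_PORTS; do
            echo "firewall-cmd --permanent --zone=external --add-rich-rule='rule family=\"ipv4\" source address=\"$src\" port port=\"$port\" protocol=\"udp\" accept'"
        done
    done

    # 4. Activate the permanent configuration.
    echo "firewall-cmd --reload"
}

# Commands to confirm the result after the reload: every one of the former
# voip sources must now resolve to "external" via eth0, and the rich-rule
# list must contain the six new UDP accepts next to the three TCP ones.
verify_commands() {
    echo "firewall-cmd --get-zone-of-interface=eth0"
    for src in $VOIP_SOURCES; do
        echo "firewall-cmd --get-zone-of-source=$src"
    done
    echo "firewall-cmd --zone=external --list-rich-rules"
}

# Apply for real only when explicitly asked; "sh -e" stops at the first
# failing firewall-cmd so a half-applied permanent config is not reloaded.
apply_merge() {
    merge_commands | sh -e
}

# Usage:
#   sh merge.sh            # review the commands
#   FIREWALL_APPLY=1 sh merge.sh   # run them (as root, on the firewalld host)
if [ "${FIREWALL_APPLY:-0}" = "1" ]; then
    apply_merge && verify_commands | sh -e
else
    merge_commands
    verify_commands
fi
```

Note that "--delete-zone" is preferred over "--remove-source" here because Eric's point was that interfaces and sources should not both claim the same traffic; leaving an empty "voip" zone around invites someone to re-add a source to it later. If the voip sources are expected to grow, a single ipset referenced as source ipset="..." in each rich rule keeps the rule count at two instead of two per network.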