Re: Dynamically block certain ip addresses

Dear Eric, thanks for your answers. On Donnerstag, 8. November 2018 10:34:53 Eric Garver wrote: Okay, things clear up. This is, what I have now: $ firewall-cmd --get-default-zone external $ firewall-cmd --get-active-zones external interfaces: eth0 voip sources: 172.16.123.0/24 213.167.161.0/26 213.167.162.0/26 $ firewall-cmd --zone=external --permanent --list-all external (active) target: default icmp-block-inversion: no interfaces: eth0 sources: services: ports: 22/tcp protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: rule family="ipv4" source address="172.16.123.0/24" service name="http" accept rule family="ipv4" source address="172.16.123.0/24" port port="4559" protocol="tcp" accept rule family="ipv4" source address="172.16.123.0/24" port port="19150" protocol="tcp" accept $ firewall-cmd --zone=voip --permanent --list-all voip (active) target: default icmp-block-inversion: no interfaces: sources: 172.16.123.0/24 213.167.161.0/26 213.167.162.0/26 services: ports: 10000-10099/udp 15060/udp protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: Now, this behaves, how I would like it to, but I do have some overlapping sources, once in voip, and those in the external rich rules, and the whole thing starts to feel like I'm misusing the zones concepts again. But hopefully, this demonstrates, what I'm after. I'm about to combine these zones into external, using more rich rules, similar to those, that I'm using already, and changing the external target to drop. Is that considered good practice? Thanks, Pete