On 8/19/2017 3:42 AM, Kenneth Porter wrote:
> Instead of a direct rule, create a zone that drops always and specify
> that zone's source as the ipset.
I've discovered a problem with this, and I think it's involved with
firewalld's definition of "source".
On my gateway I created an ipset of address blocks that should not be
allowed to connect to my gateway and added it as a source to a drop
zone. (Outbound connections to those addresses should be allowed.) The
firewall is now dropping all packets from internal clients to external
clients in this range. I.e. packets in which the destination address, not
the source address, is in the ipset!
What does firewalld mean by "source"? Doesn't it mean that the address
is only checked in the source field?
I'm using firewalld-0.4.4.4-6.el7.noarch in CentOS 7.
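The configuration described in this message, followed by a check of which packet field the generated rules actually test, as an added example (not part of the thread and not firewalld's own code). The ipset name `blocklist`, the address blocks, and the sample `iptables -S` output are constructed; the thread does not say what rules firewalld emitted on the poster's gateway, and this example does not claim to explain the behaviour, it only shows how to inspect it.

```shell
#!/bin/sh
# Added example. Assumed names: ipset "blocklist"; the address blocks are
# documentation ranges, not real blocked networks.

# Step 1: the setup the message describes, as firewall-cmd calls. This is not
# run by the audit functions below; use it on a test gateway.
configure_blocklist() {
    firewall-cmd --permanent --new-ipset=blocklist --type=hash:net
    firewall-cmd --permanent --ipset=blocklist --add-entry=192.0.2.0/24
    firewall-cmd --permanent --ipset=blocklist --add-entry=198.51.100.0/24
    firewall-cmd --permanent --zone=drop --add-source=ipset:blocklist
    firewall-cmd --reload
}

# Step 2: audit the rules firewalld generated. Reads `iptables -S` output on
# stdin and prints every rule that matches the named ipset with a "dst" flag,
# i.e. rules that test the packet's destination address rather than its source.
rules_matching_set_as_dst() {
    set_name="$1"
    grep -- "--match-set $set_name " | awk -v name="$set_name" '
        {
            for (i = 1; i < NF; i++) {
                # token layout: --match-set <name> <flags>, e.g. "src" or "dst"
                if ($i == "--match-set" && $(i + 1) == name && $(i + 2) ~ /dst/)
                    print
            }
        }'
}

# Number of destination-matching rules for the set; 0 means the set is only
# ever tested against the packet's source field.
count_dst_matches() {
    rules_matching_set_as_dst "$1" | wc -l | tr -d ' '
}

# Constructed sample of `iptables -S` output (hypothetical, not captured from
# the poster's gateway). Chain names follow firewalld's zone chain naming.
SAMPLE_RULES='-A INPUT_ZONES -m set --match-set blocklist src -g IN_drop
-A FORWARD_IN_ZONES -m set --match-set blocklist src -g FWDI_drop
-A FORWARD_OUT_ZONES -m set --match-set blocklist dst -g FWDO_drop
-A INPUT_ZONES -i eth0 -g IN_public'

# Usage on a live gateway:  iptables -S | rules_matching_set_as_dst blocklist
# Against the constructed sample, the FORWARD_OUT_ZONES line is reported.
printf '%s\n' "$SAMPLE_RULES" | rules_matching_set_as_dst blocklist
```

Run it against `iptables -S` on the gateway; any rule printed is one where forwarded traffic is selected by its destination, which is the situation the message reports.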