On 8/19/2017 3:42 AM, Kenneth Porter wrote:
Instead of a direct rule, create a zone that drops always and specify that zone's source as the ipset.
I've discovered a problem with this, and I think it's involved with firewalld's definition of "source".
On my gateway I created an ipset of address blocks that should not be allowed to connect to my gateway and added it as a source to a drop zone. (Outbound connections to those addresses should be allowed.) The firewall is now dropping all packets from internal clients to external clients in this range. Ie. packets in which the destination address, not the source address, is in the ipset!
What does firewalld mean by "source"? Doesn't it mean that the address is only checked in the source field?
I'm using firewalld-0.4.4.4-6.el7.noarch in CentOS 7.