On 11/6/2018 10:24 AM, Hans-Peter Jansen wrote:
Unfortunately, I still haven't figured out how to limit a certain service to a couple of source addresses, namely I would like to accept connections on 15060/udp from internal and selected external sources only: e.g. 172.16.123.0/24 and 213.167.161.0/26. It might be possible with ipsets, but no example shows how to use that as a white list with the destination port requirement.
I have this in direct.xml:
<passthrough ipv="ipv4">-I INPUT 1 -p tcp -m multiport --dports ssh,submission,465,pop3,pop3s,imap,imaps,sieve -m set --match-set BanList src -m conntrack --ctstate NEW -j DROP</passthrough>
BanList is the ipset list of address blocks not allowed to use my authenticated services. Create the ipset first using firewall-cmd or by creating /etc/firewalld/ipsets/BanList.xml with suitable contents.
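The reply above shows the ban-list direction; the question asked for the opposite, a white list keyed on a destination port. The following is an added shell example, not code from either poster, that turns the same building blocks (an ipset of networks plus a direct passthrough rule) into an allow list: it writes the ipset definition in the XML form firewalld reads from /etc/firewalld/ipsets/<name>.xml and prints the matching direct.xml passthrough line. The set name AllowSIP is an assumption; the port 15060/udp and the two networks come from the question. The target directory is taken from $OUT_DIR so the script can be tried in a scratch directory before touching /etc/firewalld.

```shell
#!/bin/sh
# Added example: build a firewalld ipset allow list for one service port.
# Set name "AllowSIP" is assumed; port and networks are from the list thread.

# Emit an ipset definition (hash:net) in firewalld's XML format.
# Usage: ipset_xml NAME NET [NET...]
ipset_xml() {
    name=$1; shift
    printf '<?xml version="1.0" encoding="utf-8"?>\n'
    printf '<ipset type="hash:net">\n'
    printf '  <short>%s</short>\n' "$name"
    for net in "$@"; do
        printf '  <entry>%s</entry>\n' "$net"
    done
    printf '</ipset>\n'
}

# Emit the passthrough rule body for direct.xml: drop packets to PORT/PROTO
# whose source is NOT in the set. The '!' negates the ipset match, which is
# what turns a ban list into a white list. Inserted at position 1 so it is
# evaluated before any zone rules that might accept the port.
# Usage: whitelist_rule SETNAME PROTO PORT
whitelist_rule() {
    set_name=$1; proto=$2; port=$3
    printf '%s\n' "-I INPUT 1 -p $proto --dport $port -m set ! --match-set $set_name src -j DROP"
}

# Write the ipset file into DIR and print the direct.xml line to wrap in
# <passthrough ipv="ipv4">...</passthrough>. Nothing is applied to a live
# firewall here; reload firewalld afterwards to pick the files up.
# Usage: write_allowlist DIR SETNAME PROTO PORT NET [NET...]
write_allowlist() {
    dir=$1; name=$2; proto=$3; port=$4; shift 4
    mkdir -p "$dir"
    ipset_xml "$name" "$@" > "$dir/$name.xml"
    whitelist_rule "$name" "$proto" "$port"
}

# The same result via firewall-cmd instead of hand-written files (shown, not run):
#   firewall-cmd --permanent --new-ipset=AllowSIP --type=hash:net
#   firewall-cmd --permanent --ipset=AllowSIP --add-entry=172.16.123.0/24
#   firewall-cmd --permanent --ipset=AllowSIP --add-entry=213.167.161.0/26
#   firewall-cmd --permanent --direct --add-passthrough ipv4 \
#       -I INPUT 1 -p udp --dport 15060 -m set ! --match-set AllowSIP src -j DROP
#   firewall-cmd --reload

if [ "${1:-}" = "--demo" ]; then
    write_allowlist "${OUT_DIR:-/etc/firewalld/ipsets}" AllowSIP udp 15060 \
        172.16.123.0/24 213.167.161.0/26
fi
```

Run with `OUT_DIR=/tmp/ipsets sh allowlist.sh --demo` to inspect the generated AllowSIP.xml and rule before installing them. The ipset must exist before the direct rule is loaded, which is why the set file is written first; after `firewall-cmd --reload`, `firewall-cmd --ipset=AllowSIP --get-entries` and `firewall-cmd --direct --get-all-passthroughs` confirm both halves are in place.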