Dear All,
I am new to firewalld, so I probably do not understand everything yet.
I have a firewall with 3 interfaces: external connected to the WAN,
internal connected to the LAN, and dmz connected to a server which hosts a web
server and a mail server (fixed IP 192.168.8.3).
The firewalld configuration is as follows:
firewall-cmd --zone=internal --list-all
internal (active)
target: default
icmp-block-inversion: no
interfaces: enx000ec68f6b7d
sources:
services: dhcp dhcpv6-client dns http https imap imaps mdns nfs ntp pop3 pop3s smtp smtps ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
firewall-cmd --zone=external --list-all
external (active)
target: default
icmp-block-inversion: no
interfaces: enxb827ebe2899e
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports: port=80:proto=tcp:toport=:toaddr=192.168.8.3
port=443:proto=tcp:toport=:toaddr=192.168.8.3
port=143:proto=tcp:toport=:toaddr=192.168.8.3
port=993:proto=tcp:toport=:toaddr=192.168.8.3
port=995:proto=tcp:toport=:toaddr=192.168.8.3
port=110:proto=tcp:toport=:toaddr=192.168.8.3
port=25:proto=tcp:toport=:toaddr=192.168.8.3
port=465:proto=tcp:toport=:toaddr=192.168.8.3
port=587:proto=tcp:toport=:toaddr=192.168.8.3
source-ports:
icmp-blocks:
rich rules:
firewall-cmd --zone=dmz --list-all
dmz (active)
target: default
icmp-block-inversion: no
interfaces: enx00e04c36084a
sources:
services: dhcp dns ntp ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
From a computer in the LAN, I can ping the DMZ server but I cannot ssh
into it.
FINAL_REJECT: IN=enx000ec68f6b7d OUT=enx00e04c36084a
MAC=00:0e:c6:8f:6b:7d:30:85:a9:0e:22:56:08:00 SRC=192.168.65.14
DST=192.168.8.3 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=32158 DF PROTO=TCP
SPT=32770 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
If I turn off firewalld I can ssh into it. This means I have made a
mistake in my configuration, but I have not found it.
After reading the docs and trying different things, including a rich rule like
firewall-cmd --zone=internal --add-rich-rule='rule family="ipv4" source
address="192.168.65.0/24" accept'
I am still stuck.
Could someone point me in the right direction?
--
Jack.R
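As an added diagnostic example (not from the post and not part of firewalld), the script below maps a FINAL_REJECT line back to the zone pair it was crossing, using the interface names from the three zone listings above; it assumes only POSIX sh and sed. Applied to the logged packet, it shows the SSH SYN was being forwarded from the internal zone to the dmz zone rather than delivered to the firewall host, which is the path the zones' services lists do not govern.

```shell
#!/bin/sh
# Added example (not from the post or from firewalld): map a FINAL_REJECT kernel
# log line back to the zone pair it crossed, using the interface names from the
# three zone listings above. Requires only POSIX sh and sed; it changes nothing.

# Interface -> zone map, copied from the --list-all output in the post.
zone_of() {
    case "$1" in
        enx000ec68f6b7d) echo internal ;;
        enxb827ebe2899e) echo external ;;
        enx00e04c36084a) echo dmz ;;
        '')              echo - ;;        # OUT= is empty when the packet was for the host itself
        *)               echo unknown ;;
    esac
}

# Pull one KEY=value field out of a netfilter log line (prints an empty line if the value is empty).
field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# Print "<path>:<zones>:<proto>/<dport>", where path is "input" (packet addressed to
# the firewall host, filtered by the zone's services/ports) or "forward" (packet routed
# between two zones, which the zone services lists do not cover).
classify_reject() {
    in_if=$(field IN "$1")
    out_if=$(field OUT "$1")
    proto=$(field PROTO "$1")
    dport=$(field DPT "$1")
    if [ -z "$out_if" ]; then
        printf 'input:%s:%s/%s\n' "$(zone_of "$in_if")" "$proto" "$dport"
    else
        printf 'forward:%s->%s:%s/%s\n' "$(zone_of "$in_if")" "$(zone_of "$out_if")" "$proto" "$dport"
    fi
}

# The rejected SSH SYN quoted in the post, folded back onto one line.
SAMPLE='FINAL_REJECT: IN=enx000ec68f6b7d OUT=enx00e04c36084a MAC=00:0e:c6:8f:6b:7d:30:85:a9:0e:22:56:08:00 SRC=192.168.65.14 DST=192.168.8.3 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=32158 DF PROTO=TCP SPT=32770 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0'

# On a live box: journalctl -k | grep FINAL_REJECT | while read -r l; do classify_reject "$l"; done | sort | uniq -c
classify_reject "$SAMPLE"   # forward:internal->dmz:TCP/22
```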