Hello,

This is a centos 7 system sitting out in front of a firewall for...reasons.

it has one ethernet port and one ip address, non rfc1918. i am making changes on the commandline console.

First, my ultimate goal is the following connection policy:
zone=drop
allow inbound traffic to ssh port ONLY from a known set of ip addresses.
allow all traffic to a set of udp/tcp ports.

So if I use "zone=drop" only, I am not allowed to connect via the network in any way.
firewall-cmd --zone=drop
-- this is good

if i add the ssh service to zone=drop, i am able to login. From anywhere.
firewall-cmd --permanent --zone=drop --add-service=ssh
firewall-cmd --complete-reload
-- this matches expected behaviour

BUT: if I try to add the following, I am still able to ssh in from anywhere.
firewall-cmd --permanent --zone=drop --add-source=<my company address>
firewall-cmd --complete-reload

The output of firewall-cmd --list-all shows:

drop (active)
target: DROP
icmp-block-inversion: no
interfaces: ens192
sources: <my company address>
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports;
icmp-blocks:
rich rules:


I was under the impression that the "--add-source" stanza implied connections to services on this zone were going to be allowed and all others blocked.

am I wrong?

I have even tried using a rich rule: "rule family=ipv4 service name=ssh source <company ip> accept"
but this still allows anyone to ssh into this system.

I am probably going to try a --direct rule injection into iptables.

Thank you for your time

--jason