centos 7 firewalld not selectively allowing traffic into ssh
Hello,
This is a centos 7 system sitting out in front of a firewall for...reasons.
It has one Ethernet port and one IP address, non-RFC1918. I am making changes on the command-line console.
First, my ultimate goal is the following connection policy:
zone=drop
allow inbound traffic to ssh port ONLY from a known set of ip addresses.
allow all traffic to a set of udp/tcp ports.
So if I use "zone=drop" only, I am not allowed to connect via the network in any way.
firewall-cmd --zone=drop
-- this is good
If I add the ssh service to zone=drop, I am able to log in. From anywhere.
firewall-cmd --permanent --zone=drop --add-service=ssh
firewall-cmd --complete-reload
-- this matches expected behaviour
BUT: if I try to add the following, I am still able to ssh in from anywhere.
firewall-cmd --permanent --zone=drop --add-source=<my company address>
firewall-cmd --complete-reload
The output of firewall-cmd --list-all shows:
drop (active)
target: DROP
icmp-block-inversion: no
interfaces: ens192
sources: <my company address>
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
I was under the impression that the "--add-source" stanza implied connections to services on this zone were going to be allowed and all others blocked.
Am I wrong?
I have even tried using a rich rule: "rule family=ipv4 service name=ssh source <company ip> accept"
but this still allows anyone to ssh into this system.
I am probably going to try a --direct rule injection into iptables.
Thank you for your time
--jason
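Added example, not part of jason's post: a small Python model of firewalld's zone dispatch (source bindings are checked before interface bindings, and a zone then admits only its listed services and ports unless its target is ACCEPT), run against the configuration as posted and against a corrected split where the interface and the trusted sources live in different zones. The 203.0.113.0/24 address, the "mgmt" zone name and the public port numbers are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass, field

# Service -> ports table; firewalld reads this from its XML service definitions.
SERVICE_PORTS = {"ssh": {("tcp", 22)}}

@dataclass
class Zone:
    name: str
    target: str = "default"         # "ACCEPT", "DROP", or "default" (reject unmatched)
    interfaces: set = field(default_factory=set)
    sources: list = field(default_factory=list)   # ip_network objects
    services: set = field(default_factory=set)
    ports: set = field(default_factory=set)       # (proto, port) tuples

    def permits(self, proto, port):
        """Traffic passes a zone if its target is ACCEPT or the port is listed."""
        allowed = set(self.ports).union(*(SERVICE_PORTS[s] for s in self.services))
        return self.target == "ACCEPT" or (proto, port) in allowed

def select_zone(zones, src_ip, iface):
    """firewalld dispatch order: source bindings first, then interface bindings."""
    ip = ipaddress.ip_address(src_ip)
    for z in zones:
        if any(ip in net for net in z.sources):
            return z
    for z in zones:
        if iface in z.interfaces:
            return z
    return None  # real firewalld would fall through to the default zone

def accepted(zones, src_ip, iface, proto, port):
    z = select_zone(zones, src_ip, iface)
    return z is not None and z.permits(proto, port)

# Constructed placeholders for "<my company address>" and the public ports.
COMPANY = [ipaddress.ip_network("203.0.113.0/24")]
PUBLIC_PORTS = {("tcp", 8443), ("udp", 5000)}

# As posted: ens192 and the company source are both bound to drop, and drop lists
# ssh, so every packet arriving on ens192 is judged by a zone that allows ssh.
AS_POSTED = [Zone("drop", "DROP", {"ens192"}, COMPANY, {"ssh"}, set())]
# Fixed: drop keeps the interface and only the public ports; a separate zone
# (hypothetical name "mgmt", created with firewall-cmd --permanent --new-zone=mgmt)
# holds the company source and is the only zone listing ssh. It must also list the
# public ports, because a source-matched packet never falls through to drop.
FIXED = [
    Zone("mgmt", "default", set(), COMPANY, {"ssh"}, PUBLIC_PORTS),
    Zone("drop", "DROP", {"ens192"}, [], set(), PUBLIC_PORTS),
]
```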