On Monday, November 16, 2020, 02:34:02 PM EST, Eric Garver <egarver@redhat.com> wrote:
On Mon, Nov 16, 2020 at 07:22:43PM +0000, Steve Frazier wrote:
> Eric,
> I wanted to make sure I understand what you are suggesting below:
> 1. Are you saying to delete all files under /etc/firewalld ?
>    a. or just firewalld.conf and/or lockdown-whitelist.xml?
Delete the files in the directories, e.g. /etc/firewalld/zones/*.xml
Do _NOT_ delete firewalld.conf or lockdown-whitelist.xml.
>
> 2. Then run the following commands to block out all traffic:
>
> firewall-cmd --set-default-zone=block
>
> Will this "DROP" all traffic vs. "REJECT"?
Correct. DROP.
> firewall-cmd --permanent --zone trusted --add-source <ip_address>
> firewall-cmd --reload
> This will allow all access to all ports from whatever IP address that I add?
Yes. That's what you said you wanted.
> If I also would want to allow pings from anywhere what would I use there?
It would allow ping from those source IPs.
> If I want to allow say ftp from only an IP address would it be added to trusted as well and how would I do that?
You can create a special zone for the IP address. Or use a rich rule.
e.g.
# firewall-cmd --zone <zone> --add-rich-rule='rule family=ipv4 source address="<addr>" service name="ftp" accept'
> I think that will do it for now, thanks again for your help and time.
> Steve
>
>
>
> On Monday, November 16, 2020, 12:30:07 PM EST, Eric Garver <egarver@redhat.com> wrote:
>
> On Mon, Nov 16, 2020 at 02:56:42PM +0000, Steve Frazier wrote:
> > I come from iptables (didn't know it well but enough to get by). I am trying to learn firewalld now which appears to be much more powerful.
> > First of all I need some help, please.
> > I would like to remove all the rules and zones since I have probably messed up my installation so far and do the following:
>
> You can remove the user configuration files in the directories
> `/etc/firewalld/*/`. Do _NOT_ delete the firewalld.conf or lockdown-whitelist.xml files.
>
> > I would like to "DROP" all outside traffic I would then like to only allow all ports from (2) two IP addresses.
> > Could someone explain to me how to do this.
>
> 1. Make "block" or "reject" the default zone.
>
>     # firewall-cmd --set-default-zone=block
>
> 2. Then add your allowlist IPs to the trusted zone which allows
>    everything.
>
>     # firewall-cmd --permanent --zone trusted --add-source <ip_address>
>     # firewall-cmd --reload
>
> > My configuration only has:
> > (1) one public IP Address (ens3)
> > Thanks in advance.
> > Also, is there a good tutorial that would walk me through learning firewalld? Thanks again for this as well.
> > Have a great day.
>
> The upstream website has some documentation:
>
>     https://firewalld.org/documentation/
>
> _______________________________________________
> firewalld-users mailing list -- firewalld-users@lists.fedorahosted.org
> To unsubscribe send an email to firewalld-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedorahosted.org
_______________________________________________
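The procedure discussed in this thread (default zone, trusted-zone allowlist, one service from one address via a dedicated zone, then reload and verify) as an added, dry-runnable POSIX shell script; it is example code, not code from the thread or from the firewalld project. The FWCMD and DEFAULT_ZONE variables and the "<service>-only" zone name are assumptions introduced here, and the only firewall-cmd options used are ones that exist upstream.

```shell
#!/bin/sh
# Added example, not from the thread: apply the allowlist-only policy it
# describes, making every change --permanent and then reloading once.
# FWCMD is an assumed hook so the script can be dry-run with FWCMD=echo.
set -eu

FWCMD="${FWCMD:-firewall-cmd}"

# Zone for traffic from everyone not allowlisted. firewalld's "block" zone
# (the thread's choice) REJECTs with an ICMP prohibited message; its "drop"
# zone discards silently, so use DEFAULT_ZONE=drop if that is what you need.
DEFAULT_ZONE="${DEFAULT_ZONE:-block}"

# Allowlist: each address goes into the built-in "trusted" zone, which accepts
# everything (ping included) from those sources.
allow_all_from() {
    for addr in "$@"; do
        $FWCMD --permanent --zone=trusted --add-source="$addr"
    done
}

# One service from one address only: a dedicated zone (the "special zone"
# option in the thread) bound to that source, with just that service added.
# Source-bound zones are matched before the interface's zone, so the address
# gets nothing else. The "<service>-only" zone name is a constructed convention.
allow_service_from() {
    service="$1"; addr="$2"; zone="${service}-only"
    # create the zone only once, so the script can be re-run safely
    $FWCMD --permanent --get-zones | grep -qw "$zone" \
        || $FWCMD --permanent --new-zone="$zone"
    $FWCMD --permanent --zone="$zone" --add-source="$addr"
    $FWCMD --permanent --zone="$zone" --add-service="$service"
}

# Apply: default zone, allowlist, reload, then print every zone so you can
# verify that only the intended sources and services are open.
apply_policy() {
    $FWCMD --set-default-zone="$DEFAULT_ZONE"   # changes runtime and permanent
    allow_all_from "$@"
    $FWCMD --reload
    $FWCMD --list-all-zones
}

# Usage with constructed documentation addresses (RFC 5737):
#   allow_service_from ftp 203.0.113.7
#   apply_policy 192.0.2.10 192.0.2.11
```

Run it first with `FWCMD=echo` to review the exact commands, then without it on the firewalld host; `--list-all-zones` at the end is the check that nothing beyond the allowlist is open.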