Perfect, thanks again Eric.

Steve


On Monday, November 16, 2020, 02:34:02 PM EST, Eric Garver <egarver@redhat.com> wrote:


On Mon, Nov 16, 2020 at 07:22:43PM +0000, Steve Frazier wrote:
> Eric,
> I wanted to make sure I understand what you are suggesting below:
> 1. Are you saying to delete all files under /etc/firewalld?
>    a. or just firewalld.conf and/or lockdown-whitelist.xml?

Delete the files in the directories, e.g. /etc/firewalld/zones/*.xml

Do _NOT_ delete firewalld.conf or lockdown-whitelist.xml.

>
> 2.  Then run the following commands to block out all traffic:
>
>  firewall-cmd --set-default-zone=block
>
> Will this "DROP" all traffic vs. "REJECT"?

Correct. DROP.

> firewall-cmd --permanent --zone trusted --add-source <ip_address>
> firewall-cmd --reload
> This will allow all access to all ports from whatever IP address that I add?

Yes. That's what you said you wanted.

> If I also would want to allow pings from anywhere what would I use there?

It would allow ping from those source IPs.

> If I want to allow say ftp from only an IP address would it be added to trusted as well and how would I do that?

You can create a special zone for the IP address. Or use a rich rule.
e.g.

    # firewall-cmd --zone <zone> --add-rich-rule='rule family=ipv4 source address="<addr>" service name="ftp" accept'

> I think that will do it for now, thanks again for your help and time.
> Steve
>
>
>
> On Monday, November 16, 2020, 12:30:07 PM EST, Eric Garver <egarver@redhat.com> wrote:
>
> On Mon, Nov 16, 2020 at 02:56:42PM +0000, Steve Frazier wrote:
> > I come from iptables (didn't know it well but enough to get by).  I am trying to learn firewalld now which appears to be much more powerful.
> > First of all I need some help, please.
> > I would like to remove all the rules and zones since I have probably messed up my installation so far and do the following:
>
> You can remove the user configuration files in the directories
> `/etc/firewalld/*/`. Do not delete the firewalld.conf or lockdown-whitelist.xml files.
>
> > I would like to "DROP" all outside traffic. I would then like to only allow all ports from (2) two IP addresses.
> > Could someone explain to me how to do this?
>
> 1. Make "block" or "reject" the default zone.
>
>     # firewall-cmd --set-default-zone=block
>
> 2. Then add your allowlist IPs to the trusted zone which allows
>   everything.
>
>     # firewall-cmd --permanent --zone trusted --add-source <ip_address>
>     # firewall-cmd --reload
>
> > My configuration only has:
> > (1) one public IP Address (ens3)
> > Thanks in advance.
> > Also, is there a good tutorial that would walk me through learning firewalld?  Thanks again for this as well.
> > Have a great day.
>
> The upstream website has some documentation:
>
>     https://firewalld.org/documentation/
>


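The lockdown Eric describes (default zone "block", allowlisted sources in "trusted", a rich rule for a single service), as an added shell example that is not code from the thread or from firewalld itself. The FIREWALL_CMD hook, the helper names and the 192.0.2.x addresses are assumptions so the sequence can be dry-run before it touches a host.

```shell
#!/bin/sh
# Added example, not from the thread: the lockdown Eric describes (default
# zone "block", allowlisted sources in "trusted", an optional per-service
# rich rule) with input validation and a check of the resulting state.
# FIREWALL_CMD is an assumed hook so the sequence can be dry-run first.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Accept a dotted-quad IPv4 address with optional /prefix; reject anything
# else so only checked values reach the firewall-cmd argument list.
valid_ipv4() {
    case "$1" in
        *[!0-9./]*|*..*|.*|*.|/*|*/) return 1 ;;
    esac
    addr="${1%%/*}"
    if [ "$addr" != "$1" ]; then
        prefix="${1#*/}"
        case "$prefix" in *[!0-9]*) return 1 ;; esac
        [ "$prefix" -le 32 ] || return 1
    fi
    n=0; rest="$addr"
    while [ -n "$rest" ]; do          # walk the octets without touching IFS
        octet="${rest%%.*}"
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
        case "$rest" in *.*) rest="${rest#*.}" ;; *) rest='' ;; esac
    done
    [ "$n" -eq 4 ]
}
# Steps 1 and 2 from the thread, then a check of what is actually active.
lockdown_allowlist() {
    for src in "$@"; do
        valid_ipv4 "$src" || { echo "refusing invalid source: $src" >&2; return 1; }
    done
    "$FIREWALL_CMD" --set-default-zone=block || return 1
    for src in "$@"; do
        "$FIREWALL_CMD" --permanent --zone=trusted --add-source="$src" || return 1
    done
    "$FIREWALL_CMD" --reload || return 1
    "$FIREWALL_CMD" --get-default-zone
    "$FIREWALL_CMD" --zone=trusted --list-sources
}
# Eric's rich-rule variant: one service (e.g. ftp) from one source in a zone.
allow_service_from() {
    zone="$1"; svc="$2"; src="$3"
    case "$svc" in ''|*[!a-zA-Z0-9_-]*) return 1 ;; esac
    valid_ipv4 "$src" || return 1
    "$FIREWALL_CMD" --permanent --zone="$zone" \
        --add-rich-rule="rule family=ipv4 source address=\"$src\" service name=\"$svc\" accept" || return 1
    "$FIREWALL_CMD" --reload
}
```

Run with `FIREWALL_CMD=echo` first to see the exact commands that would be issued, then without it as root on the host.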
_______________________________________________
firewalld-users mailing list -- firewalld-users@lists.fedorahosted.org
To unsubscribe send an email to firewalld-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedorahosted.org