I come from iptables (didn't know it well but enough to get by). I am trying to learn firewalld now which appears to be much more powerful. First of all I need some help, please. I would like to remove all the rules and zones since I have probably messed up my installation so far and do the following: I would like to "DROP" all outside traffic. I would then like to only allow all ports from (2) two IP addresses. Could someone explain to me how to do this. My configuration only has: (1) one public IP Address (ens3) Thanks in advance. Also, is there a good tutorial that would walk me through learning firewalld? Thanks again for this as well. Have a great day.
On Mon, Nov 16, 2020 at 02:56:42PM +0000, Steve Frazier wrote:
I come from iptables (didn't know it well but enough to get by). I am trying to learn firewalld now which appears to be much more powerful. First of all I need some help, please. I would like to remove all the rules and zones since I have probably messed up my installation so far and do the following:
You can remove the user configuration files in the directories `/etc/firewalld/*/`. Do not remove the firewalld.conf or lockdown-whitelist.xml files.
I would like to "DROP" all outside traffic. I would then like to only allow all ports from (2) two IP addresses. Could someone explain to me how to do this.
1. Make "block" or "reject" the default zone.
# firewall-cmd --set-default-zone=block
2. Then add your allowlist IPs to the trusted zone which allows everything.
# firewall-cmd --permanent --zone trusted --add-source <ip_address>
# firewall-cmd --reload
My configuration only has: (1) one public IP Address (ens3) Thanks in advance. Also, is there a good tutorial that would walk me through learning firewalld? Thanks again for this as well. Have a great day.
The upstream website has some documentation:
Thanks very much, I will give it a try. I appreciate your help.
Eric, I wanted to make sure I understand what you are suggesting below:
1. Are you saying to delete all files under /etc/firewalld?
 a. or just firewalld.conf and/or lockdown-whitelist.xml?
2. Then run the following commands to block out all traffic:
firewall-cmd --set-default-zone=block
Will this "DROP" all traffic vs. "REJECT"?
firewall-cmd --permanent --zone trusted --add-source <ip_address>
firewall-cmd --reload
This will allow access to all ports from whatever IP address that I add?
If I also would want to allow pings from anywhere, what would I use there?
If I want to allow, say, ftp from only an IP address, would it be added to trusted as well, and how would I do that?
I think that will do it for now, thanks again for your help and time. Steve
On Mon, Nov 16, 2020 at 07:22:43PM +0000, Steve Frazier wrote:
Eric, I wanted to make sure I understand what you are suggesting below:
1. Are you saying to delete all files under /etc/firewalld? a. or just firewalld.conf and/or lockdown-whitelist.xml?
Delete the files in the directories, e.g. /etc/firewalld/zones/*.xml
Do _NOT_ delete firewalld.conf or lockdown-whitelist.xml.
2. Then run the following commands to block out all traffic:
 firewall-cmd --set-default-zone=block
Will this "DROP" all traffic vs. "REJECT"?
Correct. DROP.
firewall-cmd --permanent --zone trusted --add-source <ip_address>
firewall-cmd --reload
This will allow access to all ports from whatever IP address that I add?
Yes. That's what you said you wanted.
If I also would want to allow pings from anywhere what would I use there?
It would allow ping from those source IPs.
If I want to allow say ftp from only an IP address would it be added to trusted as well and how would I do that?
You can create a special zone for the IP address. Or use a rich rule. e.g.
# firewall-cmd --zone <zone> --add-rich-rule='rule family=ipv4 source address="<addr>" service name="ftp" accept'
I think that will do it for now, thanks again for your help and time. Steve
firewalld-users mailing list -- firewalld-users@lists.fedorahosted.org To unsubscribe send an email to firewalld-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedorahos...
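Putting Eric's two replies together into one script, as an added example that is not from the thread or from the firewalld project: it performs the reset he describes (only the files inside the /etc/firewalld subdirectories, never firewalld.conf or lockdown-whitelist.xml), adds the allowlisted addresses to the trusted zone, makes block the default zone, and wraps the rich-rule variant from his second reply. The function names, the FIREWALLD_DIR and DRY_RUN variables and the two RFC 5737 documentation addresses (203.0.113.10 and 198.51.100.7) are assumptions standing in for the real values.

```shell
#!/bin/sh
# Added example, not code from the thread or from the firewalld project:
# Eric's steps as a script with a dry-run switch. FIREWALLD_DIR, DRY_RUN and
# the two RFC 5737 addresses below are assumptions standing in for real values.

FIREWALLD_DIR="${FIREWALLD_DIR:-/etc/firewalld}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print each command instead of executing it

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Step 1: remove the user configuration inside the subdirectories
# (zones/, services/, ipsets/, ...) but leave firewalld.conf and
# lockdown-whitelist.xml, which sit directly in $FIREWALLD_DIR, untouched.
reset_user_config() {
    dir="$1"
    for sub in "$dir"/*/; do
        [ -d "$sub" ] || continue
        for f in "$sub"*; do
            if [ -f "$f" ]; then
                run rm -f -- "$f"
            fi
        done
    done
    return 0
}

# Step 2: allow everything from the given addresses (the trusted zone
# accepts all traffic) and refuse everything else by making block the
# default zone. The permanent sources are activated by the reload *before*
# the default zone is switched (set-default-zone changes runtime and
# permanent at once), so an admin connecting from one of the allowlisted
# addresses has no window in which new connections are refused.
apply_allowlist_policy() {
    for addr in "$@"; do
        run firewall-cmd --permanent --zone trusted --add-source "$addr"
    done
    run firewall-cmd --reload
    run firewall-cmd --set-default-zone=block
    # Verify the result.
    run firewall-cmd --get-default-zone
    run firewall-cmd --zone trusted --list-sources
}

# Optional: admit a single service from one address into a zone that is not
# already fully trusted, using the rich rule from the thread. The rule is
# added permanently and takes effect on the next reload.
allow_service_from() {
    zone="$1"; addr="$2"; service="$3"
    run firewall-cmd --permanent --zone "$zone" \
        --add-rich-rule "rule family=ipv4 source address=\"$addr\" service name=\"$service\" accept"
}

# Run only when explicitly asked; DRY_RUN=0 performs the changes for real.
if [ "${1:-}" = "--apply" ]; then
    reset_user_config "$FIREWALLD_DIR"
    apply_allowlist_policy 203.0.113.10 198.51.100.7   # placeholder allowlist
fi
```

Run it as root with `--apply` and the default DRY_RUN=1 first to review the commands it would issue, then with `DRY_RUN=0` to make the change. Because the default zone switch is immediate, do this from a console session or from one of the allowlisted addresses, and check the final `--list-sources` output shows both addresses before closing the session.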
Perfect, thanks again Eric. Steve