On Sat, Oct 06, 2018 at 06:14:22PM -0400, Igor Kapushkin wrote:
Hello, I want to create a new zone to allow only SSH connections from an IP address range and DROP everything else.

<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <short>TEsting</short>
  <description>Testing</description>
  <service name="ssh"/>
  <source address="123.45.67.89/24" />
</zone>

That IP range is fake, of course. In the real one, I use my IP range, which is real. I place that inside /etc/firewalld/zones/testing.xml and the zone gets listed after reload. The problem is that ssh is still open for everyone. If I run nmap from a computer outside that range ("123.45.67.89/24") it says "open", so firewalld is not blocking it. What am I doing wrong? Should I use "ACCEPT" instead of "DROP"?
It's because packets not from 123.45.67.89/24 belong to a different zone (likely the default/public zone) which also has SSH opened.
https://firewalld.org/documentation/zone/default-zone.html
You can get the desired effect by changing the default zone to something restrictive like the "block" zone. Then your custom "testing" zone will handle SSH connections from 123.45.67.89/24.
# firewall-cmd --set-default-zone=block
# firewall-cmd --reload
Be careful doing this remotely as you can easily block yourself out from SSH.
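To make the zone-dispatch point in the reply concrete, here is a small added model of how firewalld picks a zone for an incoming packet: a zone with a matching <source> wins, otherwise the packet falls into the default zone. This is example code written for this thread, not firewalld's own implementation; the zone definitions (public, block, testing) and the probe addresses 203.0.113.10 and 123.45.67.5 are constructed to mirror the configuration above. It also includes a lockout check for the caveat in the last sentence. On a real host the equivalent questions are answered by `firewall-cmd --get-zone-of-source=<cidr>` and `firewall-cmd --get-active-zones`.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Zone:
    """Simplified firewalld zone: target, opened services, bound sources."""
    name: str
    target: str                     # "default", "ACCEPT", "REJECT" or "DROP"
    services: set = field(default_factory=set)
    sources: list = field(default_factory=list)   # CIDR strings


# Constructed zone set mirroring the thread: stock "public" (ssh open),
# stock "block" (reject everything) and the poster's custom "testing" zone.
ZONES = {
    "public": Zone("public", "default", {"ssh", "dhcpv6-client"}),
    "block": Zone("block", "REJECT"),
    "testing": Zone("testing", "DROP", {"ssh"}, ["123.45.67.89/24"]),
}


def zone_for_source(zones, default_zone, src_ip):
    """Return the zone bound to src_ip's network, else the default zone.

    Assumption (simplified model): sources are the only binding considered,
    so anything not matched by a <source> lands in the default zone. That
    fallback is exactly why SSH stayed open for everyone in the question.
    """
    ip = ipaddress.ip_address(src_ip)
    for zone in zones.values():
        for cidr in zone.sources:
            # strict=False accepts host bits as written (123.45.67.89/24)
            if ip in ipaddress.ip_network(cidr, strict=False):
                return zone
    return zones[default_zone]


def verdict(zone, service):
    """ACCEPT if the service is opened in the zone, else the zone target.

    The stock "default" target rejects unmatched traffic, so it is mapped
    to REJECT here; ACCEPT/REJECT/DROP targets apply as-is.
    """
    if service in zone.services:
        return "ACCEPT"
    if zone.target == "ACCEPT":
        return "ACCEPT"
    return "DROP" if zone.target == "DROP" else "REJECT"


def ssh_verdict(zones, default_zone, src_ip):
    """What happens to an SSH SYN from src_ip under the given default zone."""
    return verdict(zone_for_source(zones, default_zone, src_ip), "ssh")


def safe_to_switch(zones, new_default, admin_ip):
    """Lockout guard: will the admin's own address still reach SSH after
    the default zone is changed to new_default?"""
    return ssh_verdict(zones, new_default, admin_ip) == "ACCEPT"


if __name__ == "__main__":
    outsider, insider = "203.0.113.10", "123.45.67.5"   # constructed probes
    print("default=public, outsider:", ssh_verdict(ZONES, "public", outsider))
    print("default=block,  outsider:", ssh_verdict(ZONES, "block", outsider))
    print("default=block,  insider: ", ssh_verdict(ZONES, "block", insider))
    print("safe to switch from", insider, "->", safe_to_switch(ZONES, "block", insider))
    print("safe to switch from", outsider, "->", safe_to_switch(ZONES, "block", outsider))
```

Running it shows the before/after of the reply: with the default zone left at public the outsider's SSH is accepted, with the default switched to block it is rejected while the 123.45.67.0/24 range still reaches the testing zone. Run the lockout guard with the address you are administering from before issuing `--set-default-zone`.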
firewalld-users@lists.fedorahosted.org