firewalld and source/dest rules?

James Hogarth james.hogarth at gmail.com
Tue Jan 19 07:25:36 UTC 2016


On 19 Jan 2016 02:19, "Alex" <mysqlstudent at gmail.com> wrote:
>
> Hi,
>
> On Mon, Jan 18, 2016 at 2:55 AM, James Hogarth <james.hogarth at gmail.com>
wrote:
> >
> > On 17 Jan 2016 16:28, "Alex" <mysqlstudent at gmail.com> wrote:
> >>
> >> Hi,
> >> I have a fedora23 system and just starting to learn how firewalld
> >> works. None of the documentation really discusses how to add rules
> >> from a specific source (the -s option with iptables).
> >>
> >> Is this not what firewalld was intended to do?
> >>
> >> How do I restrict access to ssh or dns only from specific remote IP
> >> addresses?
> >>
> >
> > Create a zone for that source network and then apply the rules to that.
> >
> > Have a read of this and see if it helps clear a few things up:
> >
> > https://www.hogarthuk.com/?q=node/9
>
> Okay, that's interesting. So it's possible to apply multiple zones to
> a single interface? How would you suggest I structure that? In other
> words, create a "ssh" zone where the only service is ssh, then add all
> the source addresses that are permitted to ssh to my host to that
> zone?
>
> I'm trying to do the iptables equivalent of:
>
> -A INPUT -s 192.168.1.0/24,192.168.10.0/24 -p tcp -m state --state NEW
> -m tcp --dport 993 -j ACCEPT
> -A INPUT -s 192.168.1.0/24,192.168.10.0/24 -p tcp -m state --state NEW
> -m tcp --dport 443 -j ACCEPT
>
> You've provided some great examples at the end, but any guidance on
> how to get started with what I've written above would be appreciated.
>
> Do you know if firewalld works with NetworkManager properly in fc23?
> I'm now learning that because I use kvm/qemu for virtual machines, and
> apparently must disable NetworkManager still, that I can't also use
> firewalld. I learned this from an older article, but I've been having
> problems with NetworkManager and bridges and thought it might be
> related.
>

Whatever article that is sounds mostly nonsense.

NM works fine with firewalld and with libvirt (kvm)... and they all work
independently of each other too.

When doing a network-subnet-based zone you don't apply it to an interface,
as it's network based.

So you'd create a zone for "finance" or whatever you want to call what
defines that subnet. Then you'd add the network source subnet to it so that
it gets used. Then you'd apply your rules (such as --add-service https).

If you're struggling a bit with NM and bridges I also have an NM article on
the site that covers using nmcli for this.

Don't forget there is a new iproute2 command for bridges that is very
useful at checking their status - bridge link <foo> will tell you what
links are in the bridge and whether STP results in the link in a listening,
blocking or forwarding state.

Last week I was talking to someone who was convinced their NM bridge was
broken... Then with that we saw it was up and forwarding and the problem
lay elsewhere (cabling) ;)
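The zone-based procedure from the reply (create a zone, add the source subnets, add the rules), written out below as an added example that is not part of the original thread. It takes the zone name "finance" from the reply and the two subnets plus ports 993 and 443 from the quoted iptables rules; the function names zone_cmds and check_cmds are this example's own. Nothing touches the firewall when the script runs: it only prints the firewall-cmd invocations so they can be reviewed and then piped into sh as root.

```shell
#!/bin/sh
# Added example, not from the original thread: the firewalld equivalent of the
# quoted iptables rules (tcp/993 and tcp/443 accepted only from 192.168.1.0/24
# and 192.168.10.0/24), built as a source-based zone. Zone name "finance" is
# taken from the reply; the function names are this example's own choice.
# The functions print firewall-cmd invocations instead of running them, so
# they can be reviewed first and then applied as root with:  zone_cmds ... | sh

# zone_cmds ZONE "SERVICE..." "PORT/PROTO..." SOURCE...
# Prints the permanent changes: create the zone (--new-zone only exists in
# permanent mode), bind the source subnets to it (no --change-interface needed:
# a packet is matched against source-bound zones before the zone of the
# interface it arrived on), open the services and ports, then reload so the
# permanent configuration becomes the running one.
zone_cmds() {
    zone=$1 services=$2 ports=$3
    shift 3
    echo "firewall-cmd --permanent --new-zone=$zone"
    for src in "$@"; do
        echo "firewall-cmd --permanent --zone=$zone --add-source=$src"
    done
    for svc in $services; do
        echo "firewall-cmd --permanent --zone=$zone --add-service=$svc"
    done
    for port in $ports; do
        echo "firewall-cmd --permanent --zone=$zone --add-port=$port"
    done
    echo "firewall-cmd --reload"
}

# check_cmds ZONE: prints the commands that confirm, after the reload, that the
# zone is active (it shows up once it has sources bound) and carries the
# expected sources, services and ports.
check_cmds() {
    echo "firewall-cmd --get-active-zones"
    echo "firewall-cmd --zone=$1 --list-all"
}

# Example invocation: two subnets, https as a named service, 993 as a raw port.
zone_cmds finance https 993/tcp 192.168.1.0/24 192.168.10.0/24
check_cmds finance
```

A source-bound zone only adds access for those subnets; it takes nothing away from the zone the interface itself sits in. To restrict ssh to the listed addresses as asked in the thread, ssh also has to be removed from that interface zone (on a default Fedora install that is public, which allows ssh out of the box): `firewall-cmd --permanent --zone=public --remove-service=ssh`, followed by a `--reload`, and `--list-all` on both zones to confirm the result before the session is closed.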