  1. #1
    Linux Newbie jnojr's Avatar
    Join Date
    Sep 2007
    Location
    San Diego, CA
    Posts
    132

    firewalld - multiple services / sources?


    If you have a system with one network interface, and you want to allow ssh from some addresses, freeipa-ldap from others, and https (which is part of freeipa-ldap) from another one; and you do not want to have a sea of rich rules... how do you do that?

    I can't tell if firewalld is just really poorly documented or very limited. I am sorely tempted to disable it and just use good ol' iptables, but I don't like the kneejerk "Just disable it!" attitude, partly because one day there'll be something that you have to do "the new way", and you'll be far behind the curve.

  2. #2
    I did try it about 6 months ago, spent 2/3 days trying to block some addresses but could not find any way; it could block ports, but not much use.

    I went through and printed out all the documentation, 159 pages in all; will try again in 6 months.

    Went back to iptables; yes, it does warn that they will stop support in the future. This was on Fedora 25.

    Dennis

  3. #3
    Just Joined!
    Join Date
    Jun 2017
    Location
    Philippines
    Posts
    12
    You might want to consider iptables. Also install fail2ban if your machine is internet facing.

  5. #4
    Linux Newbie jnojr's Avatar
    Join Date
    Sep 2007
    Location
    San Diego, CA
    Posts
    132
    Quote Originally Posted by Dennis2 View Post
    I did try it about 6 months ago, spent 2/3 days trying to block some addresses but could not find any way; it could block ports, but not much use.
    It turns out you can specify a service in a rich rule.

    Code:
    firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.2.0/24" service name="freeipa-ldap" accept'
    So you don't have to specify each and every port.
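    The rich rule above accepts one service from one source, but an accept rule on its own blocks nothing: what else can reach the host is decided by the zone the traffic lands in (the default zone, normally public, with whatever services are enabled there; on a stock Fedora/RHEL install that includes ssh). The cleaner layout for the question at the top of the thread is firewalld's zone-per-source model: a packet is assigned to a zone by its source address before the interface is consulted, each zone carries its own service list, and a source can belong to only one zone. The script below is an added example, not code from this thread; the zone names and address ranges are placeholders, and by default (DRY_RUN=1) it prints the firewall-cmd invocations instead of running them, so the plan can be checked without a firewalld host. It also uses --permanent followed by --reload: --add-rich-rule without --permanent, as in the post above, changes only the runtime configuration and is gone after a reload or reboot.

```shell
#!/bin/sh
# Added example, not from the thread: one firewalld zone per trust level, keyed
# on source address, instead of a pile of rich rules in a single zone.
# Zone names and address ranges are placeholders (assumptions for illustration).
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them as root.

DRY_RUN="${DRY_RUN:-1}"

# run_fw ARGS...: run firewall-cmd, or print the invocation in dry-run mode.
run_fw() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# zone_rules ZONE "SRC SRC..." "SVC SVC...": permanent rules for one zone.
# A source address may be bound to only one zone, so hosts that need two
# service sets get both services in the same zone, not two zones.
# --new-zone fails if the zone already exists; check --get-zones first.
zone_rules() {
    zone=$1; sources=$2; services=$3
    run_fw --permanent --new-zone="$zone"
    for src in $sources; do
        run_fw --permanent --zone="$zone" --add-source="$src"
    done
    for svc in $services; do
        run_fw --permanent --zone="$zone" --add-service="$svc"
    done
}

# build_plan: the layout the original question asks for.
build_plan() {
    # admin hosts: ssh only
    zone_rules mgmt    "192.0.2.0/24"                     "ssh"
    # IPA clients: LDAP, Kerberos and HTTP(S) via the freeipa-ldap service
    zone_rules ipa     "198.51.100.0/24 2001:db8:1::/64"  "freeipa-ldap"
    # one host that only needs the web UI
    zone_rules webonly "203.0.113.7/32"                   "https"
    # Traffic from any other source falls into the default zone; if ssh is
    # still enabled there, the mgmt restriction above is meaningless.
    run_fw --permanent --zone=public --remove-service=ssh
    # Permanent changes take effect only after a reload.
    run_fw --reload
}

build_plan
```

    Run it with DRY_RUN=0 as root to apply. Afterwards, firewall-cmd --get-active-zones shows which zones currently have sources or interfaces bound, and firewall-cmd --zone=mgmt --list-all shows exactly what one zone permits; if a zone is missing from the active list, its sources never matched and the traffic is being handled by the default zone instead.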

  6. #5
    Quote Originally Posted by jnojr View Post
    It turns out you can specify a service in a rich rule.

    Code:
    firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.2.0/24" service name="freeipa-ldap" accept'
    So you don't have to specify each and every port.
    I did try it using a similar command line, but after testing I found it did not work; nothing was blocked.

    Please note there have been quite a few updates since I tried it, so it is quite possible it works fine now.

    Dennis

  7. #6
    How about you try a simple port block:

    # Allow the trusted address to the port. -A appends, so this rule must
    # be added before the DROP below or it is never reached.
    iptables -A INPUT -p tcp --dport <PORT> -s <IP_ADD> -j ACCEPT

    # Everyone else connecting to the port is dropped.
    iptables -A INPUT -p tcp --dport <PORT> -j DROP

    This will allow IP_ADD to connect to the declared port and lock it for all other IPs.
