Firewalld interface issue

Support for security such as Firewalls and securing linux
Posts: 6
Joined: 2018/12/20 17:34:39

Firewalld interface issue

Post by PeteH » 2019/01/10 17:13:21

I'm trying to use firewall-cmd to set up firewalld.
I've got 2 interfaces:
ens192, which is internet facing and on which I want to (currently) drop all incoming packets
ens224, on which I want to only accept ssh and smtp packets; all other packets should be rejected

To facilitate this I've created a new zone called inside, here's the /etc/firewalld/zones/inside.xml
<?xml version="1.0" encoding="utf-8"?>
<zone target="%%REJECT%%">
<service name="smtp"/>
<service name="ssh"/>
</zone>

Here's the relevant stanza from firewall-cmd --list-all-zones:

inside (active)
target: %%REJECT%%
icmp-block-inversion: no
interfaces: ens224
services: smtp ssh
masquerade: no
rich rules:

So looking at that I would expect that it should reject any incoming packet on ens224 that isn't on port 22 or 25. Problem is it doesn't. I've tried varying the target to ACCEPT and default; still nothing getting through. It's almost like ens224 isn't listening at all when firewalld is started (and yes, I've checked the zone information in ifcfg-ens224).

Any idea what I'm missing? I've tried moving ens224 into trusted too but that has no effect either, it's almost like I've got to enable a link between firewalld and ens224 but where?


Posts: 6
Joined: 2018/12/20 17:34:39

Re: Firewalld interface issue

Post by PeteH » 2019/01/15 17:28:13

Forget it. I've come to the conclusion firewalld doesn't seem to like it when you go creating your own zones (which I did because the predefined zones didn't give me exactly what I wanted and there's limited functionality, e.g. you can't remove ssh from DMZ; it comes back and tells you it's predefined). I'm going back to iptables, a bit retrograde I know, but if the new stuff doesn't work I need to go back to what does. Maybe I'll get what I'm looking for in CentOS 8.

Pete H

Forum Moderator
Posts: 27742
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Firewalld interface issue

Post by TrevorH » 2019/01/16 01:01:37

If that's the case then I'd recommend you download the RHEL 8 beta and give it a test drive and provide your feedback. RH have decided that iptables is dead and that nftables should be the new way and that firewalld is the preferred way to use nftables. I have not yet tested it myself but I gather that there is an nftables-service[s] package so hopefully those of us that think firewalld is a toy don't have to use it.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
CentOS 5 has been EOL for nearly 3 years and should no longer be used for anything!
Full time Geek, part time moderator. Use the FAQ Luke

Posts: 2007
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Firewalld interface issue

Post by hunter86_bg » 2019/01/26 09:11:28

Maybe you can try to create your zone via 'firewall-cmd' commands.
I'm not sure that your zone definition is completely correct and that could be the root cause.
Still, I think firewalld is great for simple rules, while advanced features should be addressed via iptables and nftables respectively.
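The zone file quoted in the first post and the doubt raised here about whether that definition is correct can be checked mechanically before the file is dropped into /etc/firewalld/zones/. The validator below is an added example written for this thread; it is not code from the forum or from the firewalld project. It checks that the file is well-formed XML with a <zone> root (the posted file as quoted has no closing </zone> tag), that the target attribute is one of the values firewalld.zone(5) documents (ACCEPT, %%REJECT%%, DROP, default; a bare REJECT is a common slip), and that every <service> carries a name. The three sample documents are constructed for the demonstration; the function names are the example's own.

```python
"""Validate a firewalld zone definition before installing it.

Added example for this thread, not code from the forum or from firewalld.
The sample zone documents below are constructed; they are not the poster's
exact files beyond what was quoted in the thread.
"""
import xml.etree.ElementTree as ET

# Values firewalld.zone(5) documents for the zone target= attribute.
VALID_TARGETS = {"ACCEPT", "%%REJECT%%", "DROP", "default"}


def validate_zone(xml_text: str) -> dict:
    """Parse a zone file and report structural problems.

    Returns a dict with keys: ok (bool), errors (list of str),
    target (str or None) and services (list of service names).
    """
    result = {"ok": False, "errors": [], "target": None, "services": []}
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A missing </zone> (as in the quoted file) lands here.
        result["errors"].append(f"not well-formed XML: {exc}")
        return result
    if root.tag != "zone":
        result["errors"].append(f"root element is <{root.tag}>, expected <zone>")
        return result
    # No target attribute means the "default" target.
    target = root.get("target", "default")
    result["target"] = target
    if target not in VALID_TARGETS:
        result["errors"].append(
            f"target={target!r} is not one of {sorted(VALID_TARGETS)}"
        )
    for svc in root.findall("service"):
        name = svc.get("name")
        if not name:
            result["errors"].append("<service> element without name= attribute")
        else:
            result["services"].append(name)
    result["ok"] = not result["errors"]
    return result


def describe_policy(result: dict) -> str:
    """Summarise what a valid zone admits and what happens to the rest."""
    if not result["ok"]:
        return "invalid zone: " + "; ".join(result["errors"])
    admitted = ", ".join(result["services"]) or "nothing"
    return f"allow services [{admitted}]; everything else -> {result['target']}"


# Constructed sample 1: the file as quoted in the thread, with no </zone>.
TRUNCATED_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone target="%%REJECT%%">
<service name="smtp"/>
<service name="ssh"/>
"""

# Constructed sample 2: the same zone with the closing tag added.
FIXED_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone target="%%REJECT%%">
  <short>inside</short>
  <description>ens224: ssh and smtp only (constructed example)</description>
  <service name="smtp"/>
  <service name="ssh"/>
</zone>
"""

# Constructed sample 3: well-formed but with a target firewalld does not accept.
BAD_TARGET_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone target="REJECT">
  <service name="ssh"/>
</zone>
"""

if __name__ == "__main__":
    for label, doc in (("truncated", TRUNCATED_ZONE),
                       ("fixed", FIXED_ZONE),
                       ("bad-target", BAD_TARGET_ZONE)):
        print(f"{label:10s} {describe_policy(validate_zone(doc))}")
```

Run it against the real file with `python3 validate_zone.py` after pasting the contents in, or import validate_zone and pass `open('/etc/firewalld/zones/inside.xml').read()`. A clean result only proves the file itself is sound; the interface still has to be bound to the zone (ZONE= in the ifcfg file or `firewall-cmd --permanent --zone=inside --change-interface=ens224`) and the daemon reloaded, which is the separate point the first post was chasing.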

Posts: 510
Joined: 2015/05/11 07:53:27
Location: UK

Re: Firewalld interface issue

Post by MartinR » 2019/01/26 13:08:37

RH Beta requires additional information beyond a simple developer login. One mandatory piece is a company name, a problem if you are currently not employed.


Return to “CentOS 7 - Security Support”