CentOS8 firewall config
In the past, my dealings with Linux firewalls has been essentially nil because I always disable the built-in OS firewalls and use a dedicated external firewall.
That being said, I have a use case where I don't have the ability to have a dedicated external firewall, so as such, I have little choice but to use the built in firewall. From the reading I've done, I've gotten somewhere, but not really where I want to be.
What I want to do is 'fairly simple'. I want to:
Allow all outbound
Allow SMTP from anywhere (Ideally IPV4 & IPV6)
Allow 'TCP Port1' from 'x' IPv4 address
Allow 'TCP Port2' from 'x' IPv4 address
Allow 'TCP Port3' from 'x' IPv4 address
Drop all other traffic as if the IP is dead
The idea being it accepts all inbound mail for my domains, and in the event that my internet connection has gone down or my server has become unreachable for whatever reason, this will spool all inbound mail indefinitely until my server comes back online and then deliver it at that point, and it also serves as an outbound relay point for my mail server, so all mail comes and goes from the same IP.
I did manage to get part way there using the following:
firewall-cmd --permanent --zone=public --add-icmp-block-inversion
firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="IPx" port port=Port1 protocol=tcp accept'
firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="IPx" port port=Port2 protocol=tcp accept'
firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="IPx" port port=Port3 protocol=tcp accept'
The problem with those commands (well, the ICMP one) is when I ping it, I get 'Destination net unreachable.' instead of the expected/desired 'timeout'.
The other three (non-ICMP) are probably exactly as I need/want them. Using the '--permanent' switch, they're persistent across reboots. I'm just not sure if the 'rich rules' are the best way to get where I want to be with them since that's new to me.
SMTP is listed in the 'services' section of 'firewall-cmd --zone=public --list-all' but I'm not sure that's all that's needed as when I start Postfix, it still doesn't respond if I try to telnet to it on port 25.
If this was a pfSense, ASA or Watchguard firewall, it would be a no-brainier.
So What's the best way to do this? The 'FirewallD' portion of WebMin doesn't seem to give any hints that anything like the 'Rich Rules' are possible, and if I make a change using it, it wipes out the Rich Rules I configured.
Is it possible to configure this sort of thing from WebMin's FirewallD section? Or should it be just CLI? Any advice/suggestions?