Firewalld IP Addresses

nmrdukeman
Posts: 50
Joined: 2016/02/24 19:11:41

Firewalld IP Addresses

Post by nmrdukeman » 2020/08/18 22:00:37

Hi,
I am trying to set up the firewall to allow only several static-IP computers to have access to a server through ssh or sftp.
I have created an active/default zone with only the ssh service on a different port number. So far so good.

I tried firewall-cmd --permanent --add-source=192.168.2.50 (static IP address)
However, I tried to sftp from different remote computers with different static IP addresses and I still could login to the server.

Where did I go wrong here? I thought the server would only allow the 192.168.2.50 computer to use "ssh" or "sftp".
How can I fix it?

Thanks for your help in advance

jlehtone
Posts: 3183
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Firewalld IP Addresses

Post by jlehtone » 2020/08/18 22:29:04

The firewall has two "stages".
First, a packet is directed to a zone based on its origin.
Second, the zone says whether to allow the packet.

You have two possible origins and therefore you should have two zones.
The first zone handles packets that have an "allowed source IP". This zone allows ssh.
The second zone handles what comes from the interface. This zone does not allow ssh.
The source zones are handled before the interface zones.
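The two-zone layout described in this reply, written out as an added example (it is not code from either poster). The zone name `ssh-allowed`, the interface `eth0`, the interface zone `public` and the ssh port `2222` are assumptions; substitute your own. The script prints the `firewall-cmd` sequence as a plan, applies it only when `firewall-cmd` is present, and includes a small pure-shell simulation of the lookup order (source zone first, then interface zone) so the rule can be checked on a machine without firewalld:

```shell
#!/bin/sh
# Added example, not from the thread. Values below are assumptions.
ALLOWED_ZONE="ssh-allowed"        # assumed zone name for the permitted sources
ALLOWED_SOURCES="192.168.2.50"    # space-separated IPs/CIDRs (IP taken from the thread)
IFACE_ZONE="public"               # assumed zone bound to the interface
IFACE="eth0"                      # assumed interface
SSH_PORT="2222"                   # assumed non-default ssh port

# Print the firewall-cmd sequence. Lines that may legitimately fail on a
# re-run (zone already exists, service already absent) are made tolerant.
plan() {
  echo "firewall-cmd --permanent --new-zone=$ALLOWED_ZONE || true"
  for src in $ALLOWED_SOURCES; do
    echo "firewall-cmd --permanent --zone=$ALLOWED_ZONE --add-source=$src"
  done
  echo "firewall-cmd --permanent --zone=$ALLOWED_ZONE --add-port=$SSH_PORT/tcp"
  echo "firewall-cmd --permanent --zone=$IFACE_ZONE --change-interface=$IFACE"
  echo "firewall-cmd --permanent --zone=$IFACE_ZONE --remove-service=ssh || true"
  echo "firewall-cmd --permanent --zone=$IFACE_ZONE --remove-port=$SSH_PORT/tcp || true"
  echo "firewall-cmd --reload"
}

# Run the plan if firewall-cmd exists; otherwise just show it.
apply() {
  if ! command -v firewall-cmd >/dev/null 2>&1; then
    echo "firewall-cmd not found; printing plan only" >&2
    plan
    return 0
  fi
  plan | while read -r cmd; do
    echo "+ $cmd"
    sh -c "$cmd" || return 1
  done
  # Verification: the source zone and the interface zone should both be active.
  firewall-cmd --get-active-zones
}

# Simulation of the two-stage lookup: a packet whose source is listed lands in
# the source zone; anything else falls through to the interface zone.
# Exact-IP matching only; CIDR ranges are not expanded here.
zone_for_source() {
  for src in $ALLOWED_SOURCES; do
    [ "$1" = "$src" ] && { echo "$ALLOWED_ZONE"; return 0; }
  done
  echo "$IFACE_ZONE"
}

# "yes" when the zone chosen for the source is the one that opens ssh.
ssh_allowed_from() {
  [ "$(zone_for_source "$1")" = "$ALLOWED_ZONE" ] && echo yes || echo no
}

# Usage: sh zones.sh          (print the plan)
#        sh zones.sh apply    (apply it with firewall-cmd)
if [ "${1:-}" = "apply" ]; then apply; else plan; fi
```

The important detail is that `--add-source` is given together with `--zone=`; without it the source goes to the default zone, which is the same zone the interface is bound to, so every other address still reaches ssh through that interface. Check the result with `firewall-cmd --get-active-zones`: the allowed IP should appear under the source zone, and the interface under the other.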

nmrdukeman
Posts: 50
Joined: 2016/02/24 19:11:41

Re: Firewalld IP Addresses

Post by nmrdukeman » 2020/08/19 14:39:22

Hi,
Thanks for the reply.
I used to use the TCP wrapper hosts.allow and hosts.deny to limit IP address access to ssh. I tried it on CentOS 8, but it did not work. I later found out it is deprecated now.
I am going to try iptable to see whether it will work.
Any hints or tips?

jlehtone
Posts: 3183
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Firewalld IP Addresses

Post by jlehtone » 2020/08/19 19:41:06

"iptable"?
iptables is deprecated as well: https://access.redhat.com/documentation ... networking
