Firewalld

paul_j
Posts: 10
Joined: 2013/08/20 12:27:49
Location: Manchester England

Firewalld

Post by paul_j » 2019/12/20 10:39:40

Hi,
I've been looking into setting up my firewall to restrict ssh to my machine from a select number of subnets using firewall-cmd.
There are a few posts discussing the merits or otherwise of using rich rules.
Can anyone comment or post a description they think useful?
Cheers, Paul J

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Firewalld

Post by jlehtone » 2019/12/20 14:23:00

One should not need rich rules for that.

You want to divide the entire world into two zones. (The default is to have one zone, which allows ssh.)
* Zone 1 is the "select number of subnets". Zone 1 allows ssh.
* Zone 2 is everyone else. Zone 2 does not allow ssh.

There are built-in zones. I'd "add sources" to zone 'public' and then change the interface's zone to 'block'.

After that an incoming packet will be handled by 'public' (which allows ssh) if its source is within "select subnets". Otherwise the 'block' handles the packet you-guess-how.
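
The two-zone setup jlehtone describes, written out as an added example that is not from the thread or from the CentOS project: the interface name eth0 and the two subnets are assumptions, and DRY_RUN=1 only prints the firewall-cmd calls instead of running them. The zone_for helper models firewalld's lookup order (a source match wins, otherwise the interface's zone applies) so the expected outcome can be checked before touching a live host.

```shell
#!/bin/sh
# Two-zone ssh restriction with firewalld (added example, not from the thread).
# Assumed values: interface eth0, allowed subnets 192.0.2.0/24 and 198.51.100.0/24.
# DRY_RUN=1 prints the firewall-cmd calls instead of running them (otherwise run as root).
IFACE="${IFACE:-eth0}"
ALLOWED_SUBNETS="${ALLOWED_SUBNETS:-192.0.2.0/24 198.51.100.0/24}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Sources go into 'public' before the interface moves to 'block', so an
# admin connected from an allowed subnet keeps access across the reload.
configure_ssh_zones() {
    for net in $ALLOWED_SUBNETS; do
        run firewall-cmd --permanent --zone=public --add-source="$net"
    done
    run firewall-cmd --permanent --zone=public --add-service=ssh   # default, made explicit
    run firewall-cmd --permanent --zone=block --change-interface="$IFACE"
    run firewall-cmd --reload
    run firewall-cmd --get-active-zones   # expect both zones listed
}

# Local model of firewalld's lookup: a packet is handled by the zone owning its
# source (if any) and only falls back to the zone of the ingress interface.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_subnet() {   # in_subnet ADDR NET/BITS -> true if ADDR lies inside NET/BITS
    net=${2%/*}; bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

zone_for() {   # prints 'public' for allowed sources, 'block' for everyone else
    for net in $ALLOWED_SUBNETS; do
        in_subnet "$1" "$net" && { echo public; return 0; }
    done
    echo block
}

# Example run: preview the configuration, then check two sample addresses.
DRY_RUN=1
configure_ssh_zones
zone_for 192.0.2.17     # public
zone_for 203.0.113.5    # block
```

Because 'block' rejects with an ICMP host-prohibited reply rather than silently dropping, a client outside the allowed subnets sees an immediate "connection refused" style failure, which is what you want to see when verifying from a second machine.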

paul_j
Posts: 10
Joined: 2013/08/20 12:27:49
Location: Manchester England

Re: Firewalld

Post by paul_j » 2019/12/20 15:48:08

Cheers!

Errosion
Posts: 43
Joined: 2014/12/03 19:58:02

Re: Firewalld

Post by Errosion » 2019/12/23 14:39:31

This is exactly what I needed to do a few weeks ago.

I set my active zone to public and attached my interface to that. I removed all services from that zone. I then defined the sources I wanted to allow to ssh and the ssh service to the internal zone.

Most of what I was dealing with was on C7, but I feel the same would apply for C8 since it is still firewalld.

This is some solid reading for how to set things up. https://access.redhat.com/documentation ... g-networks

Good luck!
