firewalld : multiple network interfaces with different zones

Support for security such as Firewalls and securing linux
Post Reply
vkshatriya
Posts: 2
Joined: 2013/11/07 14:15:10

firewalld : multiple network interfaces with different zones

Post by vkshatriya » 2014/12/07 11:10:46

Hi There ,
I am installing CentOS 7 on a home server.
Server is having two network interfaces.

Code: Select all

enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.198  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::6a05:caff:fe11:5195  prefixlen 64  scopeid 0x20<link>
        ether 68:05:ca:11:51:95  txqueuelen 1000  (Ethernet)
        RX packets 2419  bytes 308319 (301.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 30  bytes 4574 (4.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 18  memory 0xfe8e0000-fe900000  

enp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.4  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::9eb6:54ff:fe04:4c60  prefixlen 64  scopeid 0x20<link>
        ether 9c:b6:54:04:4c:60  txqueuelen 1000  (Ethernet)
        RX packets 26402  bytes 21353662 (20.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 14110  bytes 1813875 (1.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 18  
Below is my firewalld configuration

Code: Select all

[root@githost network-scripts]# firewall-cmd --get-active-zones
home
  interfaces: enp2s0
block
  interfaces: enp3s0
[root@githost network-scripts]# firewall-cmd --zone=home --list-all
home (active)
  interfaces: enp2s0
  sources: 
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@githost network-scripts]# firewall-cmd --zone=block --list-all
block (active)
  interfaces: enp3s0
  sources: 
  services: 
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@githost network-scripts]# firewall-cmd --get-default-zone
public
[root@githost network-scripts]# firewall-cmd --zone=public --list-all
public (default)
  interfaces: 
  sources: 
  services: dhcpv6-client
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

[root@githost network-scripts]# 

My requirement is this server should only accept ssh connections through enp2s0 (192.168.1.198) interface which is under zone "home".
With above configuration neither interface accepting ssh connection from other machine in the same network.

Please advise whether my understanding of zones is wrong or am i missing something in the configuration.

Thanks in advance.

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: firewalld : multiple network interfaces with different z

Post by gerald_clark » 2014/12/07 16:28:09

Having 2 interfaces in the same subnet can cause all kinds of routing issues.

vkshatriya
Posts: 2
Joined: 2013/11/07 14:15:10

Re: firewalld : multiple network interfaces with different z

Post by vkshatriya » 2014/12/09 13:24:03

Our plan is to expose one NIC to DMZ zone with restrictions and leave the secondary NIC to internal network with no restrictions on incoming and outgoing traffic.

Post Reply