We should first ensure that the firewalld service is running with:
firewall-cmd --state
We want to ensure that any newly added interface is automatically placed in the block zone before we explicitly define who can access it:
firewall-cmd --set-default-zone=block
and then configure our interface zones:
firewall-cmd --permanent --zone=public --change-interface=eno333333
firewall-cmd --permanent --zone=internal --change-interface=eno222222
We must also define the 'ZONE' variable within our interface config:
vi /etc/sysconfig/network-scripts/ifcfg-eno333333
and append:
ZONE=public
Restart the network service and ensure the firewall is reloaded:
sudo service network restart
firewall-cmd --reload
To review, we can issue the following to take a look at any active zones:
firewall-cmd --get-active-zones
We will want to set up SSH access on the internal zone and HTTPS on the public zone:
firewall-cmd --zone=internal --add-service=ssh --permanent
firewall-cmd --zone=public --add-service=https --permanent
and ensure that we define a source for each zone:
firewall-cmd --zone=public --add-source=0.0.0.0/0 --permanent
firewall-cmd --zone=internal --add-source=10.0.0.0/24 --permanent
If we want to lock down different sources to different ports (for example if you are using a single interface), we can issue a 'rich rule', which provides more granular control over the relationship between sources and services:
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" port protocol="tcp" port="443" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.0.0.0/24" port protocol="tcp" port="ssh" accept'
And to review the rules within each zone we issue:
firewall-cmd --permanent --zone=public --list-all
firewall-cmd --permanent --zone=internal --list-all
and reload the firewall to ensure changes are applied:
firewall-cmd --reload
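Reading --list-all output by eye is where mistakes slip through, so here is an added example (not from the original post) that turns the review step into a repeatable check: it parses the "  field: value" layout of firewall-cmd --list-all, confirms the intended interface, source and service are bound to each zone, and flags any service the zone exposes beyond the allowed list. The two sample outputs are constructed to mirror the configuration built above (the internal sample deliberately carries an extra dhcpv6-client entry so the audit has something to catch); the audit_live function assumes firewall-cmd is available on the host and is not invoked here.

```shell
#!/bin/sh
# Added example, not from the original post. Audits `firewall-cmd --zone=<zone> --list-all`
# output against the services and sources we meant to open. The samples below are
# constructed; the parser assumes firewalld's two-space-indented "field: value" layout.

SAMPLE_PUBLIC='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno333333
  sources: 0.0.0.0/0
  services: https
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
'

# Constructed sample: dhcpv6-client is included on purpose to show an unexpected service.
SAMPLE_INTERNAL='internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno222222
  sources: 10.0.0.0/24
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
'

# zone_field OUTPUT FIELD: print the value of the indented "FIELD: value" line.
zone_field() {
  printf '%s\n' "$1" | sed -n "s/^  $2: *//p"
}

# zone_has OUTPUT FIELD ITEM: succeed if ITEM appears in the space-separated field.
zone_has() {
  for item in $(zone_field "$1" "$2"); do
    [ "$item" = "$3" ] && return 0
  done
  return 1
}

# audit_services OUTPUT ALLOWED...: fail (and report on stderr) if the zone exposes
# any service not in the allowed list, so accidental extras stand out.
audit_services() {
  out=$1
  shift
  rc=0
  for svc in $(zone_field "$out" services); do
    allowed=1
    for a in "$@"; do
      [ "$svc" = "$a" ] && allowed=0
    done
    if [ "$allowed" -ne 0 ]; then
      echo "unexpected service in zone: $svc" >&2
      rc=1
    fi
  done
  return $rc
}

# audit_live ZONE ALLOWED...: the same check against the running firewall.
# Assumes firewall-cmd exists on the host; not called in this offline example.
audit_live() {
  zone=$1
  shift
  audit_services "$(firewall-cmd --zone="$zone" --list-all)" "$@"
}

# Worked checks against the constructed samples.
zone_has "$SAMPLE_PUBLIC" services https && echo "public: https open"
zone_has "$SAMPLE_INTERNAL" sources 10.0.0.0/24 && echo "internal: source 10.0.0.0/24 bound"
audit_services "$SAMPLE_PUBLIC" https && echo "public: only https exposed"
audit_services "$SAMPLE_INTERNAL" ssh || echo "internal: extra service found, review the zone"
```

On a real host, audit_live public https and audit_live internal ssh run the same checks against the live configuration; note that --list-all without --permanent shows the runtime state, so run it after firewall-cmd --reload or the permanent changes will not yet be reflected.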