Firewalld precedence and rich rules

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
0
down vote

favorite












I have a firewalld config which I don't understand entirely. Why aren't the rich-rules taking any affect to allow ssh connections? If I don't put the IP addresses in the sources: the rich-rule isn't allowing the connection.



I have created 2 zones myself HQ, repectively homeusers.



What is the precedence and how should I handle this?



HQ (active)
target: default
icmp-block-inversion: no
interfaces:
sources: 195.x.xxx.xxx 90.xxx.xx.xxx 95.xx.xx.xx
services: ssh mysql telnet
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="195.x.xxx.xxx" service name="ssh" log prefix="SSH Access HQ" level="notice" accept
rule family="ipv4" source address="90.xxx.xx.xxx" service name="ssh" log prefix="SSH Access HQ" level="notice" accept
rule family="ipv4" source address="195.x.xxx.xxx" service name="ssh" log prefix="SSH Access xxxx" level="notice" accept

block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:


home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh mdns samba-client dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh mdns samba-client dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: https http
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


homeusers (active)
target: default
icmp-block-inversion: no
interfaces:
sources: 92.xxx.xxx.xxx 31.xxx.xxx.xxx 82.xx.xxx.xxx
services: ssh mysql telnet
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="95.xx.xx.xx" service name="ssh" log prefix="SSH Access HQ" level="notice" accept
rule family="ipv4" source address="92.xxx.xxx.xxx" service name="ssh" log prefix="SSH Access xxxxxxx" level="notice" accept
rule family="ipv4" source address="31.xxx.xxx.xxx" service name="ssh" log prefix="SSH Access xwxwxw" level="notice" accept

trusted (active)
target: default
icmp-block-inversion: no
interfaces:
sources: 127.0.0.1 19x.xxx.xxx.xxx
services: mysql
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:






share|improve this question




















  • Shouldn't rich rules: just be rules:
    – Raman Sailopal
    Nov 20 '17 at 12:05














up vote
0
down vote

favorite












I have a firewalld config which I don't understand entirely. Why aren't the rich-rules taking any affect to allow ssh connections? If I don't put the IP addresses in the sources: the rich-rule isn't allowing the connection.



I have created 2 zones myself HQ, repectively homeusers.



What is the precedence and how should I handle this?



HQ (active)
target: default
icmp-block-inversion: no
interfaces:
sources: 195.x.xxx.xxx 90.xxx.xx.xxx 95.xx.xx.xx
services: ssh mysql telnet
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="195.x.xxx.xxx" service name="ssh" log prefix="SSH Access HQ" level="notice" accept
rule family="ipv4" source address="90.xxx.xx.xxx" service name="ssh" log prefix="SSH Access HQ" level="notice" accept
rule family="ipv4" source address="195.x.xxx.xxx" service name="ssh" log prefix="SSH Access xxxx" level="notice" accept

block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:


home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh mdns samba-client dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh mdns samba-client dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: https http
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


homeusers (active)
target: default
icmp-block-inversion: no
interfaces:
sources: 92.xxx.xxx.xxx 31.xxx.xxx.xxx 82.xx.xxx.xxx
services: ssh mysql telnet
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="95.xx.xx.xx" service name="ssh" log prefix="SSH Access HQ" level="notice" accept
rule family="ipv4" source address="92.xxx.xxx.xxx" service name="ssh" log prefix="SSH Access xxxxxxx" level="notice" accept
rule family="ipv4" source address="31.xxx.xxx.xxx" service name="ssh" log prefix="SSH Access xwxwxw" level="notice" accept

trusted (active)
target: default
icmp-block-inversion: no
interfaces:
sources: 127.0.0.1 19x.xxx.xxx.xxx
services: mysql
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:






share|improve this question




















  • Shouldn't rich rules: just be rules:
    – Raman Sailopal
    Nov 20 '17 at 12:05












up vote
0
down vote

favorite









up vote
0
down vote

favorite











I have a firewalld config which I don't understand entirely. Why aren't the rich-rules taking any affect to allow ssh connections? If I don't put the IP addresses in the sources: the rich-rule isn't allowing the connection.



I have created 2 zones myself HQ, repectively homeusers.



What is the precedence and how should I handle this?



HQ (active)
target: default
icmp-block-inversion: no
interfaces:
sources: 195.x.xxx.xxx 90.xxx.xx.xxx 95.xx.xx.xx
services: ssh mysql telnet
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="195.x.xxx.xxx" service name="ssh" log prefix="SSH Access HQ" level="notice" accept
rule family="ipv4" source address="90.xxx.xx.xxx" service name="ssh" log prefix="SSH Access HQ" level="notice" accept
rule family="ipv4" source address="195.x.xxx.xxx" service name="ssh" log prefix="SSH Access xxxx" level="notice" accept

block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:


home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh mdns samba-client dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh mdns samba-client dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: https http
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


homeusers (active)
target: default
icmp-block-inversion: no
interfaces:
sources: 92.xxx.xxx.xxx 31.xxx.xxx.xxx 82.xx.xxx.xxx
services: ssh mysql telnet
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="95.xx.xx.xx" service name="ssh" log prefix="SSH Access HQ" level="notice" accept
rule family="ipv4" source address="92.xxx.xxx.xxx" service name="ssh" log prefix="SSH Access xxxxxxx" level="notice" accept
rule family="ipv4" source address="31.xxx.xxx.xxx" service name="ssh" log prefix="SSH Access xwxwxw" level="notice" accept

trusted (active)
target: default
icmp-block-inversion: no
interfaces:
sources: 127.0.0.1 19x.xxx.xxx.xxx
services: mysql
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:






share|improve this question












I have a firewalld config which I don't understand entirely. Why aren't the rich-rules taking any affect to allow ssh connections? If I don't put the IP addresses in the sources: the rich-rule isn't allowing the connection.



I have created 2 zones myself HQ, repectively homeusers.



What is the precedence and how should I handle this?



HQ (active)
target: default
icmp-block-inversion: no
interfaces:
sources: 195.x.xxx.xxx 90.xxx.xx.xxx 95.xx.xx.xx
services: ssh mysql telnet
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="195.x.xxx.xxx" service name="ssh" log prefix="SSH Access HQ" level="notice" accept
rule family="ipv4" source address="90.xxx.xx.xxx" service name="ssh" log prefix="SSH Access HQ" level="notice" accept
rule family="ipv4" source address="195.x.xxx.xxx" service name="ssh" log prefix="SSH Access xxxx" level="notice" accept

block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:


home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh mdns samba-client dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh mdns samba-client dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: https http
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


homeusers (active)
target: default
icmp-block-inversion: no
interfaces:
sources: 92.xxx.xxx.xxx 31.xxx.xxx.xxx 82.xx.xxx.xxx
services: ssh mysql telnet
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="95.xx.xx.xx" service name="ssh" log prefix="SSH Access HQ" level="notice" accept
rule family="ipv4" source address="92.xxx.xxx.xxx" service name="ssh" log prefix="SSH Access xxxxxxx" level="notice" accept
rule family="ipv4" source address="31.xxx.xxx.xxx" service name="ssh" log prefix="SSH Access xwxwxw" level="notice" accept

trusted (active)
target: default
icmp-block-inversion: no
interfaces:
sources: 127.0.0.1 19x.xxx.xxx.xxx
services: mysql
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:








share|improve this question











share|improve this question




share|improve this question










asked Nov 20 '17 at 11:45









holasz

139112




139112











  • Shouldn't rich rules: just be rules:
    – Raman Sailopal
    Nov 20 '17 at 12:05
















  • Shouldn't rich rules: just be rules:
    – Raman Sailopal
    Nov 20 '17 at 12:05















Shouldn't rich rules: just be rules:
– Raman Sailopal
Nov 20 '17 at 12:05




Shouldn't rich rules: just be rules:
– Raman Sailopal
Nov 20 '17 at 12:05















active

oldest

votes











Your Answer







StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f405751%2ffirewalld-precedence-and-rich-rules%23new-answer', 'question_page');

);

Post as a guest



































active

oldest

votes













active

oldest

votes









active

oldest

votes






active

oldest

votes















 

draft saved


draft discarded















































 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f405751%2ffirewalld-precedence-and-rich-rules%23new-answer', 'question_page');

);

Post as a guest













































































Popular posts from this blog

How to check contact read email or not when send email to Individual?

Displaying single band from multi-band raster using QGIS

How many registers does an x86_64 CPU actually have?