Firewalld precedence and rich rules
I have a firewalld config which I don't understand entirely. Why aren't the rich rules taking any effect to allow ssh connections? If I don't put the IP addresses in the sources:, the rich rule isn't allowing the connection.
I have created 2 zones myself, HQ and homeusers respectively.
What is the precedence and how should I handle this?
HQ (active)
target: default
icmp-block-inversion: no
interfaces:
sources: 195.x.xxx.xxx 90.xxx.xx.xxx 95.xx.xx.xx
services: ssh mysql telnet
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="195.x.xxx.xxx" service name="ssh" log prefix="SSH Access HQ" level="notice" accept
rule family="ipv4" source address="90.xxx.xx.xxx" service name="ssh" log prefix="SSH Access HQ" level="notice" accept
rule family="ipv4" source address="195.x.xxx.xxx" service name="ssh" log prefix="SSH Access xxxx" level="notice" accept
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh mdns samba-client dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh mdns samba-client dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: https http
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
homeusers (active)
target: default
icmp-block-inversion: no
interfaces:
sources: 92.xxx.xxx.xxx 31.xxx.xxx.xxx 82.xx.xxx.xxx
services: ssh mysql telnet
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="95.xx.xx.xx" service name="ssh" log prefix="SSH Access HQ" level="notice" accept
rule family="ipv4" source address="92.xxx.xxx.xxx" service name="ssh" log prefix="SSH Access xxxxxxx" level="notice" accept
rule family="ipv4" source address="31.xxx.xxx.xxx" service name="ssh" log prefix="SSH Access xwxwxw" level="notice" accept
trusted (active)
target: default
icmp-block-inversion: no
interfaces:
sources: 127.0.0.1 19x.xxx.xxx.xxx
services: mysql
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
centos networking iptables firewalld
asked Nov 20 '17 at 11:45
holasz
Shouldn't rich rules: just be rules:
- Raman Sailopal, Nov 20 '17 at 12:05
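The behaviour the question runs into is that a rich rule belongs to a zone and is only ever consulted for traffic that firewalld has already assigned to that zone; the assignment itself is decided by the zone's sources and interfaces, never by its rich rules. The following is an added example, not code from the question or from the firewalld project: a small Python model of the lookup order firewalld documents (source bindings first, then interface bindings, then the default zone) and of the per-zone evaluation order (rich-rule logging, rich-rule deny, then rich-rule accept and services, then the zone target). It is a simplified model, and the addresses, the HQ/public zone set and the log prefixes are constructed from RFC 5737 documentation ranges in place of the redacted values in the post.

```python
"""Simplified model of firewalld zone selection and per-zone rule evaluation.
Added example, not part of the original question; addresses are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Subset of firewalld's service definitions: name -> (protocol, port).
SERVICES = {"ssh": ("tcp", 22), "mysql": ("tcp", 3306), "telnet": ("tcp", 23),
            "http": ("tcp", 80), "https": ("tcp", 443)}


@dataclass
class RichRule:
    source: str                      # IPv4 address or CIDR
    service: str
    action: str                      # "accept", "reject" or "drop"
    log_prefix: Optional[str] = None


@dataclass
class Zone:
    name: str
    target: str = "default"          # "default" behaves like REJECT for ordinary zones
    interfaces: List[str] = field(default_factory=list)
    sources: List[str] = field(default_factory=list)
    services: List[str] = field(default_factory=list)
    rich_rules: List[RichRule] = field(default_factory=list)


@dataclass
class Verdict:
    zone: str
    bound_by: str                    # "source", "interface" or "default"
    action: str                      # "ACCEPT", "REJECT" or "DROP"
    logs: List[str]


def select_zone(zones: List[Zone], default_zone: str, src_ip: str, iface: str) -> Tuple[Zone, str]:
    """Zone lookup order: a source binding wins over an interface binding,
    which wins over the default zone. Among matching source bindings the
    most specific prefix wins. Rich rules play no part in this step."""
    ip = ipaddress.ip_address(src_ip)
    best, best_len = None, -1
    for z in zones:
        for cidr in z.sources:
            net = ipaddress.ip_network(cidr, strict=False)
            if ip in net and net.prefixlen > best_len:
                best, best_len = z, net.prefixlen
    if best is not None:
        return best, "source"
    for z in zones:
        if iface in z.interfaces:
            return z, "interface"
    return next(z for z in zones if z.name == default_zone), "default"


def _matches(rule: RichRule, ip, proto: str, dport: int) -> bool:
    return ip in ipaddress.ip_network(rule.source, strict=False) and SERVICES[rule.service] == (proto, dport)


def evaluate(zones: List[Zone], default_zone: str, src_ip: str, iface: str, proto: str, dport: int) -> Verdict:
    zone, bound_by = select_zone(zones, default_zone, src_ip, iface)
    ip = ipaddress.ip_address(src_ip)
    # Only the selected zone's rich rules are consulted; rules in other zones are invisible here.
    matched = [r for r in zone.rich_rules if _matches(r, ip, proto, dport)]
    logs = [f"{r.log_prefix}: {src_ip} -> {proto}/{dport}" for r in matched if r.log_prefix]
    deny = [r for r in matched if r.action in ("drop", "reject")]
    if deny:                                         # deny rich rules beat every allow
        return Verdict(zone.name, bound_by, deny[0].action.upper(), logs)
    if any(r.action == "accept" for r in matched) or any(SERVICES.get(s) == (proto, dport) for s in zone.services):
        return Verdict(zone.name, bound_by, "ACCEPT", logs)
    target = "ACCEPT" if zone.target == "ACCEPT" else "DROP" if zone.target == "DROP" else "REJECT"
    return Verdict(zone.name, bound_by, target, logs)


# Constructed zone set mirroring the question: HQ binds two source addresses and
# carries SSH rich rules, one of them for an address that is NOT in sources;
# public is bound to eth0 and is also the default zone.
ZONES = [
    Zone("HQ", sources=["198.51.100.10", "198.51.100.20"], services=["ssh", "mysql", "telnet"],
         rich_rules=[RichRule("198.51.100.10", "ssh", "accept", "SSH Access HQ"),
                     RichRule("203.0.113.5", "ssh", "accept", "SSH Access HQ")]),
    Zone("public", interfaces=["eth0"], services=["http", "https"]),
]
DEFAULT_ZONE = "public"

if __name__ == "__main__":
    for src, port in [("198.51.100.10", 22), ("203.0.113.5", 22), ("198.51.100.20", 22), ("198.51.100.10", 80)]:
        print(src, port, evaluate(ZONES, DEFAULT_ZONE, src, "eth0", "tcp", port))
```

Running it shows the three cases behind the question: 198.51.100.10 lands in HQ through its source binding and is accepted with the rich rule's log line; 203.0.113.5 is named only in an HQ rich rule, so it never reaches HQ, lands in public, finds no ssh service there and is rejected; and 198.51.100.20 is accepted by HQ's plain ssh service without any rich rule at all. In that configuration the rich rules add nothing but the log entry, which is also why adding the address to sources is what makes the connection work.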