Monday, November 20, 2017

Understanding FirewallD and relationship between services and rich rules

Hello,

I'm currently setting up a small group of blades to be used for rendering at my university. At the moment I'm using KVM to access the blades, but I'm trying to switch this over to SSH. I'm trying to set up the firewall (CentOS) to only allow connections from internal university networks, so anyone outside has to VPN in to access the blades.

At first I left the Public zone as is and added the rich rules you see below. But this would still allow me to SSH into the box regardless of originating IP. When I remove ssh from the services, only then does it require me to use the VPN service to gain access. To me this seems backwards, as my understanding is that the services would obey the rich rules and only allow access to those within the guidelines, but instead they seem to be imposed as gatekeeper overrides, allowing anything to get through. By not setting any services in the rich rules I thought they would apply to all connection attempts/types.

Is there something incredibly basic that I'm missing here? I've gone through multiple Unix/Stack Exchange posts as well as the RHEL documentation, but I can't find any information that clearly explains my situation. If there is, my eyes are blind at 3 in the morning. Any help would be appreciated!

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp3s0f0
  sources:
  services: dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
	rule family="ipv4" source address="XXX.XXX.0.0/16" accept
	rule family="ipv4" source address="XXX.XXX.XXX.0/19" accept
	rule family="ipv4" source address="XXX.XXX.XXX.0/18" accept
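The behaviour described in the post follows from how a firewalld zone is evaluated: the zone's services, ports and accept rich rules are independent allow entries, and a packet matching any one of them is accepted; anything that matches none falls through to the zone target (REJECT for the default public zone). Rich rules do not narrow the services, so with ssh in the services list every source can reach port 22, and a rich rule like rule family="ipv4" source address="..." accept with no service clause admits all traffic from that subnet, not only SSH. The script below is an added example, not part of the original post: it prints the firewall-cmd invocations that give the intended result (drop the blanket ssh service, add per-subnet rich rules that name service="ssh"), and it contains a small POSIX-sh model of the zone's accept logic so the two configurations can be compared offline. The subnets are placeholders, and the model only reproduces the accept-or-reject outcome, not firewalld's internal rule ordering.

```shell
#!/bin/sh
# Added example; not code from the original post. Subnets below are placeholders.
INTERNAL_SUBNETS="192.0.2.0/24 198.51.100.0/23"

# One rich rule that accepts SSH only from a single source subnet.
ssh_rich_rule() {
    printf 'rule family="ipv4" source address="%s" service name="ssh" accept' "$1"
}

# Dry run: print (do not execute) the commands that restrict SSH in a zone.
# Usage: plan_ssh_restriction public $INTERNAL_SUBNETS
plan_ssh_restriction() {
    zone="$1"; shift
    # The plain "ssh" service entry accepts from every source, so remove it.
    printf 'firewall-cmd --permanent --zone=%s --remove-service=ssh\n' "$zone"
    for net in "$@"; do
        printf 'firewall-cmd --permanent --zone=%s --add-rich-rule=%s\n' \
            "$zone" "'$(ssh_rich_rule "$net")'"
    done
    printf 'firewall-cmd --reload\n'
}

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# True when address $1 lies inside CIDR block $2 (e.g. 10.20.0.0/16).
ip_in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Model of the zone's decision for an inbound SSH connection.
#   $1: space-separated zone services   (e.g. "dhcpv6-client ssh")
#   $2: space-separated subnets that have an accept rich rule for ssh
#   $3: source address of the connection
# Prints "accept" or "reject" and returns 0/1 accordingly.
ssh_verdict() {
    services="$1"; subnets="$2"; src="$3"
    case " $services " in
        *" ssh "*) echo accept; return 0 ;;   # service entry: any source wins
    esac
    for net in $subnets; do
        if ip_in_cidr "$src" "$net"; then echo accept; return 0; fi
    done
    echo reject; return 1                     # zone target applies (REJECT)
}

# Stand-alone run: show the planned commands and the two outcomes.
plan_ssh_restriction public $INTERNAL_SUBNETS
echo "with ssh service, outside host 203.0.113.9: $(ssh_verdict 'dhcpv6-client ssh' "$INTERNAL_SUBNETS" 203.0.113.9)"
echo "without ssh service, outside host 203.0.113.9: $(ssh_verdict 'dhcpv6-client' "$INTERNAL_SUBNETS" 203.0.113.9)"
echo "without ssh service, internal host 192.0.2.40: $(ssh_verdict 'dhcpv6-client' "$INTERNAL_SUBNETS" 192.0.2.40)"
```

Review the printed commands before running them as root on the host; the --permanent changes only take effect after the final --reload. If the existing source-only rich rules are still wanted for other protocols they can stay, but note that they already admit every port from those subnets.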

