I'm still learning firewalld obviously, and I am having trouble grokking the documentation to understand how to do this.
I know I could do an iptables direct, but that doesn't seem like the "right" way to do it.
What I'm trying to do is allow a specific service, only for a specific ip.
Effectively, SNMP should be allowed from a specific IP address (the systems monitor). What would be the most correct way of doing this?
Create a zone for the snmp, then add the associated interface to that zone?
firewall-cmd --zone=monitoring --add-source=1.2.3.4/32
firewall-cmd --zone=monitoring --add-service=snmp
firewall-cmd --zone=monitoring --add-interface=ens192
firewall-cmd --runtime-to-permanent
Would this be an appropriate approach? Is it the 'most correct' way?
On 11/17/2015 11:12 AM, Nick Bright wrote:
firewall-cmd --zone=monitoring --add-source=1.2.3.4/32
firewall-cmd --zone=monitoring --add-service=snmp
firewall-cmd --zone=monitoring --add-interface=ens192
firewall-cmd --runtime-to-permanent
I went ahead and tried this and found that the zone and service must first be created, which requires use of:
firewall-cmd --new-zone=monitoring --permanent (--permanent is required)
firewall-cmd --new-service=snmp --permanent
edit /etc/firewalld/services/snmp.xml:
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>snmp</short>
  <description>Simple Network Management Protocol</description>
  <port port="161" protocol="udp" />
</service>
firewall-cmd --reload
However, at the end
firewall-cmd --zone=monitoring --add-interface=ens192
This results in a zone conflict. I'm not sure if it's even possible to have two zones on the interface.
Hi Nick,
I don't believe an interface can belong to multiple zones.
Instead I think you want a rich rule; the example below would add this to the default zone:
firewall-cmd --add-rich-rule 'rule family="ipv4" source address="x.x.x.x/16" service name="http" accept'
On 17 Nov 2015 17:30, "Nick Bright" nick.bright@valnet.net wrote:
On 11/17/2015 11:12 AM, Nick Bright wrote:
firewall-cmd --zone=monitoring --add-source=1.2.3.4/32
firewall-cmd --zone=monitoring --add-service=snmp
firewall-cmd --zone=monitoring --add-interface=ens192
firewall-cmd --runtime-to-permanent
I went ahead and tried this and found that the zone and service must
first be created, which requires use of:
firewall-cmd --new-zone=monitoring --permanent (--permanent is required)
firewall-cmd --new-service=snmp --permanent
edit /etc/firewalld/services/snmp.xml:
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>snmp</short>
  <description>Simple Network Management Protocol</description>
  <port port="161" protocol="udp" />
</service>
firewall-cmd --reload
However, at the end
firewall-cmd --zone=monitoring --add-interface=ens192
This results in a zone conflict. I'm not sure if it's even possible to
have two zones on the interface.
A zone applies to a source network or interface.
Have a flick through: https://www.hogarthuk.com/?q=node/9
Surprised SNMP isn't already defined as a service in /usr/lib/firewalld/services .... Perhaps snmpd? Don't have a system to hand to check.
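To make the point about zones concrete (a zone bound to a source address needs no --add-interface, which is what produced the conflict above, and the rich-rule form earlier in the thread is the other way to say the same thing), here is an added example script. It is not from this thread and not part of firewalld itself: it writes the permanent files that "firewall-cmd --permanent --new-zone / --add-source / --add-service" and "--new-service" would produce, so "firewall-cmd --reload" can pick them up, and it builds the rich-rule string for the default-zone approach. The file layout (/etc/firewalld/zones/NAME.xml, /etc/firewalld/services/NAME.xml) and the zone XML elements are firewalld's documented format; FIREWALLD_ROOT, is_single_host_cidr, write_service, write_source_zone and rich_rule are names made up for this example. Point FIREWALLD_ROOT at a scratch directory to inspect the output without root, then compare against /etc/firewalld before applying.

```sh
#!/bin/sh
# Added example, not from the thread: write the permanent firewalld config for
# "allow one service only from one host" as a source-bound zone, i.e. the files
# that firewall-cmd --permanent --new-zone/--add-source/--add-service produce,
# which "firewall-cmd --reload" then picks up. Binding the zone to a source
# instead of the interface avoids the zone conflict seen in the thread.
# Assumptions: FIREWALLD_ROOT defaults to /etc/firewalld; set it to a scratch
# directory to inspect the output without root. All function names are ours.
set -eu

FIREWALLD_ROOT="${FIREWALLD_ROOT:-/etc/firewalld}"

# Accept only a single IPv4 host written with an explicit /32, so a typo such
# as "1.2.3.4/3" cannot quietly widen the allowed source.
is_single_host_cidr() {
    case "$1" in */32) ;; *) return 1 ;; esac
    ip="${1%/32}"
    case "$ip" in .*|*.|*..*|*[!0-9.]*) return 1 ;; esac
    old_ifs="$IFS"; IFS=.
    set -- $ip
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Service definition with the same shape as the snmp.xml from the thread.
write_service() { # name port protocol description
    mkdir -p "$FIREWALLD_ROOT/services"
    cat > "$FIREWALLD_ROOT/services/$1.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$1</short>
  <description>$4</description>
  <port port="$2" protocol="$3"/>
</service>
EOF
}

# Zone bound to one source address and carrying one service. No <interface>
# element: the interface stays in its current zone, and firewalld evaluates
# source-bound zones before interface-bound ones, so only $2 reaches $3.
write_source_zone() { # zone source_cidr service
    is_single_host_cidr "$2" || { echo "refusing source that is not a /32: $2" >&2; return 1; }
    mkdir -p "$FIREWALLD_ROOT/zones"
    cat > "$FIREWALLD_ROOT/zones/$1.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>$1</short>
  <description>Hosts allowed to reach $3 on this machine</description>
  <source address="$2"/>
  <service name="$3"/>
</zone>
EOF
}

# The other approach from the thread: a rich rule for the default zone.
# Returns the rule text for: firewall-cmd --permanent --add-rich-rule "$(rich_rule ...)"
rich_rule() { # source_cidr service
    printf 'rule family="ipv4" source address="%s" service name="%s" accept' "$1" "$2"
}

# Usage: FIREWALLD_ROOT=/tmp/fw sh this.sh apply   (then diff against /etc/firewalld)
if [ "${1:-}" = "apply" ]; then
    write_service snmp 161 udp "Simple Network Management Protocol"
    write_source_zone monitoring 1.2.3.4/32 snmp
    echo "written under $FIREWALLD_ROOT; now run: firewall-cmd --reload"
fi
```

The /32 check is deliberate: the zone matches on source only, so a wider prefix is the one mistake that silently turns "my monitoring host" into "my whole network". Check the result with firewall-cmd --get-active-zones after the reload; the new zone should list the source, and the interface should still show under its original zone.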
On 11/17/2015 1:20 PM, James Hogarth wrote:
A zone applies to a source network or interface.
Have a flick through: https://www.hogarthuk.com/?q=node/9
Surprised SNMP isn't already defined as a service in /usr/lib/firewalld/services .... Perhaps snmpd? Don't have a system to hand to check.
I didn't think to try "snmpd", because "http" isn't "httpd" and so on.
I was also surprised to not find SNMP defined, though it was easy enough to do so. I would have assumed that anything in /etc/services would be defined.