Ah. I understand now. I was considering roughly the same, but wasn't sure whether that or rich rules was preferable. -- Kimee On Sat, 2019-04-27 at 01:39 +0200, Thibaut Perrin wrote: > No, I think the rules you created might have a better place in a > custom xml file instead of being given to firewall cmd directly :) > > On Fri, 26 Apr 2019 at 23:01, Kimberlee Integer Model < > kimee.i.model at gmail.com> wrote: > > I'm not sure I follow, you just think the modified one should be > > called > > "ssh-custom", or you think there shouldn't be a modified service > > file > > at all? > > > > -- Kimee > > > > On Fri, 2019-04-26 at 19:46 +0200, Thibaut Perrin wrote: > > > Hi there, > > > > > > Wouldn't that be a better solution to create a custom xml file to > > put > > > in /etc/firewalld and load that "ssh-custom" service instead ? > > > > > > Thanks > > > > > > On 26/04/2019, Kimberlee Integer Model <kimee.i.model at gmail.com> > > > wrote: > > > > Thank you, I've gone in and made the listed changes changed > > > > firewalld > > > > sections to use services instead of just port numbers. > > > > > > > > -- Kimee > > > > > > > > > > > > On Wed, 2019-04-24 at 17:05 -0700, Akemi Yagi wrote: > > > > > On Wed, Apr 24, 2019 at 12:13 AM Kimberlee Integer Model > > > > > <kimee.i.model at gmail.com> wrote: > > > > > > > > > > > > HI all, > > > > > > > > > > > > 1st time contributor here. I was using the guide on > > securing > > > > > > SSH, > > > > > > and > > > > > > noticed that the firewall-cmd snippets for filtering by > > > > > > requests > > > > > > per > > > > > > time seem somewhat outdated. From what I can tell the given > > > > > > snippets, > > > > > > relay arguments directly down to iptables, and do not cover > > > > > > both > > > > > > IPv4 > > > > > > and v6. (and in fact when attempting to extend to v6 the > > > > > > firewall > > > > > > would > > > > > > fail to reload). I came up with an "all firewall-cmd" > > solution > > > > > > which > > > > > > I'd like to share. > > > > > > > > > > > > It boils down to using rich rules in firewalld instead of > > > > > > direct > > > > > > rules > > > > > > for iptables. The code snippets in section 6 of < > > > > > > https://wiki.centos.org/HowTos/Network/SecuringSSH>;;; > > would be > > > > > > changed to > > > > > > > > > > > > firewall-cmd --permanent --add-rich-rule='rule port > > port="22" > > > > > > protocol="tcp" accept limit value="4/m"' > > > > > > firewall-cmd --permanent --remove-service ssh > > > > > > firewall-cmd --permanent --remove-port 22/tcp > > > > > > firewall-cmd --reload > > > > > > > > > > > > newly minted wiki username is "KimeeModel". > > > > > > > > > > > > Regards, > > > > > > Kimee > > > > > > > > > > You should be able to edit that page. Let us know if you find > > any > > > > > problem. > > > > > > > > > > Akemi > > > > > _______________________________________________ > > > > > CentOS-docs mailing list > > > > > CentOS-docs at centos.org > > > > > https://lists.centos.org/mailman/listinfo/centos-docs > > > > > > > > _______________________________________________ > > > > CentOS-docs mailing list > > > > CentOS-docs at centos.org > > > > https://lists.centos.org/mailman/listinfo/centos-docs > > > > > > > > > > _______________________________________________ > > > CentOS-docs mailing list > > > CentOS-docs at centos.org > > > https://lists.centos.org/mailman/listinfo/centos-docs > > > > _______________________________________________ > > CentOS-docs mailing list > > CentOS-docs at centos.org > > https://lists.centos.org/mailman/listinfo/centos-docs > > _______________________________________________ > CentOS-docs mailing list > CentOS-docs at centos.org > https://lists.centos.org/mailman/listinfo/centos-docs