I'm still learning firewalld obviously, and I am having trouble grokking the documentation to understand how to do this. I know I could do an iptables direct rule, but that doesn't seem like the "right" way to do it.

What I'm trying to do is allow a specific service, only for a specific IP. Effectively, SNMP should be allowed from a specific IP address (the systems monitor). What would be the most correct way of doing this? Create a zone for the SNMP, then add the associated interface to that zone?

    firewall-cmd --zone=monitoring --add-source=1.2.3.4/32
    firewall-cmd --zone=monitoring --add-service=snmp
    firewall-cmd --zone=monitoring --add-interface=ens192
    firewall-cmd --runtime-to-permanent

Would this be an appropriate approach? Is it the 'most correct' way?

--
-----------------------------------------------
- Nick Bright                                 -
- Vice President of Technology                -
- Valnet -=- We Connect You -=-               -
- Tel 888-332-1616 x 315 / Fax 620-331-0789   -
- Web http://www.valnet.net/                  -
-----------------------------------------------
- Are your files safe?                        -
- Valnet Vault - Secure Cloud Backup          -
- More information & 30 day free trial at     -
- http://www.valnet.net/services/valnet-vault -
-----------------------------------------------

This email message and any attachments are intended solely for the use of the addressees hereof. This message and any attachments may contain information that is confidential, privileged and exempt from disclosure under applicable law. If you are not the intended recipient of this message, you are prohibited from reading, disclosing, reproducing, distributing, disseminating or otherwise using this transmission. If you have received this message in error, please promptly notify the sender by reply E-mail and immediately delete this message from your system.
On 11/17/2015 11:12 AM, Nick Bright wrote:
> firewall-cmd --zone=monitoring --add-source=1.2.3.4/32
> firewall-cmd --zone=monitoring --add-service=snmp
> firewall-cmd --zone=monitoring --add-interface=ens192
> firewall-cmd --runtime-to-permanent

I went ahead and tried this and found that the zone and service must first be created, which requires use of:

    firewall-cmd --new-zone=monitoring --permanent   (--permanent is required)
    firewall-cmd --new-service=snmp

edit /etc/firewalld/services/snmp.xml:

    <?xml version="1.0" encoding="utf-8"?>
    <service>
      <short>snmp</short>
      <description>Simple Network Management Protocol</description>
      <port port="161" protocol="udp" />
    </service>

    firewall-cmd --reload

However, at the end

    firewall-cmd --zone=monitoring --add-interface=ens192

This results in a zone conflict. I'm not sure if it's even possible to have two zones on the interface.

--
Nick Bright
> However, at the end
> firewall-cmd --zone=monitoring --add-interface=ens192
>
> This results in a zone conflict. I'm not sure if it's even possible to
> have two zones on the interface.

Hi Nick,

I don't believe an interface can belong to multiple zones. Instead I think you want a rich rule; the example below would add this to the default zone:

    firewall-cmd --add-rich-rule 'rule family="ipv4" source address="x.x.x.x/16" service name="http" accept'
On 17 Nov 2015 17:30, "Nick Bright" <nick.bright at valnet.net> wrote:
>
> On 11/17/2015 11:12 AM, Nick Bright wrote:
>>
>> firewall-cmd --zone=monitoring --add-source=1.2.3.4/32
>> firewall-cmd --zone=monitoring --add-service=snmp
>> firewall-cmd --zone=monitoring --add-interface=ens192
>> firewall-cmd --runtime-to-permanent
>
> I went ahead and tried this and found that the zone and service must
> first be created, which requires use of:
>
> firewall-cmd --new-zone=monitoring --permanent (--permanent is required)
> firewall-cmd --new-service=snmp
>
> edit /etc/firewalld/services/snmp.xml:
> <?xml version="1.0" encoding="utf-8"?>
> <service>
>   <short>snmp</short>
>   <description>Simple Network Management Protocol</description>
>   <port port="161" protocol="udp" />
> </service>
>
> firewall-cmd --reload
>
> However, at the end
> firewall-cmd --zone=monitoring --add-interface=ens192
>
> This results in a zone conflict. I'm not sure if it's even possible to
> have two zones on the interface.
>

A zone applies to a source network or interface. Have a flick through: https://www.hogarthuk.com/?q=node/9

Surprised SNMP isn't already defined as a service in /usr/lib/firewalld/services .... Perhaps snmpd ? Don't have a system to hand to check.
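Pulling the two suggestions in this thread together, here is an added example (not code from any of the posters or from the firewalld project) that wraps both approaches in POSIX shell functions. Approach 1 is Nick's dedicated zone, but bound to the monitor's source address only, leaving the `--add-interface` step out, since an interface can sit in one zone at a time and that is what produced the zone conflict. Approach 2 is the rich rule from the reply. The function names, the `FIREWALL_CMD` variable (which defaults to the real `firewall-cmd` and can be pointed at a logging stub for a dry run) and the address check are assumptions of this example; the zone name `monitoring`, the source `1.2.3.4/32` and the service name `snmp` come from the thread. The example assumes `firewall-cmd` is on PATH and that the `monitoring` zone does not yet exist in the permanent configuration.

```shell
#!/bin/sh
# Added example, not from the thread: allow one service from one source with
# firewalld, either via a source-bound zone or via a rich rule.
set -eu

# Assumption: point this at a stub for a dry run; defaults to the real binary.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Accept only a plain IPv4 address or IPv4/prefix, so a typo in the monitor's
# address cannot turn into an overly broad rule. Returns 0 when well-formed.
valid_ipv4_cidr() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32        # no "/": treat as a single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $addr                              # split into octets on "."
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Approach 1: a dedicated zone that matches on *source*, not on interface.
# The interface stays in its current zone, so there is no zone conflict.
# --new-zone only works with --permanent, hence the reload before use.
allow_service_from_source_zone() {
    zone=$1 source=$2 service=$3
    valid_ipv4_cidr "$source" || { echo "bad source: $source" >&2; return 1; }
    "$FIREWALL_CMD" --permanent --new-zone="$zone"
    "$FIREWALL_CMD" --reload
    "$FIREWALL_CMD" --permanent --zone="$zone" --add-source="$source"
    "$FIREWALL_CMD" --permanent --zone="$zone" --add-service="$service"
    "$FIREWALL_CMD" --reload
}

# Approach 2: a single rich rule in the default zone, no extra zone needed.
rich_rule_for() {
    printf 'rule family="ipv4" source address="%s" service name="%s" accept' "$1" "$2"
}

allow_service_from_source_rich() {
    source=$1 service=$2
    valid_ipv4_cidr "$source" || { echo "bad source: $source" >&2; return 1; }
    rule=$(rich_rule_for "$source" "$service")
    "$FIREWALL_CMD" --permanent --add-rich-rule="$rule"
    "$FIREWALL_CMD" --reload
}

# Usage (only when invoked as a script with an explicit mode; no-op when
# sourced): ./allow_snmp.sh zone   or   ./allow_snmp.sh rich
case "${1:-}" in
    zone) allow_service_from_source_zone monitoring 1.2.3.4/32 snmp ;;
    rich) allow_service_from_source_rich 1.2.3.4/32 snmp ;;
esac
```

Both paths write the permanent configuration and reload, rather than editing the runtime set and calling `--runtime-to-permanent`, so a reload or reboot between the two steps cannot leave the rule behind. After either one, `firewall-cmd --list-all-zones` should show the source in `monitoring` (approach 1) or the rich rule in the default zone (approach 2), and nothing else about the interface's zone should have changed.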