> -----Original Message-----
> From: CentOS [mailto:centos-bounces at centos.org] On Behalf Of Gordon Messmer
> Sent: Friday, January 27, 2017 9:23 PM
> To: CentOS mailing list
> Subject: Re: [CentOS] firewalld
>
> On 01/27/2017 06:01 PM, TE Dukes wrote:
> > I telnet localhost 143, I get connection refused.
> >
> > What zone is used for the local network and what zone is used for
> > outside access?
>
> All traffic from localhost is allowed. No zone is involved.
>
> The zone for "outside" access depends on which interface receives the
> packet, and what zone you've put that interface in. I believe that
> defaults to "public."

I'm telnetting in from ssh on a machine on the local network, still getting connection refused.

The zone apparently means something because an interface can only be on one. Moving it to a different zone results in the same error (same services/ports opened in each zone).

I may as well disable firewalld and let my router handle the firewall.

I don't plan to use my server as a workstation.
On 28 Jan 2017 3:02 am, "TE Dukes" <tdukes at palmettoshopper.com> wrote:

> > -----Original Message-----
> > From: CentOS [mailto:centos-bounces at centos.org] On Behalf Of Gordon Messmer
> > Sent: Friday, January 27, 2017 9:23 PM
> > To: CentOS mailing list
> > Subject: Re: [CentOS] firewalld
> >
> > On 01/27/2017 06:01 PM, TE Dukes wrote:
> > > I telnet localhost 143, I get connection refused.
> > >
> > > What zone is used for the local network and what zone is used for
> > > outside access?
> >
> > All traffic from localhost is allowed. No zone is involved.
> >
> > The zone for "outside" access depends on which interface receives the
> > packet, and what zone you've put that interface in. I believe that
> > defaults to "public."
>
> I'm telnetting in from ssh on a machine on the local network, still getting
> connection refused.
>
> The zone apparently means something because an interface can only be on one.
> Moving it to a different zone results in the same error (same services/ports
> opened in each zone).
>
> I may as well disable firewalld and let my router handle the firewall.
>
> I don't plan to use my server as a workstation.

Have a read through this and then decide on if you want to use it or not.

You can also switch to iptables-service and mask firewalld if you want the same behaviour as in C6.

7.3 also has nftables as a tech preview, but I've not finished my article on that yet.
> > The zone apparently means something because an interface can only be on one.
> > Moving it to a different zone results in the same error (same services/ports
> > opened in each zone).

The "zones" are just labels and are used to create kernel iptables. Each zone has a default set of open and closed ports ranging from "trusted" which accepts all packets to "public" which has everything closed. You can modify the allowed ports and services on each zone at will.

Some of the zones have "special" features - "block" rejects all packets, "drop" drops all packets, "external" has masquerading turned on and so on.

If you have a single network, then that interface will, by default, be put in the "public" zone, so most ports will be closed. That's fine, just leave it in that zone, it's just a label/container.

You can list the services open in the default zone by doing

   firewall-cmd --list-services

or for ports not services

   firewall-cmd --list-ports

or for a different zone

   firewall-cmd --zone=public --list-services

You can also find out which zones your interface(s) is in with

   firewall-cmd --get-active-zones

One of the gotchas with firewalld is that the changes are made in either the current running iptables *or* the stored rules, not both. So if you make a change to the running rule set, those changes won't be kept the next time you restart firewalld. You can either use the '--permanent' flag to set the stored rules (but it won't affect the active rules) or the '--runtime-to-permanent' flag to copy the current active rules to the stored ones.

The bottom line is that firewalld is just another application that manipulates the kernel packet routing tables. Use something else if you prefer it - some of the system tools assume firewalld, but if you are aware of what's happening it shouldn't be an issue.

> > I may as well disable firewalld and let my router handle the firewall.

If you are happy that there is nothing behind your firewall that could cause a problem then that's an acceptable route.

P.
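The runtime-versus-permanent split Pete describes above is easy to check mechanically. The following is an added example, not code from this thread or from firewalld: a POSIX shell snippet that diffs a zone's runtime and permanent service lists and reports what would vanish on the next reload and what is stored but not yet active. The function names (only_in_first, zone_drift) are my own, and the two sample lists are constructed rather than real firewall-cmd output.

```shell
#!/bin/sh
# Added example (not from the thread): detect drift between firewalld's
# running rule set and its stored (--permanent) rule set for one zone.

# Print each word of list $1 that does not occur in list $2.
# Both arguments are space-separated word lists, as firewall-cmd prints them.
only_in_first() {
    for w in $1; do
        case " $2 " in
            *" $w "*) ;;                    # present in both, nothing to report
            *) printf '%s\n' "$w" ;;        # only in the first list
        esac
    done
}

# Report drift between the runtime ($1) and permanent ($2) service lists.
# Runtime-only services disappear on 'firewall-cmd --reload' or a restart;
# permanent-only services are stored but not in effect until a reload.
zone_drift() {
    lost=$(only_in_first "$1" "$2")
    pending=$(only_in_first "$2" "$1")
    [ -n "$lost" ] && echo "runtime-only (will disappear on reload): $lost"
    [ -n "$pending" ] && echo "permanent-only (not active yet): $pending"
    [ -z "$lost" ] && [ -z "$pending" ] && echo "runtime and permanent rules agree"
    return 0
}

# Constructed sample: imap was opened with a plain 'firewall-cmd --add-service=imap'
# (runtime only), while smtp was added with --permanent and never reloaded.
RUNTIME_SAMPLE="ssh dhcpv6-client imap"
PERMANENT_SAMPLE="ssh dhcpv6-client smtp"
zone_drift "$RUNTIME_SAMPLE" "$PERMANENT_SAMPLE"

# On a live CentOS 7 host (assumes firewall-cmd is installed), feed the real
# lists for the zone instead of the samples:
#   zone_drift "$(firewall-cmd --zone=public --list-services)" \
#              "$(firewall-cmd --permanent --zone=public --list-services)"
```

Anything reported as runtime-only is exactly what a later --reload silently removes, which is the failure mode the thread runs into.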
> -----Original Message-----
> From: CentOS [mailto:centos-bounces at centos.org] On Behalf Of James Hogarth
> Sent: Saturday, January 28, 2017 4:18 AM
> To: CentOS mailing list
> Subject: Re: [CentOS] firewalld
>
> On 28 Jan 2017 3:02 am, "TE Dukes" <tdukes at palmettoshopper.com> wrote:
>
> > > -----Original Message-----
> > > From: CentOS [mailto:centos-bounces at centos.org] On Behalf Of Gordon Messmer
> > > Sent: Friday, January 27, 2017 9:23 PM
> > > To: CentOS mailing list
> > > Subject: Re: [CentOS] firewalld
> > >
> > > On 01/27/2017 06:01 PM, TE Dukes wrote:
> > > > I telnet localhost 143, I get connection refused.
> > > >
> > > > What zone is used for the local network and what zone is used for
> > > > outside access?
> > >
> > > All traffic from localhost is allowed. No zone is involved.
> > >
> > > The zone for "outside" access depends on which interface receives the
> > > packet, and what zone you've put that interface in. I believe that
> > > defaults to "public."
> >
> > I'm telnetting in from ssh on a machine on the local network, still getting
> > connection refused.
> >
> > The zone apparently means something because an interface can only be on one.
> > Moving it to a different zone results in the same error (same services/ports
> > opened in each zone).
> >
> > I may as well disable firewalld and let my router handle the firewall.
> >
> > I don't plan to use my server as a workstation.
>
> Have a read through this and then decide on if you want to use it or not.
>
> You can also switch to iptables-service and mask firewalld if you want the
> same behaviour as in C6.
>
> 7.3 also has nftables as a tech preview, but I've not finished my article
> on that yet.

I saw something about that somewhere. Did you forget a link?

Thanks
> -----Original Message-----
> From: CentOS [mailto:centos-bounces at centos.org] On Behalf Of Pete Biggs
> Sent: Saturday, January 28, 2017 6:02 AM
> To: centos at centos.org
> Subject: Re: [CentOS] firewalld
>
> > > The zone apparently means something because an interface can only be on one.
> > > Moving it to a different zone results in the same error (same
> > > services/ports opened in each zone).
>
> The "zones" are just labels and are used to create kernel iptables.
> Each zone has a default set of open and closed ports ranging from "trusted"
> which accepts all packets to "public" which has everything closed. You can
> modify the allowed ports and services on each zone at will.
>
> Some of the zones have "special" features - "block" rejects all packets,
> "drop" drops all packets, "external" has masquerading turned on and so on.
>
> If you have a single network, then that interface will, by default, be put in the
> "public" zone, so most ports will be closed. That's fine, just leave it in that
> zone, it's just a label/container.
>
> You can list the services open in the default zone by doing
>
>    firewall-cmd --list-services
>
> or for ports not services
>
>    firewall-cmd --list-ports
>
> or for a different zone
>
>    firewall-cmd --zone=public --list-services
>
> You can also find out which zones your interface(s) is in with
>
>    firewall-cmd --get-active-zones
>
> One of the gotchas with firewalld is that the changes are made in either the
> current running iptables *or* the stored rules, not both. So if you make a
> change to the running rule set, those changes won't be kept the next time
> you restart firewalld. You can either use the '--permanent' flag to set the
> stored rules (but it won't affect the active rules) or the
> '--runtime-to-permanent' flag to copy the current active rules to the
> stored ones.
>
> The bottom line is that firewalld is just another application that manipulates
> the kernel packet routing tables. Use something else if you prefer it - some
> of the system tools assume firewalld, but if you are aware of what's
> happening it shouldn't be an issue.
>
> > > I may as well disable firewalld and let my router handle the firewall.
>
> If you are happy that there is nothing behind your firewall that could cause a
> problem then that's an acceptable route.
>
> P.

Thanks, That's a better explanation of things than I have read so far.

Yes, initially I wasn't adding the --permanent to the rules but I wasn't doing really any reboots. I did a few --reloads so that may have gotten me.

I have zoneminder, dns, and urbackup working. I can ssh and scp in from work but mail is being a pain.

Thanks