<\/p>\n\n\n\n
In Firewalld we can use multiple zones for different types of traffic. For instance, we can setup an “internal” zone with our local IP addresses that are trusted, and then setup the public facing interface to the “drop” or “block” zone to block everything not from our internal network. <\/p>\n\n\n\n
Add all of our trusted IP addresses to the internal zone. The following example adds all of the private IP addresses “RFC 1918” to the internal zone. Change as needed.<\/p>\n\n\n\n
firewall-cmd --zone=internal --add-source=192.168.0.0\/16 --add-source=172.16.0.0\/12 --add-source=10.0.0.0\/8 --permanent<\/pre>\n\n\n\n<\/p>\n\n\n\n
2. Configure services\/ports that should be allowed on our “internal” zone<\/h2>\n\n\n\n
Next we need to specify which services or ports should be accessible in our trusted zone.<\/p>\n\n\n\n
Here is an example to allow https, ssh, and cockpit services<\/p>\n\n\n\n
firewall-cmd --zone=internal --add-service=https --add-service=ssh --add-service=cockpit --permanent <\/pre>\n\n\n\nHere is an example to allow port 8080 tcp<\/p>\n\n\n\n
firewall-cmd --zone=internal --add-port=8080\/tcp --permanent<\/pre>\n\n\n\n<\/p>\n\n\n\n
3. Set “drop” zone as the default for all other traffic<\/h2>\n\n\n\n
The final configuration piece we need to do is set the default zone. Anything not specified in other zones will get processed by the default zone.<\/p>\n\n\n\n
firewall-cmd --set-default-zone=drop<\/pre>\n\n\n\nThe drop zone drops everything.<\/p>\n\n\n\n
4. Reload firewall<\/h2>\n\n\n\n
Reload the firewall with <\/p>\n\n\n\n
firewall-cmd --reload<\/pre>\n\n\n\n
Verifying changes<\/h2>\n\n\n\nLet’s verify the changes with the firewall-cmd –get-active-zones command<\/p>\n\n\n\n
# firewall-cmd --get-active-zones\ndrop\n interfaces: en0\ninternal\n sources: 192.168.0.0\/16 172.16.0.0\/12 10.0.0.0\/8<\/pre>\n\n\n\nYou can also use<\/p>\n\n\n\n
firewall-cmd --list-all-zones<\/pre>\n\n\n\nto list all the zones. Active zones show (active) next to them.<\/p>\n\n\n\n
You can verify that your changes worked by doing an internal and external nmap scan.<\/p>\n\n\n\n
If you have issues with services still being accessible from the outside, try disabling Network Manager for that specific interface<\/p>\n\n\n\n
You can edit the ifcfg-eth0 file and add<\/p>\n\n\n\n
NM_CONTROLLED=no<\/pre>\n","protected":false},"excerpt":{"rendered":"In Firewalld we can use multiple zones for different types of traffic. For instance, we can setup an “internal” zone with our local IP addresses that are trusted, and then setup the public facing interface to the “drop” or “block” … Continue reading