Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Firewalld - source IP not working
Operating Systems Linux Red Hat Firewalld - source IP not working Post 303003725 by fishface on Tuesday 19th of September 2017 04:35:12 PM
Old 09-19-2017
I have added the interface, it's also in defined /etc/sysconfig/network-scripts/ifcfg-ens192, thinking that might be the issue but it made no difference.

Code:
firewall-cmd --get-active-zones
ABCinternal
  interfaces: ens192
  sources: 192.168.1.10 192.168.1.99

Code:
firewall-cmd --zone=ABCinternal --list-protocols
firewall-cmd --zone=public --list-protocols
firewall-cmd --zone=internal --list-protocols
firewall-cmd --zone=drop --list-protocols
firewall-cmd --zone=trusted --list-protocols
firewall-cmd --zone=dmz --list-protocols
firewall-cmd --zone=home --list-protocols
firewall-cmd --zone=work --list-protocols
firewall-cmd --zone=external --list-protocols

The above produced no output

Code:
firewall-cmd --zone=ABCinternal --list-services
ssh
firewall-cmd --zone=public --list-services
dhcpv6-client
firewall-cmd --zone=internal --list-services
ssh mdns samba-client dhcpv6-client
firewall-cmd --zone=drop --list-services
no output
firewall-cmd --zone=trusted --list-services
no output
firewall-cmd --zone=dmz --list-services
dmz
firewall-cmd --zone=home --list-services
ssh mdns samba-client dhcpv6-client
firewall-cmd --zone=work --list-services
ssh dhcpv6-client
firewall-cmd --zone=external --list-services
ssh

Also /etc/firewalld/zones only has 2 zones

ABCinternal.xml
ABCinternal.xml.old
public.xml
public.xml.old
 

8 More Discussions You Might Find Interesting

1. Solaris

GUI not working... CLI is working fine

Hello, I have X4500 running Solaris 10. I can access it through CLI but I cannot see the GUI. When I reboot it, the GUI works till all the files are loaded (ie., the initial boot sequence) and it prompts me to enter username and password and there it ends. The screen just has a blinking cursor... (4 Replies)
Discussion started by: bharu_sri
4 Replies

2. Shell Programming and Scripting

Script not working in cron but working fine manually

Help. My script is working fine when executed manually but the cron seems not to catch up the command when registered. The script is as follow: #!/bin/sh for file in file_1.txt file_2.txt file_3.txt do awk '{ print "0" }' $file > tmp.tmp mv tmp.tmp $file done And the cron... (2 Replies)
Discussion started by: jasperux
2 Replies

3. Red Hat

Os Open source dialer not working on Centos Asterisk platform

Hi We have one centos Server on Asterisk platform and using OS Open source dialer for dialing outbound connections.We are using eyebeam as a softphone for calling with Server ip 192.168.1.X.Today i found dialing issues with each client side phones.Not showing pause/resume button when browse... (0 Replies)
Discussion started by: Vaibhav.T
0 Replies

4. Red Hat

Nslookup working but ping not working at windows client

Hi Team we have created a DNS server at RHEL6.2 environment in 10.20.203.x/24 network. Everything is going well on linux client as nslookup, ping by host etc in entire subnet. We are getting problem in windows client as nslookup working as well but not ping. all the firewall is disabled and... (5 Replies)
Discussion started by: boby.kumar
5 Replies

5. Shell Programming and Scripting

Automating pbrun /bin/su not working, whenever manually it is working using putty

I am trying to automate a script where I need to use pbrun /bin/su but for some reason it is not passing thru the pbrun as my code below. . ~/.bash_profile pbrun /bin/su - content c h 1 hpsvn up file path I am executing this from an external .sh file that is pointing to this scripts file... (14 Replies)
Discussion started by: jorgejac
14 Replies

6. Red Hat

Firewalld - multiple services / sources?

If you have a system with one network interface, and you want to allow ssh from some addresses, freeipa-ldap from others, and https (which is part of freeipa-ldap) from another one; and you do not want to have a sea of rich rules... how do you do that? I can't tell if firewalld is just really... (2 Replies)
Discussion started by: jnojr
2 Replies

7. Shell Programming and Scripting

Working web service call not working with curl

Hello, Newbie here, I have a perfectly well working web service call I can issue from chrome (PC Windows 10) and get the results I want (a dimmer being turned on in Fibaro Home Center 2 at level 40) I am not allowed to post urls but the below works with http and :// and... (3 Replies)
Discussion started by: abigbear
3 Replies

8. Shell Programming and Scripting

Disk Space Utilization in HTML format working in one environment and not working on the other

Hi Team, I have written the shell script which returns the result of the disk space filesystems which has crossed the threshold limit in HTML Format. Below mentioned is the script which worked perfectly on QA system. df -h | awk -v host=`hostname` ' BEGIN { print "<table border="4"... (13 Replies)
Discussion started by: Harihsun
13 Replies

LEARN ABOUT CENTOS

firewalld.richlanguage

FIREWALLD.RICHLANG(5)					      firewalld.richlanguage					     FIREWALLD.RICHLANG(5)

NAME

       firewalld.richlanguage - Rich Language Documentation

DESCRIPTION

       With the rich language more complex firewall rules can be created in an easy to understand way. The language will use keywords with values
       and will be an abstract representation of ip*tables rules. Zones can be configured using this language, the current configuration will
       still be supported.

       The rich language extends the current zone elements (service, port, icmp-block, masquerade and forward-port) with additional source and
       destination addresses, logging, actions and limits for logs and actions.

       This page describes the rich language used in the command line client and D-Bus interface. For information about the rich language
       representation used in the zone configuration files, please have a look at firewalld.zone(5).

       A rule is part of a zone. A zone can contain several rules. If some rules interact/contradict, the first rule that matches "wins".

       General rule structure

	   rule
	     [source]
	     [destination]
	     service|port|protocol|icmp-block|masquerade|forward-port
	     [log]
	     [audit]
	     [accept|reject|drop]

       The complete rule is provided as a single line string. A destination is allowed here as long as it does not conflict with the destination
       of a service and is not allowed for masquerade at all.

       Rule structure for source black or white listing

	   rule
	     source
	     [log]
	     [audit]
	     accept|reject|drop

       This is used to grant or limit access from a source to this machine or machines that are reachable by this machine. A destination is not
       allowed here.

       Important information about element options: Options for elements in a rule need to be added exactly after the element. If the option is
       placed somewhere else it might be used for another element as far as it matches the options of the other element or will result in a rule
       error.

   Rule
	   rule [family="ipv4|ipv6"]

       If the rule family is provided, it can be either "ipv4" or "ipv6", which limits the rule to IPv4 or IPv6. If the rule family is not
       provided, the rule will be added for IPv4 and IPv6. If source or destination addresses are used in a rule, then the rule family need to be
       provided. This is also the case for port/packet forwarding.

   Source
	   source address="address[/mask]" [invert="True"]

       With the source address the origin of a connection attempt can be limited to the source address. A source address or address range is
       either an IP address or a network IP address with a mask for IPv4 or IPv6. The network family (IPv4/IPv6) will be automatically discovered.
       For IPv4, the mask can be a network mask or a plain number. For IPv6 the mask is a plain number. The use of host names is not supported. It
       is possible to invert the sense of an address by adding invert="true" or invert="yes". All but the used address with match.

   Destination
	   destination address="address[/mask]" invert="True"

       With the destination address the target can be limited to the destination address. The destination address is using the same syntax as the
       source address.

       The use of source and destination addresses is optional and the use of a destination addresses is not possible with all elements. This
       depends on the use of destination addresses for example in service entries.

   Service
	   service name="service name"

       The service service name will be added to the rule. The service name is one of the firewalld provided services. To get a list of the
       supported services, use firewall-cmd --get-services.

       If a service provides a destination address, it will conflict with a destination address in the rule and will result in an error. The
       services using destination addresses internally are mostly services using multicast.

   Port
	   port port="port value" protocol="tcp|udp"

       The port port value can either be a single port number portid or a port range portid-portid. The protocol can either be tcp or udp.

   Protocol
	   protocol value="protocol value"

       The protocol value can be either a protocol id number or a protocol name. For allowed protocol entries, please have a look at
       /etc/protocols.

   ICMP-Block
	   icmp-block name="icmptype name"

       The icmptype is the one of the icmp types firewalld supports. To get a listing of supported icmp types: firewall-cmd --get-icmptypes

       It is not allowed to specify an action here. icmp-block uses the action reject internally.

   Masquerade
	   masquerade

       Turn on masquerading in the rule. A source address can be provided to limit masquerading to this area, but not a destination address.

       It is not allowed to specify an action here.

   Forward-Port
	   forward-port port="port value" protocol="tcp|udp" to-port="port value" to-addr="address"

       Forward port/packets from local port value with protocol "tcp" or "udp" to either another port locally or to another machine or to another
       port on another machine.

       The port value can either be a single port number or a port range portid-portid. The destination address is an IP address.

       It is not allowed to specify an action here. forward-port uses the action accept internally.

   Log
	   log [prefix="prefix text"] [level="log level"] [limit value="rate/duration"]

       Log new connection attempts to the rule with kernel logging for example in syslog. You can define a prefix text that will be added to the
       log message as a prefix. Log level can be one of "emerg", "alert", "crit", "error", "warning", "notice", "info" or "debug". See syslog(3)
       for description of levels.

       It is possible to limit logging: The rate is a natural positive number [1, ..], the duration is of "s", "m", "h", "d". "s" means seconds,
       "m" minutes, "h" hours and "d" days. The maximum limit value is "1/d" which means at maximum one log entry per day.

   Audit
       Audit provides an alternative way for logging using audit records sent to the service auditd. The audit type will be discovered from the
       rule action automatically. The use of audit is optional.

       Also audit can be limited using the limit tag.

   Action
       An action can be one of accept, reject or drop.

       The rule can either contain an element or also a source only. If the rule contains an element, then new connection matching the element
       will be handled with the action. If the rule does not contain an element, then everything from the source address will be handled with the
       action.

	   accept | reject [type="reject type"] | drop

       With accept all new connection attempts will be granted. With reject they will not be accepted and there source will get a reject message.
       The reject type can be set to use an other value. For valid reject types see --reject-with type in iptables-extensions(8) man page. Because
       reject types are different for IPv4 and IPv6 you have to specify rule family when using reject type. With drop all packets will be dropped
       immediately, there is no information sent to the source.

       Also an action can be limited using the limit tag.

   Information about logging and actions
       Logging can be done with the log and also with audit. A new chain is added to all zones: zone_log. This will be jumped into before the deny
       chain to be able to have a proper ordering.

       The rules or parts of them are placed in separate chains according to the action of the rule:

	   zone_log
	   zone_deny
	   zone_allow

       Then all logging rules will be placed in the zone_log chain, which will be walked first. All reject and drop rules will be placed in the
       zone_deny chain, which will be walked after the log chain. All accept rules will be placed in the zone_allow chain, which will be walked
       after the deny chain. If a rule contains log and also deny or allow actions, the parts are placed in the matching chains.

EXAMPLES

       These are examples of how to specify rich language rules. This format (i.e. one string that specifies whole rule) uses for example
       firewall-cmd --add-rich-rule (see firewall-cmd(1)) as well as D-Bus interface.

   Example 1
       Enable new IPv4 and IPv6 connections for protocol 'ah'

	   rule protocol value="ah" accept

   Example 2
       Allow new IPv4 and IPv6 connections for service ftp and log 1 per minute using audit

	   rule service name="ftp" log limit value="1/m" audit accept

   Example 3
       Allow new IPv4 connections from address 192.168.0.0/24 for service tftp and log 1 per minutes using syslog

	   rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="tftp" level="info" limit value="1/m" accept

   Example 4
       New IPv6 connections from 1:2:3:4:6:: to service radius are all rejected and logged at a rate of 3 per minute. New IPv6 connections from
       other sources are accepted.

	   rule family="ipv6" source address="1:2:3:4:6::" service name="radius" log prefix="dns" level="info" limit value="3/m" reject
	   rule family="ipv6" service name="radius" accept

   Example 5
       Forward IPv6 port/packets receiving from 1:2:3:4:6:: on port 4011 with protocol tcp to 1::2:3:4:7 on port 4012

	   rule family="ipv6" source address="1:2:3:4:6::" forward-port to-addr="1::2:3:4:7" to-port="4012" protocol="tcp" port="4011"

   Example 6
       White-list source address to allow all connections from 192.168.2.2

	   rule family="ipv4" source address="192.168.2.2" accept

   Example 7
       Black-list source address to reject all connections from 192.168.2.3

	   rule family="ipv4" source address="192.168.2.3" reject type="icmp-admin-prohibited"

   Example 8
       Black-list source address to drop all connections from 192.168.2.4

	   rule family="ipv4" source address="192.168.2.4" drop

SEE ALSO

       firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1), firewalld.conf(5), firewalld.direct(5), firewalld.icmptype(5),
       firewalld.lockdown-whitelist(5), firewall-offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5), firewalld.zone(5),
       firewalld.zones(5)

NOTES

       firewalld home page at fedorahosted.org:
	   http://fedorahosted.org/firewalld/

       More documentation with examples:
	   http://fedoraproject.org/wiki/FirewallD

AUTHORS

       Thomas Woerner <twoerner@redhat.com>
	   Developer

       Jiri Popelka <jpopelka@redhat.com>
	   Developer

firewalld 0.3.9 													     FIREWALLD.RICHLANG(5)
All times are GMT -4. The time now is 06:28 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy