1

I have a centos 7.1 and firewalld installed.

There are 4 distinct services on that server: mysqld, mongod, jabberd, httpd

I need to configure that server to allow connections to jabberd and httpd from anywhere and mysqld and mongod from 2 addresses 10.0.0.1, 10.0.0.2

At the moment the public zone is active and default, bond interface is assigned here. httpd and jabberd are there and everything is working.

I have tried creating my own zone with specific sources and mongod/mysqld. I have also tried adding that to existing "trusted"/"internal" zones. But services are not reachable in this way. The only way to reach those services is to add them to "public".

I even tried to add rich rules to that public zone to allow those services from specific addresses. Still fails.

t1nkerer
  • 21

1 Answers1

2

Zones are defined by interface, source address, or both. This is the most confusing part of firewalld, but once you get it everything else is pretty easy.

What you want to do is define a completely new zone, set the source addresses on that zone, then open the destination ports on that zone that those source addresses should reach.

For ports that should be open to anywhere, it's fine to add them to the existing public zone.

Michael Hampton
  • 247,473
  • I have things like this:

    public (default, active) interfaces: bond0 enp2s0f0 enp2s0f1 sources: services: dhcpv6-client ssh ports: 5223/tcp 80/tcp 5280/tcp 11211/tcp 3306/tcp 27017/tcp 5269/tcp 5222/tcp masquerade: no forward-ports: icmp-blocks: rich rules:

    servers interfaces: sources: 127.0.0.1/32 192.168.0.5/32 192.168.0.4/32 192.168.0.6/32 services: ports: 3306/tcp 27017/tcp 11211/tcp masquerade: no forward-ports: icmp-blocks: rich rules:

    If I remove 27017 or 3306 or 11211 from public they become unreachable from any of the IPs listed in "servers" zone.

     – t1nkerer Jun 04 '15 at 11:47
  • Hi Michael - Can you please share an example of creating a zone defined by source addresses? Every example in the documentation only shows creating a zone with interfaces. – ArtOfWarfare Dec 22 '15 at 15:59
  • 2
    @ArtOfWarfare firewall-cmd --new-zone=myzone; firewall-cmd --zone=myzone --add-source=203.0.113.0/24 – Michael Hampton Dec 22 '15 at 16:14