In firewalld we can use multiple zones for different types of traffic. For instance, we can set up an “internal” zone containing the local IP ranges we trust, and then assign the public-facing interface to the “drop” or “block” zone so that everything not coming from our internal network is blocked.
- Set up trusted IP addresses in the “internal” zone
- Configure services/ports that should be allowed on our “internal” zone
- Set “drop” zone as the default for all other traffic
- Reload firewall
1. Set up trusted IP addresses in the “internal” zone
Add all of our trusted IP addresses to the internal zone. The following example adds all of the private (RFC 1918) address ranges to the internal zone. Change as needed.
firewall-cmd --zone=internal --add-source=192.168.0.0/16 --add-source=172.16.0.0/12 --add-source=10.0.0.0/8 --permanent
2. Configure services/ports that should be allowed on our “internal” zone
Next we need to specify which services or ports should be accessible in our trusted zone.
Here is an example that allows the https, ssh, and cockpit services:
firewall-cmd --zone=internal --add-service=https --add-service=ssh --add-service=cockpit --permanent
Here is an example that allows TCP port 8080:
firewall-cmd --zone=internal --add-port=8080/tcp --permanent
3. Set “drop” zone as the default for all other traffic
The final configuration step is to set the default zone. Any traffic not matched by another zone is processed by the default zone.
firewall-cmd --set-default-zone=drop
The drop zone silently drops all incoming packets (no reply is sent); only outgoing connections are possible.
4. Reload firewall
Reload the firewall so the permanent changes take effect:
firewall-cmd --reload
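The four steps above, collected into one script as an added example (this is not code from the original post). The zone names, services and RFC 1918 ranges are the ones the post uses; the variable names, the DRY_RUN switch and the guard in set_default_drop are this example's own. The guard exists because --set-default-zone changes the runtime configuration immediately, while the --permanent additions only take effect at reload: if the trusted source list were empty when the default zone became drop, the reload would also cut off the SSH session you are working from.

```shell
#!/bin/sh
# Added example: apply the firewalld "internal + drop" layout from the post.
# Set DRY_RUN=1 to print the firewall-cmd invocations instead of running them.
set -eu

# Trusted ranges, services and ports (post's defaults; override via environment).
TRUSTED_SOURCES="${TRUSTED_SOURCES:-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
TRUSTED_SERVICES="${TRUSTED_SERVICES:-https ssh cockpit}"
TRUSTED_PORTS="${TRUSTED_PORTS:-8080/tcp}"

# run: execute a command, or echo it verbatim when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# build_args PREFIX ITEM...: turn "a b c" into "--PREFIX=a --PREFIX=b --PREFIX=c".
build_args() {
    prefix=$1; shift
    out=""
    for item in "$@"; do
        out="$out --$prefix=$item"
    done
    printf '%s' "${out# }"
}

# Step 1: trusted source ranges go into the internal zone (permanent config only).
add_trusted_sources() {
    # word splitting on the list variables is intended
    run firewall-cmd --zone=internal $(build_args add-source $TRUSTED_SOURCES) --permanent
}

# Step 2: services and ports reachable from the trusted ranges.
add_trusted_services() {
    run firewall-cmd --zone=internal $(build_args add-service $TRUSTED_SERVICES) --permanent
}
add_trusted_ports() {
    run firewall-cmd --zone=internal $(build_args add-port $TRUSTED_PORTS) --permanent
}

# Step 3: "drop" becomes the default for everything not from a trusted source.
# Refuse when no trusted source is configured: --set-default-zone applies at
# once, and the reload in step 4 would then also drop the admin's own session.
set_default_drop() {
    if [ -z "$TRUSTED_SOURCES" ]; then
        echo "refusing to set default zone to drop: TRUSTED_SOURCES is empty" >&2
        return 1
    fi
    run firewall-cmd --set-default-zone=drop
}

# Step 4: activate the permanent changes.
reload_firewall() {
    run firewall-cmd --reload
}

apply_all() {
    add_trusted_sources
    add_trusted_services
    add_trusted_ports
    set_default_drop
    reload_firewall
}

# Usage: DRY_RUN=1 sh lockdown.sh apply   (review the commands first)
#        sudo sh lockdown.sh apply        (apply them)
if [ "${1:-}" = apply ]; then
    apply_all
fi
```

Run it once with DRY_RUN=1 and compare the printed lines against the commands in steps 1 to 4 before applying it on a remote machine.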
Verifying changes
Let’s verify the changes with the firewall-cmd --get-active-zones command:
# firewall-cmd --get-active-zones
drop
  interfaces: en0
internal
  sources: 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
You can also use
firewall-cmd --list-all-zones
to list all the zones. Active zones show (active) next to them.
You can verify that your changes worked by doing an internal and external nmap scan.
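A scripted version of the check above, added as an example (not code from the original post): it parses the output of firewall-cmd --get-active-zones and fails unless every trusted range is a source of the internal zone and the external interface sits in the drop zone. The two sample outputs are constructed here; the first mirrors the output shown above, the second is the typical failure where the interface was left in another zone, so the default zone never sees its traffic and services stay reachable from outside. The interface name en0 and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example: verify the active-zone layout described in the post.
set -eu

# zone_field OUTPUT ZONE FIELD: print the value of "FIELD:" (interfaces or
# sources) listed under ZONE in get-active-zones output; nothing if absent.
zone_field() {
    printf '%s\n' "$1" | awk -v zone="$2" -v field="$3:" '
        /^[^ \t]/ { cur = $1; next }           # unindented line = zone name
        cur == zone && $1 == field {
            $1 = ""; sub(/^[ \t]+/, ""); print  # drop the field label
        }'
}

# check_lockdown OUTPUT [EXPECTED_SOURCES] [IFACE]: succeed only if each
# expected range is a source of "internal" and IFACE is in "drop".
check_lockdown() {
    active=$1
    expected_sources=${2:-"192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"}
    iface=${3:-en0}

    internal_sources=$(zone_field "$active" internal sources)
    for net in $expected_sources; do
        case " $internal_sources " in
            *" $net "*) ;;
            *) echo "missing from internal zone sources: $net" >&2; return 1 ;;
        esac
    done

    drop_ifaces=$(zone_field "$active" drop interfaces)
    case " $drop_ifaces " in
        *" $iface "*) ;;
        *) echo "interface $iface is not in the drop zone" >&2; return 1 ;;
    esac
    return 0
}

# Constructed sample matching the output shown in the post.
SAMPLE_OK='drop
  interfaces: en0
internal
  sources: 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8'

# Constructed counter-example: en0 is still bound to "public", so the
# default zone never applies to it.
SAMPLE_LEAK='public
  interfaces: en0
internal
  sources: 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8'

# Check the live host when firewalld is present, otherwise the sample.
if command -v firewall-cmd >/dev/null 2>&1; then
    if check_lockdown "$(firewall-cmd --get-active-zones)"; then
        echo "active zones match the expected layout"
    else
        echo "active zones do NOT match the expected layout" >&2
    fi
else
    check_lockdown "$SAMPLE_OK" && echo "sample output: OK"
fi
```

Pass a different range list or interface name as the second and third arguments of check_lockdown to match your own setup.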
If you have issues with services still being accessible from the outside, try disabling NetworkManager for that specific interface.
You can edit the ifcfg-eth0 file and add:
NM_CONTROLLED=no