How can I configure firewalld to share a single interface with multiple zones?
CentOS 7
I have two zones (home and public). I'd like to allow SSH from my home but not from public.
[root@foobox ~]# firewall-cmd --list-all --zone=home
home (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources: 1.2.3.4
services: ssh https
ports: 12345/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@foobox~]# firewall-cmd --list-all --zone=public
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: https
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks: echo-reply
rich rules:
Since there's no interface or source associated with the public zone, I suspect that everything is matching home and using that.
I only have one interface and don't want to create a dual-homed setup... so how can I tell firewall-cmd "if the remote client is coming from 1.2.3.4 use the home zone... if it's any other remote source IP, use the public zone"?
I thought it might be as simple as just adding an interface but I get an error:
[root@foobox ~]# firewall-cmd --permanent --zone=public --add-interface=eth0
Error: ZONE_CONFLICT: eth0
centos firewalld
add a comment |
CentOS 7
I have two zones (home and public). I'd like to allow SSH from my home but not from public.
[root@foobox ~]# firewall-cmd --list-all --zone=home
home (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources: 1.2.3.4
services: ssh https
ports: 12345/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@foobox~]# firewall-cmd --list-all --zone=public
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: https
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks: echo-reply
rich rules:
Since there's no interface or source associated with the public zone, I suspect that everything is matching home and using that.
I only have one interface and don't want to create a dual-homed setup... so how can I tell firewall-cmd "if the remote client is coming from 1.2.3.4 use the home zone... if it's any other remote source IP, use the public zone"?
I thought it might be as simple as just adding an interface but I get an error:
[root@foobox ~]# firewall-cmd --permanent --zone=public --add-interface=eth0
Error: ZONE_CONFLICT: eth0
centos firewalld
Possibly related: Whitelist source IP addresses in CentOS 7
– fra-san
Feb 19 at 20:44
add a comment |
CentOS 7
I have two zones (home and public). I'd like to allow SSH from my home but not from public.
[root@foobox ~]# firewall-cmd --list-all --zone=home
home (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources: 1.2.3.4
services: ssh https
ports: 12345/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@foobox~]# firewall-cmd --list-all --zone=public
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: https
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks: echo-reply
rich rules:
Since there's no interface or source associated with the public zone, I suspect that everything is matching home and using that.
I only have one interface and don't want to create a dual-homed setup... so how can I tell firewall-cmd "if the remote client is coming from 1.2.3.4 use the home zone... if it's any other remote source IP, use the public zone"?
I thought it might be as simple as just adding an interface but I get an error:
[root@foobox ~]# firewall-cmd --permanent --zone=public --add-interface=eth0
Error: ZONE_CONFLICT: eth0
centos firewalld
CentOS 7
I have two zones (home and public). I'd like to allow SSH from my home but not from public.
[root@foobox ~]# firewall-cmd --list-all --zone=home
home (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources: 1.2.3.4
services: ssh https
ports: 12345/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@foobox~]# firewall-cmd --list-all --zone=public
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: https
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks: echo-reply
rich rules:
Since there's no interface or source associated with the public zone, I suspect that everything is matching home and using that.
I only have one interface and don't want to create a dual-homed setup... so how can I tell firewall-cmd "if the remote client is coming from 1.2.3.4 use the home zone... if it's any other remote source IP, use the public zone"?
I thought it might be as simple as just adding an interface but I get an error:
[root@foobox ~]# firewall-cmd --permanent --zone=public --add-interface=eth0
Error: ZONE_CONFLICT: eth0
centos firewalld
centos firewalld
asked Jul 26 '18 at 15:18
Mike BMike B
3,239195577
3,239195577
Possibly related: Whitelist source IP addresses in CentOS 7
– fra-san
Feb 19 at 20:44
add a comment |
Possibly related: Whitelist source IP addresses in CentOS 7
– fra-san
Feb 19 at 20:44
Possibly related: Whitelist source IP addresses in CentOS 7
– fra-san
Feb 19 at 20:44
Possibly related: Whitelist source IP addresses in CentOS 7
– fra-san
Feb 19 at 20:44
add a comment |
1 Answer
1
active
oldest
votes
I only have one interface
Since there's no interface or source associated with the public zone, I suspect that everything is matching home and using that.
Yes.
I thought it might be as simple as just adding an interface but I get an error
Remove the eth0 interface from the home zone. Then you will be able to add it to the public zone, without any error.
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f458637%2fhow-can-i-configure-firewalld-to-share-a-single-interface-with-multiple-zones%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
I only have one interface
Since there's no interface or source associated with the public zone, I suspect that everything is matching home and using that.
Yes.
I thought it might be as simple as just adding an interface but I get an error
Remove the eth0 interface from the home zone. Then you will be able to add it to the public zone, without any error.
add a comment |
I only have one interface
Since there's no interface or source associated with the public zone, I suspect that everything is matching home and using that.
Yes.
I thought it might be as simple as just adding an interface but I get an error
Remove the eth0 interface from the home zone. Then you will be able to add it to the public zone, without any error.
add a comment |
I only have one interface
Since there's no interface or source associated with the public zone, I suspect that everything is matching home and using that.
Yes.
I thought it might be as simple as just adding an interface but I get an error
Remove the eth0 interface from the home zone. Then you will be able to add it to the public zone, without any error.
I only have one interface
Since there's no interface or source associated with the public zone, I suspect that everything is matching home and using that.
Yes.
I thought it might be as simple as just adding an interface but I get an error
Remove the eth0 interface from the home zone. Then you will be able to add it to the public zone, without any error.
answered Feb 19 at 18:46
sourcejedisourcejedi
24.8k441107
24.8k441107
add a comment |
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f458637%2fhow-can-i-configure-firewalld-to-share-a-single-interface-with-multiple-zones%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Possibly related: Whitelist source IP addresses in CentOS 7
– fra-san
Feb 19 at 20:44