How can I configure firewalld to share a single interface with multiple zones?












1















CentOS 7



I have two zones (home and public). I'd like to allow SSH from my home but not from public.



[root@foobox ~]# firewall-cmd --list-all --zone=home
home (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources: 1.2.3.4
services: ssh https
ports: 12345/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

[root@foobox~]# firewall-cmd --list-all --zone=public
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: https
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks: echo-reply
rich rules:


Since there's no interface or source associated with the public zone, I suspect that everything is matching home and using that.



I only have one interface and don't want to create a dual-homed setup... so how can I tell firewall-cmd "if the remote client is coming from 1.2.3.4 use the home zone... if it's any other remote source IP, use the public zone"?



I thought it might be as simple as just adding an interface but I get an error:



[root@foobox ~]# firewall-cmd --permanent --zone=public --add-interface=eth0
Error: ZONE_CONFLICT: eth0









share|improve this question























  • Possibly related: Whitelist source IP addresses in CentOS 7

    – fra-san
    Feb 19 at 20:44
















1















CentOS 7



I have two zones (home and public). I'd like to allow SSH from my home but not from public.



[root@foobox ~]# firewall-cmd --list-all --zone=home
home (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources: 1.2.3.4
services: ssh https
ports: 12345/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

[root@foobox~]# firewall-cmd --list-all --zone=public
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: https
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks: echo-reply
rich rules:


Since there's no interface or source associated with the public zone, I suspect that everything is matching home and using that.



I only have one interface and don't want to create a dual-homed setup... so how can I tell firewall-cmd "if the remote client is coming from 1.2.3.4 use the home zone... if it's any other remote source IP, use the public zone"?



I thought it might be as simple as just adding an interface but I get an error:



[root@foobox ~]# firewall-cmd --permanent --zone=public --add-interface=eth0
Error: ZONE_CONFLICT: eth0









share|improve this question























  • Possibly related: Whitelist source IP addresses in CentOS 7

    – fra-san
    Feb 19 at 20:44














1












1








1


0






CentOS 7



I have two zones (home and public). I'd like to allow SSH from my home but not from public.



[root@foobox ~]# firewall-cmd --list-all --zone=home
home (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources: 1.2.3.4
services: ssh https
ports: 12345/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

[root@foobox~]# firewall-cmd --list-all --zone=public
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: https
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks: echo-reply
rich rules:


Since there's no interface or source associated with the public zone, I suspect that everything is matching home and using that.



I only have one interface and don't want to create a dual-homed setup... so how can I tell firewall-cmd "if the remote client is coming from 1.2.3.4 use the home zone... if it's any other remote source IP, use the public zone"?



I thought it might be as simple as just adding an interface but I get an error:



[root@foobox ~]# firewall-cmd --permanent --zone=public --add-interface=eth0
Error: ZONE_CONFLICT: eth0









share|improve this question














CentOS 7



I have two zones (home and public). I'd like to allow SSH from my home but not from public.



[root@foobox ~]# firewall-cmd --list-all --zone=home
home (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources: 1.2.3.4
services: ssh https
ports: 12345/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

[root@foobox~]# firewall-cmd --list-all --zone=public
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: https
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks: echo-reply
rich rules:


Since there's no interface or source associated with the public zone, I suspect that everything is matching home and using that.



I only have one interface and don't want to create a dual-homed setup... so how can I tell firewall-cmd "if the remote client is coming from 1.2.3.4 use the home zone... if it's any other remote source IP, use the public zone"?



I thought it might be as simple as just adding an interface but I get an error:



[root@foobox ~]# firewall-cmd --permanent --zone=public --add-interface=eth0
Error: ZONE_CONFLICT: eth0






centos firewalld






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Jul 26 '18 at 15:18









Mike BMike B

3,239195577




3,239195577













  • Possibly related: Whitelist source IP addresses in CentOS 7

    – fra-san
    Feb 19 at 20:44



















  • Possibly related: Whitelist source IP addresses in CentOS 7

    – fra-san
    Feb 19 at 20:44

















Possibly related: Whitelist source IP addresses in CentOS 7

– fra-san
Feb 19 at 20:44





Possibly related: Whitelist source IP addresses in CentOS 7

– fra-san
Feb 19 at 20:44










1 Answer
1






active

oldest

votes


















0















I only have one interface



Since there's no interface or source associated with the public zone, I suspect that everything is matching home and using that.




Yes.




I thought it might be as simple as just adding an interface but I get an error




Remove the eth0 interface from the home zone. Then you will be able to add it to the public zone, without any error.






share|improve this answer























    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "106"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f458637%2fhow-can-i-configure-firewalld-to-share-a-single-interface-with-multiple-zones%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0















    I only have one interface



    Since there's no interface or source associated with the public zone, I suspect that everything is matching home and using that.




    Yes.




    I thought it might be as simple as just adding an interface but I get an error




    Remove the eth0 interface from the home zone. Then you will be able to add it to the public zone, without any error.






    share|improve this answer




























      0















      I only have one interface



      Since there's no interface or source associated with the public zone, I suspect that everything is matching home and using that.




      Yes.




      I thought it might be as simple as just adding an interface but I get an error




      Remove the eth0 interface from the home zone. Then you will be able to add it to the public zone, without any error.






      share|improve this answer


























        0












        0








        0








        I only have one interface



        Since there's no interface or source associated with the public zone, I suspect that everything is matching home and using that.




        Yes.




        I thought it might be as simple as just adding an interface but I get an error




        Remove the eth0 interface from the home zone. Then you will be able to add it to the public zone, without any error.






        share|improve this answer














        I only have one interface



        Since there's no interface or source associated with the public zone, I suspect that everything is matching home and using that.




        Yes.




        I thought it might be as simple as just adding an interface but I get an error




        Remove the eth0 interface from the home zone. Then you will be able to add it to the public zone, without any error.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Feb 19 at 18:46









        sourcejedisourcejedi

        24.8k441107




        24.8k441107






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Unix & Linux Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f458637%2fhow-can-i-configure-firewalld-to-share-a-single-interface-with-multiple-zones%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            How to make a Squid Proxy server?

            Is this a new Fibonacci Identity?

            19世紀