
Thread: 20.04LTS: Firewalld, default zone set to block SSH, but doesn't

  1. #1

    Question 20.04LTS: Firewalld, default zone set to block SSH, but doesn't

    So as the title suggests.. I'm working on configuring firewalld for a work server. I want to allow SSH and SNMP from one specific host, and from some subnets, but allow HTTPS from anywhere, on a server with one network interface.

    At first I went with two custom zones: the first with 'source addresses' specified, and the services 'ssh' and 'snmp' only; the second zone with 0.0.0.0/0 HTTPS.. and neither with the interface added (assuming both would use the system default).
    Well turns out I was still SSHing from hosts outside the allowed sources.

    So under the guidance of another random youtuber I went to 1 zone, 'work_int', and here's its current config:

    Code:
    work_int (active)
      target: ACCEPT
      icmp-block-inversion: no
      interfaces: ens192
      sources:
      services:
      ports:
      protocols:
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:
    	rule family="ipv4" source address="0.0.0.0/0" service name="https" log prefix="HTTPS-FLS" level="info" accept
    	rule family="ipv4" source address="10.100.160.57/32" port port="22" protocol="tcp" log prefix="SSH Access" level="info" accept
    	rule family="ipv4" source address="10.211.55.0/24" port port="22" protocol="tcp" log prefix="SSH Access Blocked" level="warning" reject
    Now to be honest I'm struggling here because I can still SSH from a host with an address of 10.211.55.23.. well that's not the struggle. The struggle is understanding if I should say Deny or Reject everything at the Target level or not. I'm really, very lost by now.. I've read so many 'configuring firewalld' articles and seen so many videos that I'm completely turned around.

    After reading another question in here I went looking directly at iptables and WOW!! Just like ufw, fwD creates a ton of noise rules:

    Code:
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
     6930 1309K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED,DNAT
      333 25925 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
      211 35416 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
      211 35416 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: "
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "FINAL_REJECT: "
        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED,DNAT
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
        0     0 FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 FORWARD_IN_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 FORWARD_OUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: "
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "FINAL_REJECT: "
        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    
    
    Chain OUTPUT (policy ACCEPT 7052 packets, 1109K bytes)
     pkts bytes target     prot opt in     out     source               destination
      982 98307 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
     7052 1109K OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    
    Chain FORWARD_IN_ZONES (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 FWDI_work_int  all  --  ens192 *       0.0.0.0/0            0.0.0.0/0           [goto]
        0     0 FWDI_work_int  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto]
    
    
    Chain FORWARD_OUT_ZONES (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 FWDO_work_int  all  --  *      ens192  0.0.0.0/0            0.0.0.0/0           [goto]
        0     0 FWDO_work_int  all  --  *      +       0.0.0.0/0            0.0.0.0/0           [goto]
    
    
    Chain FORWARD_direct (1 references)
     pkts bytes target     prot opt in     out     source               destination
    
    
    Chain FWDI_work_int (2 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 FWDI_work_int_pre  all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 FWDI_work_int_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 FWDI_work_int_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 FWDI_work_int_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 FWDI_work_int_post  all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    
    Chain FWDI_work_int_allow (1 references)
     pkts bytes target     prot opt in     out     source               destination
    
    
    Chain FWDI_work_int_deny (1 references)
     pkts bytes target     prot opt in     out     source               destination
    
    
    Chain FWDI_work_int_log (1 references)
     pkts bytes target     prot opt in     out     source               destination
    
    
    Chain FWDI_work_int_post (1 references)
     pkts bytes target     prot opt in     out     source               destination
    
    
    Chain FWDI_work_int_pre (1 references)
     pkts bytes target     prot opt in     out     source               destination
    
    
    Chain FWDO_work_int (2 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 FWDO_work_int_pre  all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 FWDO_work_int_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 FWDO_work_int_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 FWDO_work_int_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 FWDO_work_int_post  all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    
    Chain FWDO_work_int_allow (1 references)
     pkts bytes target     prot opt in     out     source               destination
    
    
    Chain FWDO_work_int_deny (1 references)
     pkts bytes target     prot opt in     out     source               destination
    
    
    Chain FWDO_work_int_log (1 references)
     pkts bytes target     prot opt in     out     source               destination
    
    
    Chain FWDO_work_int_post (1 references)
     pkts bytes target     prot opt in     out     source               destination
    
    
    Chain FWDO_work_int_pre (1 references)
     pkts bytes target     prot opt in     out     source               destination
    
    
    Chain INPUT_ZONES (1 references)
     pkts bytes target     prot opt in     out     source               destination
      211 35416 IN_work_int  all  --  ens192 *       0.0.0.0/0            0.0.0.0/0           [goto]
        0     0 IN_work_int  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto]
    
    
    Chain INPUT_direct (1 references)
     pkts bytes target     prot opt in     out     source               destination
    
    
    Chain IN_work_int (2 references)
     pkts bytes target     prot opt in     out     source               destination
      211 35416 IN_work_int_pre  all  --  *      *       0.0.0.0/0            0.0.0.0/0
      211 35416 IN_work_int_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
      211 35416 IN_work_int_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
      211 35416 IN_work_int_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
      205 35056 IN_work_int_post  all  --  *      *       0.0.0.0/0            0.0.0.0/0
      205 35056 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    
    Chain IN_work_int_allow (1 references)
     pkts bytes target     prot opt in     out     source               destination
        6   360 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 ctstate NEW,UNTRACKED
        0     0 ACCEPT     tcp  --  *      *       10.100.160.57        0.0.0.0/0            tcp dpt:22 ctstate NEW,UNTRACKED
    
    
    Chain IN_work_int_deny (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 REJECT     tcp  --  *      *       10.211.55.0/24       0.0.0.0/0            tcp dpt:22 ctstate NEW,UNTRACKED reject-with icmp-port-unreachable
    
    
    Chain IN_work_int_log (1 references)
     pkts bytes target     prot opt in     out     source               destination
        6   360 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 ctstate NEW,UNTRACKED LOG flags 0 level 6 prefix "'HTTPS-FLS'"
        0     0 LOG        tcp  --  *      *       10.100.160.57        0.0.0.0/0            tcp dpt:22 ctstate NEW,UNTRACKED LOG flags 0 level 6 prefix "'SSH Access'"
        0     0 LOG        tcp  --  *      *       10.211.55.0/24       0.0.0.0/0            tcp dpt:22 ctstate NEW,UNTRACKED LOG flags 0 level 4 prefix "'SSH Access Blocked'"
    
    
    Chain IN_work_int_post (1 references)
     pkts bytes target     prot opt in     out     source               destination
    
    
    Chain IN_work_int_pre (1 references)
     pkts bytes target     prot opt in     out     source               destination
    
    
    Chain OUTPUT_direct (1 references)
     pkts bytes target     prot opt in     out     source               destination
    Thanks for any help!!

  2. #2

    Re: 20.04LTS: Firewalld, default zone set to block SSH, but doesn't

    Your iptables rule set listed contains a lot of stuff that I have never seen before.
    Regardless, based on the packet counters it never seems to hit your ssh deny rule, and therefore falls through to ACCEPT.

    Code:
     pkts bytes target     prot opt in     out     source               destination
      211 35416 IN_work_int_pre  all  --  *      *       0.0.0.0/0            0.0.0.0/0
      211 35416 IN_work_int_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
      211 35416 IN_work_int_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
      211 35416 IN_work_int_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
      205 35056 IN_work_int_post  all  --  *      *       0.0.0.0/0            0.0.0.0/0
      205 35056 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    
    Chain IN_work_int_allow (1 references)
     pkts bytes target     prot opt in     out     source               destination
        6   360 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 ctstate NEW,UNTRACKED
        0     0 ACCEPT     tcp  --  *      *       10.100.160.57        0.0.0.0/0            tcp dpt:22 ctstate NEW,UNTRACKED
    
    
    Chain IN_work_int_deny (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 REJECT     tcp  --  *      *       10.211.55.0/24       0.0.0.0/0            tcp dpt:22 ctstate NEW,UNTRACKED reject-with icmp-port-unreachable
    From this I would guess that your client's IP address is not actually 10.211.55.23. Might your client computer IP be NAT'd somewhere between it and the server? i.e. does it traverse a router?

    Oh, on the subject of "DROP" or "REJECT": That subject is an old one and people have differing opinions. I "DROP".
    Any follow-up information on your issue would be appreciated. Please have the courtesy to report back.

  3. #3

    Re: 20.04LTS: Firewalld, default zone set to block SSH, but doesn't

    Thanks Doug! So honestly I played a bit with UFW before I decided to go the FwD route. Would it be helpful to blow away all of this and start over fresh?

    So about the 10.211 host.. you were right. I was overlooking the VPN IP on this guy. It's a local Parallels Win10 guest and I guess I just glossed over the correct address, but that makes me think now. Why was it accepted when I'm trying to block everything except the 10.100.160.57 host? Do I need to set the target for this zone to Drop/Reject?

  4. #4

    Re: 20.04LTS: Firewalld, default zone set to block SSH, but doesn't

    So correcting the IP of my test guest worked! It was dropped and the connection request timed out. So this is awesome! Now.. in one of the videos I watched the guy said that if there were no services added to a zone.. and no source address entries, and no ports, no protocols, etc., that means the zone would not respond to any requests. So that's why I listed none, but instead went for the rich rules.

  5. #5

    Re: 20.04LTS: Firewalld, default zone set to block SSH, but doesn't

    Quote Originally Posted by Roccor
    So honestly I played a bit with UFW before I decided to go the FwD route. Would it be helpful to blow away all of this and start over fresh?
    I don't know what to say. I prefer iptables directly myself, and find the various front ends, well, annoying. However, many like ufw or firewalld.

    Quote Originally Posted by Roccor
    So about the 10.211 host.. you were right. I was overlooking the VPN ip on this guy. It's a local parallels Win10 guest and I guess I just glossed over the correct address, but that makes me think now. Why was it accepted when I'm trying to block everything except the 10.100.160.57 host? Do I need to set the target for this zone to Drop/Reject?
    Then your rule should be 0.0.0.0/0, instead of 10.211.55.0/24. The previous ACCEPT rule will still allow 10.100.160.57/32, but thereafter anything else to port 22 gets blocked.
    Any follow-up information on your issue would be appreciated. Please have the courtesy to report back.

  6. #6

    Re: 20.04LTS: Firewalld, default zone set to block SSH, but doesn't

    Morning Doug! Thanks for staying with me so far. So late last night after I got the single zone to work I moved to checking LogicMonitor to verify it could still access this server. I'll admit.. I got anxious and fell down a rabbit hole on whether or not I should have multiple zones for this scenario. Since I have the single working zone documented I blew it up and created another HTTPS focused zone. Moved the HTTPS service to it, and created a pair of ipsets to handle both it and the large number of SSH subnets I needed to allow.
    So right now I've got the work_int zone without a set interface but with the source ipset:ssh_allowed.
    Then the second zone, A_jetbrains, also without an interface but with source 0.0.0.0/0. (I read how possibly the naming of the zone can affect their processing order, hence the 'A_'.)

    Code:
    work_int (active)
      target: DROP
      icmp-block-inversion: no
      interfaces:
      sources: ipset:ssh_allowed
      services:
      ports:
      protocols:
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:
        rule family="ipv4" source address="10.100.160.57/32" port port="22" protocol="tcp" log prefix="SSH Access" level="info" accept
        rule source ipset="ssh_allowed" service name="ssh" log prefix="SSH Access" level="info" accept
    Code:
    A_jetbrains (active)
      target: ACCEPT
      icmp-block-inversion: no
      interfaces:
      sources: 0.0.0.0/0
      services: https
      ports:
      protocols:
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:
    Except now, I'm allowed to SSH from my Parallels guest again. If I was matching on A_jetbrains, SSH should not be allowed because the only service is HTTPS. Then on work_int.. only the ipset and the one .57 host should be allowed to SSH. So I guess I'm back to square one.
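    To make the zone-selection and chain-order behaviour visible, here is an added model (my example, not code from the thread or from firewalld itself) that mirrors what the iptables dump in post #1 shows: INPUT_ZONES picks a zone by matching source first, then by ingress interface, then the default zone, and inside the zone the _log, _deny and _allow chains run before the zone target. It replays the single-zone config from post #1 and the two-zone config from post #6; the client address 10.8.0.5, the ssh_allowed ipset members and the zone ordering are constructed assumptions.

```python
import copy
import ipaddress

# Constructed model of firewalld's iptables rendering as seen in the thread's dump
# (not firewalld's own code). Zone selection follows INPUT_ZONES: zones bound to a
# matching source come first, then the zone bound to the ingress interface, then
# the default zone. Inside a zone the chain order is pre, log, deny, allow, post,
# then the zone target; target "default" ends in the FINAL_REJECT rule.

SERVICE_PORTS = {"ssh": 22, "https": 443, "snmp": 161}


def ip_in(src, cidr):
    return ipaddress.ip_address(src) in ipaddress.ip_network(cidr, strict=False)


def source_matches(src, source, ipsets):
    """A source is a CIDR or 'ipset:NAME'; ipset members are looked up in ipsets."""
    if source.startswith("ipset:"):
        return any(ip_in(src, member) for member in ipsets.get(source[6:], []))
    return ip_in(src, source)


def select_zone(config, src, iface):
    zones, ipsets = config["zones"], config["ipsets"]
    for z in zones:  # source-bound zones (match-set / -s rules) are tried first
        if any(source_matches(src, s, ipsets) for s in z["sources"]):
            return z
    for z in zones:  # then the zone bound to the ingress interface
        if iface in z["interfaces"]:
            return z
    return next(z for z in zones if z["name"] == config["default_zone"])


def evaluate_zone(zone, ipsets, src, dport):
    rich = zone["rich_rules"]
    # IN_<zone>_deny: reject/drop rich rules run before any accept rule
    for r in rich:
        if r["action"] in ("reject", "drop") and r["port"] == dport \
                and source_matches(src, r["source"], ipsets):
            return r["action"].upper()
    # IN_<zone>_allow: zone services and accepting rich rules
    if any(SERVICE_PORTS[s] == dport for s in zone["services"]):
        return "ACCEPT"
    for r in rich:
        if r["action"] == "accept" and r["port"] == dport \
                and source_matches(src, r["source"], ipsets):
            return "ACCEPT"
    # nothing matched: the zone target decides
    return "REJECT" if zone["target"] == "default" else zone["target"]


def decide(config, src, iface, dport):
    """Return (zone name, verdict) for a new inbound TCP connection."""
    zone = select_zone(config, src, iface)
    return zone["name"], evaluate_zone(zone, config["ipsets"], src, dport)


def rule(action, source, port):
    return {"action": action, "source": source, "port": port}


def make_zone(name, target, interfaces=(), sources=(), services=(), rich_rules=()):
    return {"name": name, "target": target, "interfaces": list(interfaces),
            "sources": list(sources), "services": list(services),
            "rich_rules": list(rich_rules)}


# Post #1: a single zone with target ACCEPT bound to ens192.
POST1 = {"default_zone": "work_int", "ipsets": {}, "zones": [
    make_zone("work_int", "ACCEPT", interfaces=["ens192"], rich_rules=[
        rule("accept", "0.0.0.0/0", 443),
        rule("accept", "10.100.160.57/32", 22),
        rule("reject", "10.211.55.0/24", 22)])]}

# Post #6: ipset-bound work_int (DROP) next to a catch-all A_jetbrains (ACCEPT).
# The ipset membership is a constructed placeholder.
POST6 = {"default_zone": "public", "ipsets": {"ssh_allowed": ["10.100.160.0/24"]},
         "zones": [
    make_zone("work_int", "DROP", sources=["ipset:ssh_allowed"], rich_rules=[
        rule("accept", "10.100.160.57/32", 22),
        rule("accept", "ipset:ssh_allowed", 22)]),
    make_zone("A_jetbrains", "ACCEPT", sources=["0.0.0.0/0"], services=["https"]),
    make_zone("public", "default")]}


def hardened(config):
    """Same zones, but no zone keeps target ACCEPT, so unmatched traffic is rejected."""
    fixed = copy.deepcopy(config)
    for z in fixed["zones"]:
        if z["target"] == "ACCEPT":
            z["target"] = "default"
    return fixed


if __name__ == "__main__":
    client = "10.8.0.5"  # constructed stand-in for the guest's VPN address
    for label, cfg in [("post #1", POST1), ("post #1 hardened", hardened(POST1)),
                       ("post #6", POST6), ("post #6 hardened", hardened(POST6))]:
        print(label, "ssh from", client, "->", decide(cfg, client, "ens192", 22))
```

    Both configs let the unknown client in for the same reason: it lands in a zone whose target is ACCEPT, so anything no rule explicitly rejects is accepted, while hardened() turns those targets back to default and the packet ends in FINAL_REJECT. Note also that a catch-all reject rich rule is rendered into the _deny chain ahead of _allow, so without rich-rule priorities it would block the 10.100.160.57 accept rule too, and that a source in the ssh_allowed ipset is routed to work_int for every port, so that zone would also need https to reach the web service.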

  7. #7

    Re: 20.04LTS: Firewalld, default zone set to block SSH, but doesn't

    I cannot help with, I assume, the Firewalld rules you have listed. I only know iptables, and struggle with front-end-program (UFW, Firewalld) generated iptables rule sets. If you post the resulting iptables rule set via "sudo iptables -xvnL", I'll have a look.
    Last edited by Doug S; October 14th, 2021 at 03:11 PM.
    Any follow-up information on your issue would be appreciated. Please have the courtesy to report back.

  8. #8

    Re: 20.04LTS: Firewalld, default zone set to block SSH, but doesn't

    Hey Doug.. Understood (and continued thanks!). So because my boss will likely ask me about dividing the three main "uses" into their own zones, I've come up with this:


    So here's a hideously long looking iptables dump:

    Code:
    sudo iptables -xvnL
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
        pkts      bytes target     prot opt in     out     source               destination
        3906   947307 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED,DNAT
         240    16454 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
         116    13440 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
         116    13440 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: "
           0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
           7      420 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "FINAL_REJECT: "
           7      420 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
        pkts      bytes target     prot opt in     out     source               destination
           0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED,DNAT
           0        0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
           0        0 FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 FORWARD_IN_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 FORWARD_OUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: "
           0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
           0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "FINAL_REJECT: "
           0        0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    
    
    Chain OUTPUT (policy ACCEPT 2663 packets, 505008 bytes)
        pkts      bytes target     prot opt in     out     source               destination
        1604   346249 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
        2663   505008 OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    
    Chain FORWARD_IN_ZONES (1 references)
        pkts      bytes target     prot opt in     out     source               destination
           0        0 FWDI_work_ssh  all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  match-set ssh_allowed src
           0        0 FWDI_lmc   all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  match-set lmclnx src
           0        0 FWDI_a_jetbrains  all  --  ens192 *       0.0.0.0/0            0.0.0.0/0           [goto]
           0        0 FWDI_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto]
    
    
    Chain FORWARD_OUT_ZONES (1 references)
        pkts      bytes target     prot opt in     out     source               destination
           0        0 FWDO_work_ssh  all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  match-set ssh_allowed dst
           0        0 FWDO_lmc   all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  match-set lmclnx dst
           0        0 FWDO_a_jetbrains  all  --  *      ens192  0.0.0.0/0            0.0.0.0/0           [goto]
           0        0 FWDO_public  all  --  *      +       0.0.0.0/0            0.0.0.0/0           [goto]
    
    
    Chain FORWARD_direct (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDI_a_jetbrains (1 references)
        pkts      bytes target     prot opt in     out     source               destination
           0        0 FWDI_a_jetbrains_pre  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 FWDI_a_jetbrains_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 FWDI_a_jetbrains_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 FWDI_a_jetbrains_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 FWDI_a_jetbrains_post  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    
    Chain FWDI_a_jetbrains_allow (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDI_a_jetbrains_deny (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDI_a_jetbrains_log (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDI_a_jetbrains_post (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDI_a_jetbrains_pre (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDI_work_ssh (1 references)
        pkts      bytes target     prot opt in     out     source               destination
           0        0 FWDI_work_ssh_pre  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 FWDI_work_ssh_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 FWDI_work_ssh_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 FWDI_work_ssh_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 FWDI_work_ssh_post  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "FWDI_work_ssh_DROP: "
           0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    
    Chain FWDI_work_ssh_allow (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDI_work_ssh_deny (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDI_work_ssh_log (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDI_work_ssh_post (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDI_work_ssh_pre (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDI_lmc (1 references)
        pkts      bytes target     prot opt in     out     source               destination
           0        0 FWDI_lmc_pre  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 FWDI_lmc_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 FWDI_lmc_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 FWDI_lmc_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 FWDI_lmc_post  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    
    
    Chain FWDI_lmc_allow (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDI_lmc_deny (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDI_lmc_log (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDI_lmc_post (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDI_lmc_pre (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDI_public (1 references)
        pkts      bytes target     prot opt in     out     source               destination
           0        0 FWDI_public_pre  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 FWDI_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 FWDI_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 FWDI_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 FWDI_public_post  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    
    
    Chain FWDI_public_allow (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDI_public_deny (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDI_public_log (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDI_public_post (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDI_public_pre (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDO_a_jetbrains (1 references)
        pkts      bytes target     prot opt in     out     source               destination
           0        0 FWDO_a_jetbrains_pre  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 FWDO_a_jetbrains_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 FWDO_a_jetbrains_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 FWDO_a_jetbrains_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 FWDO_a_jetbrains_post  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    
    Chain FWDO_a_jetbrains_allow (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDO_a_jetbrains_deny (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDO_a_jetbrains_log (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDO_a_jetbrains_post (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDO_a_jetbrains_pre (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDO_work_ssh (1 references)
        pkts      bytes target     prot opt in     out     source               destination
           0        0 FWDO_work_ssh_pre  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 FWDO_work_ssh_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 FWDO_work_ssh_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 FWDO_work_ssh_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 FWDO_work_ssh_post  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "FWDO_work_ssh_DROP: "
           0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    
    Chain FWDO_work_ssh_allow (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDO_work_ssh_deny (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDO_work_ssh_log (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDO_work_ssh_post (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDO_work_ssh_pre (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDO_lmc (1 references)
        pkts      bytes target     prot opt in     out     source               destination
           0        0 FWDO_lmc_pre  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 FWDO_lmc_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 FWDO_lmc_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 FWDO_lmc_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 FWDO_lmc_post  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    
    Chain FWDO_lmc_allow (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDO_lmc_deny (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDO_lmc_log (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDO_lmc_post (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDO_lmc_pre (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDO_public (1 references)
        pkts      bytes target     prot opt in     out     source               destination
           0        0 FWDO_public_pre  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 FWDO_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 FWDO_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 FWDO_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 FWDO_public_post  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    
    Chain FWDO_public_allow (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDO_public_deny (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDO_public_log (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDO_public_post (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain FWDO_public_pre (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain INPUT_ZONES (1 references)
        pkts      bytes target     prot opt in     out     source               destination
          32     1680 IN_work_ssh  all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  match-set ssh_allowed src
          19     1392 IN_lmc     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  match-set lmclnx src
          65    10368 IN_a_jetbrains  all  --  ens192 *       0.0.0.0/0            0.0.0.0/0           [goto]
           0        0 IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto]
    
    
    Chain INPUT_direct (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain IN_a_jetbrains (1 references)
        pkts      bytes target     prot opt in     out     source               destination
          65    10368 IN_a_jetbrains_pre  all  --  *      *       0.0.0.0/0            0.0.0.0/0
          65    10368 IN_a_jetbrains_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
          65    10368 IN_a_jetbrains_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
          57     9956 IN_a_jetbrains_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
          54     9768 IN_a_jetbrains_post  all  --  *      *       0.0.0.0/0            0.0.0.0/0
          54     9768 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    
    Chain IN_a_jetbrains_allow (1 references)
        pkts      bytes target     prot opt in     out     source               destination
           3      188 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 ctstate NEW,UNTRACKED
           0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 ctstate NEW,UNTRACKED
    
    
    Chain IN_a_jetbrains_deny (1 references)
        pkts      bytes target     prot opt in     out     source               destination
           8      412 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW,UNTRACKED
    
    
    Chain IN_a_jetbrains_log (1 references)
        pkts      bytes target     prot opt in     out     source               destination
           8      412 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW,UNTRACKED LOG flags 0 level 6 prefix "'SSH Blocked'"
           3      188 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 ctstate NEW,UNTRACKED LOG flags 0 level 6 prefix "'HTTPS Access'"
    
    
    Chain IN_a_jetbrains_post (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain IN_a_jetbrains_pre (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain IN_work_ssh (1 references)
        pkts      bytes target     prot opt in     out     source               destination
          32     1680 IN_work_ssh_pre  all  --  *      *       0.0.0.0/0            0.0.0.0/0
          32     1680 IN_work_ssh_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
          32     1680 IN_work_ssh_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
          32     1680 IN_work_ssh_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
          30     1560 IN_work_ssh_post  all  --  *      *       0.0.0.0/0            0.0.0.0/0
          30     1560 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "IN_work_ssh_DROP: "
          30     1560 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    
    Chain IN_work_ssh_allow (1 references)
        pkts      bytes target     prot opt in     out     source               destination
           0        0 ACCEPT     tcp  --  *      *       10.100.160.57        0.0.0.0/0            tcp dpt:22 ctstate NEW,UNTRACKED
           2      120 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 match-set ssh_allowed src ctstate NEW,UNTRACKED
    
    
    Chain IN_work_ssh_deny (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain IN_work_ssh_log (1 references)
        pkts      bytes target     prot opt in     out     source               destination
           0        0 LOG        tcp  --  *      *       10.100.160.57        0.0.0.0/0            tcp dpt:22 ctstate NEW,UNTRACKED LOG flags 0 level 6 prefix "'SSH Access'"
           2      120 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 match-set ssh_allowed src ctstate NEW,UNTRACKED LOG flags 0 level 6 prefix "'SSH Access'"
    
    
    Chain IN_work_ssh_post (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain IN_work_ssh_pre (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain IN_lmc (1 references)
        pkts      bytes target     prot opt in     out     source               destination
          19     1392 IN_lmc_pre  all  --  *      *       0.0.0.0/0            0.0.0.0/0
          19     1392 IN_lmc_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
          19     1392 IN_lmc_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
          19     1392 IN_lmc_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
          17     1044 IN_lmc_post  all  --  *      *       0.0.0.0/0            0.0.0.0/0
          10      624 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    
    
    Chain IN_lmc_allow (1 references)
        pkts      bytes target     prot opt in     out     source               destination
           0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:161 ctstate NEW,UNTRACKED
           2      348 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:161 ctstate NEW,UNTRACKED
           0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:161 ctstate NEW,UNTRACKED
           0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:161 ctstate NEW,UNTRACKED
    
    
    Chain IN_lmc_deny (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain IN_lmc_log (1 references)
        pkts      bytes target     prot opt in     out     source               destination
           0        0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:161 ctstate NEW,UNTRACKED LOG flags 0 level 6 prefix "'SNMP Access (LMC)'"
           2      348 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:161 ctstate NEW,UNTRACKED LOG flags 0 level 6 prefix "'SNMP Access (LMC)'"
    
    
    Chain IN_lmc_post (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain IN_lmc_pre (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain IN_public (1 references)
        pkts      bytes target     prot opt in     out     source               destination
           0        0 IN_public_pre  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 IN_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 IN_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 IN_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 IN_public_post  all  --  *      *       0.0.0.0/0            0.0.0.0/0
           0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    
    
    Chain IN_public_allow (1 references)
        pkts      bytes target     prot opt in     out     source               destination
           0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW,UNTRACKED
    
    
    Chain IN_public_deny (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain IN_public_log (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain IN_public_post (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain IN_public_pre (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    
    
    Chain OUTPUT_direct (1 references)
        pkts      bytes target     prot opt in     out     source               destination
    So this seems to do everything I need save one thing..

    Code:
    dmesg -T | grep -i SSH
    [Thu Oct 14 10:14:58 2021] 'SSH Access'IN=ens192 OUT= MAC=00:50:56:a0:56:17:90:77:ee:5b:b1:ff:08:00 SRC=10.103.160.180 DST=10.100.160.23 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=16375 DF PROTO=TCP SPT=49310 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
    [Thu Oct 14 10:15:03 2021] IN_work_ssh_DROP: IN=ens192 OUT= MAC=00:50:56:a0:56:17:90:77:ee:5b:b1:ff:08:00 SRC=10.101.160.180 DST=10.100.160.23 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=41662 DF PROTO=TCP SPT=43188 DPT=22 WINDOW=501 RES=0x00 ACK FIN URGP=0
    Both of those hosts are in the ipset: SSH_Allowed

    Code:
    <?xml version="1.0" encoding="utf-8"?>
    <ipset type="hash:ip">
      <entry>10.100.160.176/29</entry>
      <entry>10.100.160.216/29</entry>
      <entry>10.101.160.176/29</entry>
      <entry>10.101.160.216/29</entry>
      <entry>10.103.160.176/29</entry>
      <entry>10.103.160.216/29</entry>
      <entry>10.30.160.176/29</entry>
      <entry>10.30.160.216/29</entry>
      <entry>10.122.160.176/29</entry>
      <entry>10.122.160.216/29</entry>
      <entry>10.121.160.176/29</entry>
      <entry>10.121.160.216/29</entry>
      <entry>10.25.160.176/29</entry>
      <entry>10.25.160.216/29</entry>
      <entry>10.180.160.176/29</entry>
      <entry>10.180.160.216/29</entry>
      <entry>10.144.160.176/29</entry>
      <entry>10.144.160.216/29</entry>
    </ipset>

    Except when I try SSHing again.. right now.. before clicking on 'submit reply', the dmesg entries are all allowed and the log prefix is 'SSH ACCESS', so I'm not sure what happened. Sorry for how big this post is.
    Last edited by Roccor; October 14th, 2021 at 04:28 PM.

  9. #9
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    3,083
    Distro
    Ubuntu Development Release

    Re: 20.04LTS: Firewalld, default zone set to block SSH, but doesn't

    Quote Originally Posted by Roccor View Post
    So this seems to do everything I need save one thing..

    Code:
    dmesg -T | grep -i SSH
    [Thu Oct 14 10:14:58 2021] 'SSH Access'IN=ens192 OUT= MAC=00:50:56:a0:56:17:90:77:ee:5b:b1:ff:08:00 SRC=10.103.160.180 DST=10.100.160.23 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=16375 DF PROTO=TCP SPT=49310 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
    [Thu Oct 14 10:15:03 2021] IN_work_ssh_DROP: IN=ens192 OUT= MAC=00:50:56:a0:56:17:90:77:ee:5b:b1:ff:08:00 SRC=10.101.160.180 DST=10.100.160.23 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=41662 DF PROTO=TCP SPT=43188 DPT=22 WINDOW=501 RES=0x00 ACK FIN URGP=0
    Both of those hosts are in the ipset: SSH_Allowed
    Yes, I do not see a problem. The first entry is just saying that the 10.103.160.180:49310 session create SYN packet was allowed, as expected.

    O.K., the second entry might have been misleading. Linux uses a half-duplex session termination sequence, as opposed to full-duplex. Meaning, it is possible that something in the chain of events might have closed and forgotten about the session prior to something else involved. The trick is to look at the TCP flags in the log entry, in this case "ACK FIN", which is related to session termination cleanup, so the log entry is actually O.K. and not a worry; the 10.100.160.23:43188 session was actually just fine.

    Quote Originally Posted by Roccor View Post
    Except when I try SSHing again.. right now.. before clicking on 'submit reply', the dmesg entries are all allowed and the log prefix is 'SSH ACCESS', so I'm not sure what happened. Sorry for how big this post is.
    I'm not following. Are you saying SSH sessions that should have been blocked were allowed? If yes, please give some example log entries.
    Any follow-up information on your issue would be appreciated. Please have the courtesy to report back.
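    The two dmesg lines quoted above, parsed and triaged the way Doug describes (look at the TCP flags before treating a DROP log as a blocked login), as an added Python example that is not from the thread or from firewalld itself. It assumes the kernel LOG target format shown in the post and the prefixes used in this thread ('SSH Access' from the accept rich rule, IN_work_ssh_DROP from the zone's default drop); the allow-list is copied from the SSH_Allowed ipset posted above. The third sample line, from 10.211.55.23, is constructed to show what a genuinely blocked connection attempt (a dropped SYN from a host outside the ipset) looks like next to the teardown noise.

```python
"""Triage firewalld/iptables LOG lines for SSH (added example, not from the thread)."""
import ipaddress
import re
from dataclasses import dataclass

# Copied from the SSH_Allowed ipset posted in the thread.
SSH_ALLOWED = [ipaddress.ip_network(n) for n in (
    "10.100.160.176/29", "10.100.160.216/29", "10.101.160.176/29", "10.101.160.216/29",
    "10.103.160.176/29", "10.103.160.216/29", "10.30.160.176/29", "10.30.160.216/29",
    "10.122.160.176/29", "10.122.160.216/29", "10.121.160.176/29", "10.121.160.216/29",
    "10.25.160.176/29", "10.25.160.216/29", "10.180.160.176/29", "10.180.160.216/29",
    "10.144.160.176/29", "10.144.160.216/29",
)]

# Bare tokens the LOG target emits for TCP header flags (DF/MF are IP flags, ignored).
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

# `dmesg -T` timestamp, then the log prefix (which may have no trailing space), then IN=...
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s*(?P<prefix>.*?)IN=(?P<rest>.*)$")


@dataclass
class LogEntry:
    ts: str
    prefix: str      # log prefix with quotes and trailing ':' stripped
    fields: dict     # key=value pairs such as SRC, DST, PROTO, SPT, DPT
    flags: set       # TCP flags present on the packet


def parse_log_line(line: str) -> LogEntry:
    """Parse one `dmesg -T` line written by the iptables LOG target."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a netfilter LOG line: {line!r}")
    fields, flags = {}, set()
    for tok in ("IN=" + m.group("rest")).split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
        elif tok in TCP_FLAGS:
            flags.add(tok)
    prefix = m.group("prefix").strip().strip("'").rstrip(":")
    return LogEntry(m.group("ts"), prefix, fields, flags)


def classify(entry: LogEntry, allowed=SSH_ALLOWED) -> str:
    """Say what a logged port-22 packet means, following the reasoning in the thread."""
    if entry.fields.get("PROTO") != "TCP" or entry.fields.get("DPT") != "22":
        return "not-ssh"
    src = ipaddress.ip_address(entry.fields["SRC"])
    src_allowed = any(src in net for net in allowed)
    # Prefixes on this page that mean the packet was dropped/rejected: the zone's
    # default "<chain>_DROP" log and the "... Blocked" rich-rule prefix.
    dropped = entry.prefix.endswith("_DROP") or "Blocked" in entry.prefix
    if not dropped:
        return "accepted"                       # logged by the accept rich rule
    if "SYN" in entry.flags and "ACK" not in entry.flags:
        # A dropped bare SYN is a real blocked connection attempt. If the source is
        # in the allow-list, the rule order or ipset binding needs a second look.
        return ("blocked-new-connection-from-allowed-source" if src_allowed
                else "blocked-new-connection")
    if entry.flags & {"FIN", "RST"}:
        # ACK FIN / RST after conntrack already forgot the session: teardown noise.
        return "teardown-noise"
    return "dropped-mid-stream"


def triage(log_text: str) -> list:
    """Return (source address, verdict) for every LOG line in the text."""
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_log_line(line)
        out.append((e.fields.get("SRC", "?"), classify(e)))
    return out


# First two lines are copied from the thread; the third is constructed (placeholder MAC).
SAMPLE_LOG = """\
[Thu Oct 14 10:14:58 2021] 'SSH Access'IN=ens192 OUT= MAC=00:50:56:a0:56:17:90:77:ee:5b:b1:ff:08:00 SRC=10.103.160.180 DST=10.100.160.23 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=16375 DF PROTO=TCP SPT=49310 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
[Thu Oct 14 10:15:03 2021] IN_work_ssh_DROP: IN=ens192 OUT= MAC=00:50:56:a0:56:17:90:77:ee:5b:b1:ff:08:00 SRC=10.101.160.180 DST=10.100.160.23 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=41662 DF PROTO=TCP SPT=43188 DPT=22 WINDOW=501 RES=0x00 ACK FIN URGP=0
[Thu Oct 14 10:20:00 2021] IN_work_ssh_DROP: IN=ens192 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=10.211.55.23 DST=10.100.160.23 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=50000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
"""

if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_LOG):
        print(f"{src:16} {verdict}")
```

    Run it against `dmesg -T | grep -E "SSH|_DROP"` output instead of SAMPLE_LOG to get the same verdicts on a live box; only "blocked-new-connection-from-allowed-source" points at a firewall configuration problem, and the ACK FIN entry that caused the worry in post #8 comes out as teardown noise.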

  10. #10
    Join Date
    Jan 2013
    Beans
    13

    Re: 20.04LTS: Firewalld, default zone set to block SSH, but doesn't

    Hey Doug, so yeah, that last bit. I encountered those dmesg 'reject's like literally a minute before I posted that. So, in the end the three zones are working. Before I posted the first question here, I did throw up a similar question in the #FirewallD IRC channel. The sole maintainer of this project helped me out on a couple of questions. But the two of you combined got my firewall... firewalling. Right now everything works, and I've got a request into Infosec to scan this server to prove it's good.
