I have recently been studying rhel7, and on the new firewalld concept my course material has the following passage:
Every packet that comes into the system will first be checked for its source address. If that source address is tied to a specific zone, the rules for that zone will be parsed. If the source address is not tied to a zone, the zone for the incoming network interface will be used. If the network interface is not associated with a zone for some reason, the default zone will be used. The default zone is not a separate zone itself; it is one of the other zones.
The public zone is the default zone. Now I add a source network range to the work zone:
# firewall-cmd --add-source=192.168.1.0/24 --zone=work --permanent
Then I remove the ssh service from the work zone:
# firewall-cmd --remove-service=ssh --zone=work --permanent
# systemctl restart firewalld
Finally, I check the result:
# firewall-cmd --list-all-zones
public (default, active)
interfaces: enp0s3
sources:
services: ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
work
interfaces:
sources: 192.168.1.0/24
services: dhcpv6-client ipp-client
ports:
masquerade: no
forward-ports:
icmp-blocks:
The result is that I can still connect from the client to the server with ssh.
According to the quoted text, when the source address matches a zone, the rules of that zone are used, so the work zone should apply here; but the work zone has no ssh service, so the client should not be able to ssh in, should it?
Or is my understanding wrong?
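As an added example (not part of the original post), here is a small Python model of the zone-selection order the quoted passage describes, with the zone state copied from the --list-all-zones output above. The ZONES table and the helper names are constructed for illustration; the model shows what the documented rules predict for a client in 192.168.1.0/24, not what the author's server actually did.

```python
import ipaddress

# Constructed model of the zone state shown in the post's --list-all-zones output.
ZONES = {
    "public": {"interfaces": {"enp0s3"}, "sources": set(), "services": {"ssh"}},
    "work": {"interfaces": set(), "sources": {"192.168.1.0/24"},
             "services": {"dhcpv6-client", "ipp-client"}},
}
DEFAULT_ZONE = "public"


def select_zone(src_ip, iface, zones=ZONES, default=DEFAULT_ZONE):
    """Apply the documented precedence: source binding, then interface, then default zone."""
    addr = ipaddress.ip_address(src_ip)
    # 1. A source binding wins over everything else.
    for name, zone in zones.items():
        for net in zone["sources"]:
            if addr in ipaddress.ip_network(net, strict=False):
                return name
    # 2. Otherwise the zone bound to the incoming interface is used.
    for name, zone in zones.items():
        if iface in zone["interfaces"]:
            return name
    # 3. Otherwise the default zone applies (it is one of the ordinary zones).
    return default


def is_allowed(src_ip, iface, service, zones=ZONES, default=DEFAULT_ZONE):
    """Return (zone, accepted): a packet is accepted only if the selected zone
    lists the service. Assumes the zone's target is the default one, so traffic
    matching no service is rejected."""
    zone = select_zone(src_ip, iface, zones, default)
    return zone, service in zones[zone]["services"]


if __name__ == "__main__":
    # LAN client inside the bound source range: lands in "work", which has no ssh.
    print(is_allowed("192.168.1.10", "enp0s3", "ssh"))   # ('work', False)
    # Any other address arriving on enp0s3 falls through to the interface's zone.
    print(is_allowed("10.0.0.5", "enp0s3", "ssh"))       # ('public', True)
```

If the documented precedence holds, a client in 192.168.1.0/24 should be rejected for ssh; a connection that still succeeds means the source binding was not in effect in the running configuration, which is what to verify (for example with firewall-cmd --get-active-zones) before questioning the precedence rule itself.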