Trying to self-train on firewalld, I set up Apache and configured the zones as follows:
My expected result is that traffic from the hypervisor would match the "work" zone and, since http isn't allowed for that zone, be dropped. However, I'm still able to get to the web page from there:
I know the traffic is matching the "public" zone because removing the "http" and "https" services causes web traffic to stop and adding them back to the public zone restores service while making the same modifications on the "work" zone does nothing.
I'm sure it's a failure of my understanding but I can't spot it.
UPDATE:
Still having this issue. If I remove the interface from public and add it to work it starts to work, but that's likely because all ens3 traffic will be going to that zone now. I did an iptables -Z to zero out the packet counts and did verify that the chains associated with the public zone are getting the packets.
Interestingly, if I do the --add-source so that it adds the traffic to the drop or block zones it works how I would expect (traffic is dropped/rejected regardless of what services are configured on the public zone).
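The behaviour described above (a source-bound "work" zone that does not stop the traffic, while a source-bound "drop" or "block" zone does) is what you get from firewalld's legacy iptables layout when the zone's target is "default": INPUT first jumps to the source-matched zone chain, and a zone whose target is "default" has no terminating rule of its own, so an unmatched packet returns and is then tried against the interface-bound zone (here public, which allows http). DROP and REJECT targets terminate, which is why the drop/block zones behave as expected. The following is an added model of that dispatch order, not firewalld's own code or anything from the post; the hypervisor address 192.0.2.10 and the service set are constructed placeholders, and the assumption that a "default"-target zone falls through is the point being illustrated.

```python
# Model of firewalld's legacy iptables zone dispatch for an incoming packet:
# INPUT -> INPUT_ZONES_SOURCE (zones bound with --add-source)
#       -> INPUT_ZONES        (zones bound with --add-interface, then the default zone)
#       -> final REJECT at the end of INPUT.
# Assumption modelled here: a zone whose target is "default" only ACCEPTs on a
# service match and otherwise returns without a verdict, so the walk continues.
import ipaddress
from dataclasses import dataclass, field

# Constructed service table; real firewalld reads these from its service XML files.
SERVICE_PORTS = {"ssh": ("tcp", 22), "http": ("tcp", 80), "https": ("tcp", 443)}


@dataclass
class Zone:
    name: str
    target: str = "default"            # default | ACCEPT | DROP | REJECT
    services: set = field(default_factory=set)
    sources: list = field(default_factory=list)    # CIDR strings from --add-source
    interfaces: set = field(default_factory=set)   # names from --add-interface


@dataclass
class Packet:
    src: str
    iface: str
    proto: str
    dport: int


def zone_verdict(zone, pkt):
    """Walk IN_<zone>: ACCEPT on a service match; otherwise the zone target,
    where 'default' means 'no verdict, return to the caller'."""
    for svc in zone.services:
        if SERVICE_PORTS.get(svc) == (pkt.proto, pkt.dport):
            return "ACCEPT"
    return None if zone.target == "default" else zone.target


def dispatch(zones, default_zone, pkt):
    """Return (zone_or_chain, verdict) for the packet, following chain order."""
    src = ipaddress.ip_address(pkt.src)
    # INPUT_ZONES_SOURCE: source-bound zones are consulted first
    for z in zones.values():
        if any(src in ipaddress.ip_network(c, strict=False) for c in z.sources):
            v = zone_verdict(z, pkt)
            if v:
                return z.name, v
    # INPUT_ZONES: interface-bound zones, then the default zone
    for z in zones.values():
        if pkt.iface in z.interfaces:
            v = zone_verdict(z, pkt)
            if v:
                return z.name, v
    v = zone_verdict(zones[default_zone], pkt)
    if v:
        return default_zone, v
    return "INPUT", "REJECT"          # catch-all rule at the end of INPUT


HYPERVISOR = "192.0.2.10"            # constructed placeholder, not from the post


def build_zones(source_zone, work_target="default"):
    """Constructed layout mirroring the post: ens3 in public with http allowed,
    the hypervisor address bound via --add-source to source_zone."""
    zones = {
        "public": Zone("public", services={"ssh", "http", "https"}, interfaces={"ens3"}),
        "work": Zone("work", target=work_target, services={"ssh"}),
        "drop": Zone("drop", target="DROP"),
        "block": Zone("block", target="REJECT"),
    }
    zones[source_zone].sources.append(HYPERVISOR + "/32")
    return zones


def http_from_hypervisor(source_zone, work_target="default"):
    """Verdict for an http request from the hypervisor arriving on ens3."""
    zones = build_zones(source_zone, work_target)
    pkt = Packet(src=HYPERVISOR, iface="ens3", proto="tcp", dport=80)
    return dispatch(zones, "public", pkt)


if __name__ == "__main__":
    print(http_from_hypervisor("work"))          # ('public', 'ACCEPT'): work falls through
    print(http_from_hypervisor("drop"))          # ('drop', 'DROP')
    print(http_from_hypervisor("block"))         # ('block', 'REJECT')
    print(http_from_hypervisor("work", "DROP"))  # ('work', 'DROP')
```

The last line of the usage shows the practical consequence: giving the source-bound zone an explicit target (`firewall-cmd --permanent --zone=work --set-target=DROP`, then `--reload`) makes it terminate like the drop zone does. `firewall-cmd --get-zone-of-source=<addr>` and `firewall-cmd --get-active-zones` are the quick checks that the source is bound to the zone you think it is before changing targets.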