Closed christianhilbrands closed 4 years ago
Hard to tell what was wrong as you didn't provide samples. However, you would likely need to modify your default zone to drop all, and add a zone which allows from given ip addresses.
If you have a Red Hat subscription, read this:
If not, try this: https://unix.stackexchange.com/questions/159873/whitelist-source-ip-addresses-in-centos-7
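The "default zone drop, plus a zone that only admits given source addresses" approach from the comment above, written out as an added firewall-cmd script that is not part of this issue thread. The zone name, the source CIDRs and the ports are placeholders chosen for the example; the podman CNI interface that the thread later says sits in the trusted zone is not touched by these commands.

```bash
#!/usr/bin/env bash
# Added example (not from the issue): restrict published AWX ports to a
# few source addresses with firewalld zones instead of iptables rules.
set -euo pipefail

ZONE="awx-admin"                                        # placeholder zone name
ALLOWED_SOURCES=("203.0.113.10/32" "198.51.100.0/24")   # constructed (RFC 5737) example addresses
PORTS=("80/tcp" "443/tcp")                              # placeholder for the ports the playbook publishes

# fw: run firewall-cmd, or only print the command when DRY_RUN=1 so the
# change set can be reviewed on a machine without firewalld.
fw() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'firewall-cmd %s\n' "$*"
  else
    firewall-cmd "$@"
  fi
}

lockdown() {
  # 1. Anything that no more specific zone claims is dropped (runtime and permanent).
  fw --set-default-zone=drop
  # 2. A dedicated zone whose members are the allowed sources. firewalld matches
  #    source-bound zones before interface-bound ones, so these addresses are
  #    handled here even though the interface itself stays in NetworkManager's zone.
  #    --new-zone fails if the zone already exists; rerun without it in that case.
  fw --permanent --new-zone="$ZONE"
  for src in "${ALLOWED_SOURCES[@]}"; do
    fw --permanent --zone="$ZONE" --add-source="$src"
  done
  # 3. Open the published ports in that zone only; the drop zone keeps them closed
  #    for everyone else.
  for p in "${PORTS[@]}"; do
    fw --permanent --zone="$ZONE" --add-port="$p"
  done
  fw --reload
}

# Run for real only when explicitly asked, e.g. APPLY=1 ./lockdown.sh
if [ "${APPLY:-0}" = "1" ]; then
  lockdown
fi
```

Review the plan first with `DRY_RUN=1 APPLY=1 ./lockdown.sh`; afterwards `firewall-cmd --get-active-zones` should list the new zone with its sources.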
Thanks for the comment, I have already changed the podman playbook so that the ports get put into a different zone. I think I need to set the default zone to drop (I have not tried that yet). But I think I am going to set up a new AWX with version 13, where I will add what you mentioned.
Maybe I can cite something I discussed in May on the podman mailing list here:
Thanks for pointing that out. When changing the default policy to DROP (using iptables -P FORWARD DROP) the traffic is blocked as expected. Using iptables is deprecated in RHEL/CentOS 8 and unfortunately the default policy for firewalld is hard-wired to ACCEPT as it has another concept of using zones which I tried without success in this use-case so far. Note: The CNI is added to trusted zone by default.
I think I’ll stick to the approach not publishing any services to all interfaces which should not be exposed world-wide. When using this internally I can still bind to loopback (127.0.0.1) and use ssh-tunnelling to get access to that service as intended.
Thus I don’t need to fiddle too much with the firewalld configs in this scenario.
Thanks a lot for your great advice. I hope this is beneficial for someone else stumbling across this.
Hope this helps
This helps a lot. Thanks for the advice @cfelder
When I run the Ansible playbook to set up/modify AWX 11.2.0, firewalld gets the config from NetworkManager. This config lets everyone in, but I want to block everyone and let only a few sources in.
What I have tried so far:
It looks like the network scripts prevent me from overwriting the manual firewalld config? I read on the internet that I should try something with ifcfg-post? Link: https://firewalld.org/documentation/zone/connections-interfaces-and-sources.html I don't have any ideas left, maybe you have some?
Kind regards, Christian Hilbrands