firewalld question


Hi All,

I'm trying to reject access to port 443 from all hosts except a few whitelisted ones. With my firewalld zone configuration (shown below), access to that port is nevertheless allowed from hosts that are not in the trusted zone's source list, and I don't understand why. My reading of the configuration is: the interfaces are bound to the external zone, whose target is default and which only opens the radius and ssh services, so a packet to 443 from an address not listed under the trusted zone's sources should fall through to that zone's default handling and be rejected, while only the listed sources should match the trusted zone (target ACCEPT). (Since the trusted zone's target is ACCEPT, those whitelisted sources are allowed on every port, not only 443.)

Can you tell what I'm doing wrong? Is there something else I should check, e.g. whether this listing reflects the runtime configuration rather than the permanent one, or whether rules outside of these zones are affecting port 443?

Thanks!

Bill

block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

external (active)
target: default
icmp-block-inversion: no
interfaces: bond0 enP2p1s0f0 enP2p1s0f1 enP3p9s0f0 enP3p9s0f1 enP3p9s0f2 enP3p9s0f3
sources:
services: radius ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

trusted (active)
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources: 128.117.183.48 128.117.183.100 192.168.45.20 192.168.45.21 192.168.45.22 10.11.145.220 10.11.145.221 10.11.143.90 10.11.143.91 128.117.183.54 128.117.183.55 10.11.143.82 10.11.143.83 10.11.143.84 128.117.183.51 128.117.183.52 128.117.183.53 128.117.183.70 128.117.64.27 128.117.181.125 128.117.181.126 128.117.181.127 128.117.181.128 128.117.181.147 128.117.181.148 128.117.181.149 128.117.181.150 128.117.183.18 128.117.181.88 128.117.181.89
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
