I'm running the latest version of CentOS 7 (kernel version 3.10.0-1062.4.1.el7.x86_64). I have specified a custom firewalld zone, in which I have specified a port and a source ipset. I am expecting that both of these criteria should be applied. However, I am able to connect to the system (from an allowed source IP), but from a different port. Is this how the zone configuration is supposed to work?
Here is my zone config:
<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
<port port="8080" protocol="tcp"/>
<source ipset="authorized-ips"/>
</zone>
Here is my ipset config:
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:ip">
<!-- Bob's system -->
<entry>192.168.123.123</entry>
<!-- Bill's system -->
<entry>192.168.123.124</entry>
</ipset>
If I connect using port 8008 or 8009, then I am still able to access the application via Apache. But I have not explicitly allowed these ports through the firewall!
The output of running firewall-cmd --list-all --zone=ACCEPT is:
Error: INVALID_ZONE: ACCEPT
It's unusual to edit firewalld this way. Can you post output from
firewall-cmd --list-all --zone=ACCEPT
- this way we'd know how your config was parsed and implemented by the daemon.
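The zone file in the question sets target="ACCEPT", and firewalld applies a zone's target to every packet that lands in the zone by source but matches no port or service rule, so the port list does not restrict anything. The following is an added stand-alone check (not firewalld's own code and not from the question): it parses a zone file, flags that combination, and produces the hardened variant with the ACCEPT target removed so that unmatched packets fall through to firewalld's default reject behaviour. The sample zone is a constructed copy of the one posted above.

```python
import xml.etree.ElementTree as ET

# Constructed sample, copied from the zone in the question: target="ACCEPT"
# combined with a port rule and an ipset source.
ZONE_ACCEPT = """<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
<port port="8080" protocol="tcp"/>
<source ipset="authorized-ips"/>
</zone>
"""


def audit_zone(xml_text):
    """Return a list of findings for one firewalld zone file.

    firewalld applies the zone target to every packet that lands in the zone
    (here: matched by source) but matches no port/service/rich rule. With
    target="ACCEPT" those packets are accepted anyway, so the port list is
    not a restriction. Without a target attribute (or with target="default")
    unmatched packets are rejected, which is the behaviour the question expected.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    target = root.get("target", "default")
    ports = ["%s/%s" % (p.get("port"), p.get("protocol")) for p in root.findall("port")]
    services = [s.get("name") for s in root.findall("service")]
    # A <source> carries exactly one of address=, ipset= or mac=.
    sources = [s.get("address") or s.get("ipset") or s.get("mac")
               for s in root.findall("source")]
    findings = []
    if target == "ACCEPT" and (ports or services):
        findings.append(
            "target=ACCEPT makes the port/service rules %s ineffective: every "
            "packet from %s is accepted" % (ports + services, sources))
    return findings


def harden_zone(xml_text):
    """Return the zone XML with an ACCEPT target dropped, so packets that match
    no port/service rule fall through to firewalld's default (reject) target."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.get("target") == "ACCEPT":
        del root.attrib["target"]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_zone(ZONE_ACCEPT):
        print("finding:", finding)
    print(harden_zone(ZONE_ACCEPT))
```

After changing the zone file, firewall-cmd --reload and firewall-cmd --list-all --zone=<zone name> (the custom zone's name, not its target) show what the daemon actually loaded.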