perfsonar-user - [perfsonar-user] Restricting SSH on RHEL 7
  • From: Josh Zenker <>
  • To: "" <>
  • Subject: [perfsonar-user] Restricting SSH on RHEL 7
  • Date: Fri, 9 Oct 2020 15:38:00 +0000

I'm running into an annoying problem on a perfSONAR server running RHEL 7. How can I configure firewalld to only accept SSH connections from a list of allowed networks? My configuration works until perfSONAR installs an update. I read the docs and took the suggestion of adding rich rules.

        rule family="ipv4" source address="172.16.0.0/12" service name="ssh" accept
        rule family="ipv4" source address="155.247.18.0/24" service name="ssh" accept
        rule family="ipv4" source address="155.247.164.0/22" service name="ssh" accept
        rule family="ipv4" source address="155.247.168.0/23" service name="ssh" accept

The trouble is, every time perfSONAR updates, it reinstates the following rule in the chain at a higher priority than my rich rules:

ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW,UNTRACKED

As a result, all SSH connections are allowed instead of limiting them to the source networks in my rich rules. I'm no firewalld expert so I could use your help. I'd be surprised if no one else has encountered this use case. What did you do?

Josh Zenker
Linux System Administrator
Temple University Network Services
Office: 215-204-1540 | Mobile: 267-507-5296
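The situation described in the post (a zone-wide `ssh` service entry that accepts from anywhere, sitting alongside rich rules that only accept `ssh` from specific sources) is easy to miss in a `firewall-cmd --list-all` dump. The following is an added example, not code from the original post or from the perfSONAR project: it parses a constructed zone dump in the layout `firewall-cmd --list-all` prints and flags any service that is both allowed zone-wide under `services:` and the subject of source-restricted rich `accept` rules, since the zone-wide entry makes those restrictions ineffective. The sample dump and the `public` zone name are assumptions for the example.

```python
"""
Detect a firewalld zone in which a service listed under 'services:' (allowed
from any source) shadows source-restricted rich rules for that same service.
Added example; it parses a constructed dump, not live firewall-cmd output.
"""
import re

# Constructed sample in the layout 'firewall-cmd --list-all' prints. The
# 'services:' line lists services accepted from any source in the zone; the
# 'rich rules:' block holds the per-source rules (assumed zone name: public).
SAMPLE_ZONE_DUMP = """\
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 861/tcp 8760-9960/udp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
\trule family="ipv4" source address="172.16.0.0/12" service name="ssh" accept
\trule family="ipv4" source address="155.247.18.0/24" service name="ssh" accept
"""

# Matches the rich-rule form used in the post: family, source address, service, action.
RICH_RULE_RE = re.compile(
    r'rule family="(?P<family>ipv[46])"\s+source address="(?P<src>[^"]+)"\s+'
    r'service name="(?P<service>[^"]+)"\s+(?P<action>accept|drop|reject)'
)


def parse_zone_dump(text):
    """Return (services, rich_rules) from a zone dump.

    services   - set of service names accepted from any source in the zone
    rich_rules - list of dicts with keys family, src, service, action
    """
    services = set()
    rich_rules = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("services:"):
            services.update(stripped[len("services:"):].split())
            continue
        match = RICH_RULE_RE.match(stripped)
        if match:
            rich_rules.append(match.groupdict())
    return services, rich_rules


def find_shadowed_restrictions(services, rich_rules):
    """Services that rich rules accept only from given sources but that the
    zone also accepts from everywhere, so the source restriction has no effect."""
    restricted = {r["service"] for r in rich_rules if r["action"] == "accept"}
    return sorted(restricted & services)


def check_zone_dump(text):
    """Parse a dump and return the list of shadowed service names."""
    services, rich_rules = parse_zone_dump(text)
    return find_shadowed_restrictions(services, rich_rules)


if __name__ == "__main__":
    shadowed = check_zone_dump(SAMPLE_ZONE_DUMP)
    for svc in shadowed:
        print(f"WARNING: service '{svc}' is accepted from any source in the zone; "
              f"the source-restricted rich rules for it are not limiting anything")
    if not shadowed:
        print("OK: no source-restricted service is also accepted zone-wide")
```

Run against a real host by feeding it the output of `firewall-cmd --list-all` for the active zone; the check is useful after each package update, which is exactly when the post reports the zone-wide rule reappearing.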
