Firewalld Zones Internal Rules Allowing Traffic Through

by metallica1973, from LinuxQuestions.org (#5F2KE)

Linux Gods,

Here is my basic firewalld zones and rules:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client https ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: weave
  sources: 192.168.9.146/32 192.168.8.140/32
  services: dhcpv6-client mdns ssh
  ports: 1-65535/tcp 1-65535/udp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

My intention is to only allow (dhcpv6-client https ssh) through to the backend internal zone, blocking everything else while keeping internal communications going on the backend. In two test labs it works and traffic is being blocked, which I can see when I run nmap against it. But when the sec guys run their Nessus scans from their scanner/nodes, it's seeing TCP:10250 (Kubernetes) port as being exposed. I cannot understand why traffic is being allowed through my "public" zone to my "internal" zone (TCP:10250) outside of what I have specified. Any clarification would be greatly appreciated.
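As an added illustration (not from the post or any reply to it), the Python below models how firewalld decides which zone an inbound packet lands in, using the two zones exactly as listed above. Firewalld matches a packet against zone sources before it looks at the interface the packet arrived on, so a source that is listed in a zone is handled by that zone whatever interface it came in on. The service-to-port mapping (ssh 22/tcp, https 443/tcp, dhcpv6-client 546/udp, mdns 5353/udp) is taken from the stock firewalld service definitions, and the sample scanner addresses and the function names are constructed for this example; whether the real scanner sits at one of the listed addresses is not something the post says.

```python
"""Model of firewalld zone selection for one inbound packet.

Zone contents are copied from the post's firewall-cmd listing; the dispatch
order (source match, then interface binding, then the default zone) follows
firewalld's documented behaviour. Function names and sample packets are
constructed for this example.
"""
import ipaddress

ZONES = {
    "public": {
        "interfaces": {"eth0"},
        "sources": set(),
        "services": {"dhcpv6-client", "https", "ssh"},
        "ports": set(),                       # entries are (proto, low, high)
    },
    "internal": {
        "interfaces": {"weave"},
        "sources": {"192.168.9.146/32", "192.168.8.140/32"},
        "services": {"dhcpv6-client", "mdns", "ssh"},
        "ports": {("tcp", 1, 65535), ("udp", 1, 65535)},
    },
}
DEFAULT_ZONE = "public"

# Ports behind each named service, assumed from the stock service definitions.
SERVICE_PORTS = {
    "ssh": {("tcp", 22)},
    "https": {("tcp", 443)},
    "dhcpv6-client": {("udp", 546)},
    "mdns": {("udp", 5353)},
}


def select_zone(src_ip, iface):
    """Source match wins over interface binding, which wins over the default zone."""
    addr = ipaddress.ip_address(src_ip)
    for name, zone in ZONES.items():
        if any(addr in ipaddress.ip_network(net) for net in zone["sources"]):
            return name
    for name, zone in ZONES.items():
        if iface in zone["interfaces"]:
            return name
    return DEFAULT_ZONE


def is_allowed(src_ip, iface, proto, port):
    """Return (zone, allowed) for a packet; zone target 'default' rejects unmatched input."""
    name = select_zone(src_ip, iface)
    zone = ZONES[name]
    if any((proto, port) in SERVICE_PORTS[svc] for svc in zone["services"]):
        return name, True
    if any(p == proto and lo <= port <= hi for p, lo, hi in zone["ports"]):
        return name, True
    return name, False


def audit_wide_open(zones=ZONES):
    """List zones that open the entire port range; such a zone allows any port to any matched source."""
    return sorted(
        name for name, zone in zones.items()
        if any(lo == 1 and hi == 65535 for _, lo, hi in zone["ports"])
    )


if __name__ == "__main__":
    # Constructed sample packets: a scanner on eth0 from an unlisted address,
    # and one from an address that happens to be an internal-zone source.
    for src in ("10.0.0.5", "192.168.9.146"):
        zone, ok = is_allowed(src, "eth0", "tcp", 10250)
        print(f"{src} via eth0 -> zone {zone}, tcp/10250 {'allowed' if ok else 'blocked'}")
    print("zones opening all ports:", audit_wide_open())
```

Run as-is, the first packet is handled by public and tcp/10250 is blocked, while the second is pulled into internal by its source match and every port is open to it. The model only covers firewalld's own zone logic as shown in the listing; anything outside that listing is not represented, so comparing a scanner's source address against `firewall-cmd --zone=internal --list-sources` is the first check this suggests.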