
Thread: Which Firewall Zone for ssh?

  1. #1 (Stuttgart, Germany, joined Oct 2008)

    Which Firewall Zone for ssh?

    I have two computers running OpenSuse Linux named linux5 and linux6. They are connected via a Fritzbox. I just installed Leap 15.3 on linux6. I enabled sshd in the Services Manager and then checked the firewall settings. 'ssh' was added to several zones, but not all.

    I then tried to ssh from linux5 to linux6, but got a "no route to host" error. I checked with ss and lsof that port 22 is indeed open. Pinging linux6 from linux5 was possible.

    When I shut down the firewall on linux6, I could connect via ssh from linux5 without any problem. I then added ssh to almost all zones and it still works.

    I'm wondering which zones I really need to open. Is there an easy way to find out?

  2. #2 (joined Sep 2012)

    Re: Which Firewall Zone for ssh?

    Quoting stephanhh:
    > I'm wondering which zones I really need to open.
    You do not "open a zone". A zone is simply a collection of rules (including ports/services that should be open). To actually use these rules you need to assign a zone to an interface; then traffic through this interface will be subject to the rules in this zone.
    > Is there an easy way to find out?
    Of course - you check the configuration of the zone assigned to your interface. You as administrator of your system are responsible for deciding which zone is used for which interface. You can check the default zone with "firewall-cmd --get-default-zone" and you can check the zone currently associated with an interface with "firewall-cmd --get-zone-of-interface=interface-name".

  3. #3

    Re: Which Firewall Zone for ssh?

    Unless you've made some significant modifications to your firewall, your default zone is probably going to be "public".

    You can find which zone is set as your default by running the following command as root.
    Code:
    firewall-cmd --get-default-zone
    Assuming your default zone is public, you can look at which ports and services it permits by running the following command as root.
    Code:
    firewall-cmd --info-zone=public
    If you find that the ssh service is not present in your public zone, then you can add it by running the following command as root.
    Code:
    firewall-cmd --zone=public --permanent --add-service=ssh
    Edit: Forgot to add that you'll need to make sure to include the --permanent option in that last command to make sure that the rule persists after the firewall has been reloaded.
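    Putting the two replies together (zone bound to the interface, else the default zone, then check that zone's service list), here is an added example script that is not from this thread or from the firewalld project. It assumes firewall-cmd prints "no zone" for an unbound interface; the parsing helpers take command output as text so they also run offline on the constructed samples.

```shell
#!/bin/sh
# Added example: which zone actually governs each interface, and does it allow ssh?

# $1 = output of "firewall-cmd --get-zone-of-interface=<if>", $2 = default zone.
# An interface with no explicit binding falls under the default zone
# (assumes firewall-cmd reports "no zone" in that case).
effective_zone() {
  if [ -z "$1" ] || [ "$1" = "no zone" ]; then
    printf '%s\n' "$2"
  else
    printf '%s\n' "$1"
  fi
}

# $1 = output of "firewall-cmd --info-zone=<zone>"; exit 0 if its
# "services:" line lists ssh, 1 otherwise.
zone_allows_ssh() {
  printf '%s\n' "$1" | awk '
    $1 == "services:" { for (i = 2; i <= NF; i++) if ($i == "ssh") found = 1 }
    END { if (found) exit 0; exit 1 }'
}

# Constructed samples of --info-zone output (not captured from a real host).
SAMPLE_PUBLIC='public (active)
  target: default
  interfaces: eth0
  services: dhcpv6-client
  ports:'
SAMPLE_HOME='home
  target: default
  interfaces:
  services: dhcpv6-client mdns samba-client ssh
  ports:'

# Live audit over every interface the kernel knows; only meaningful on a
# host where firewalld is installed.
audit_ssh_zones() {
  default=$(firewall-cmd --get-default-zone)
  for iface in $(ls /sys/class/net); do
    bound=$(firewall-cmd --get-zone-of-interface="$iface" 2>/dev/null)
    zone=$(effective_zone "$bound" "$default")
    if zone_allows_ssh "$(firewall-cmd --info-zone="$zone")"; then
      echo "$iface -> $zone: ssh allowed"
    else
      echo "$iface -> $zone: ssh NOT allowed"
    fi
  done
}

if command -v firewall-cmd >/dev/null 2>&1; then audit_ssh_zones; fi
```

    Only the zone bound to the interface the peer reaches you through matters; adding ssh to every other zone changes nothing for that path.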
