The target setup is the following: I want to restrict ssh access to the server to a specific IP, and allow the http service to all. Now, to start from "scratch" I defined a new zone which I called "custom" and set it as the default one. This is its current status:
custom (active)
target: default
icmp-block-inversion: no
interfaces: enp1s0
sources:
services: http
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
To allow only the 192.168.122.1 IP to access the SSH service I created another zone, which I called "limited-ssh":
limited-ssh (active)
target: default
icmp-block-inversion: no
interfaces:
sources: 192.168.122.1
services: ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
These interfaces are the only active ones:
custom
interfaces: enp1s0
limited-ssh
sources: 192.168.122.1
While this works, in the sense that only the specified IP is able to ssh into the machine, the same IP cannot access the http service. I guess it is because the "source" zone is processed before the "interface" zone. How can I restrict SSH access AND allow that IP to access the HTTP service (and all the other services in the "custom" zone)? Should I use a direct rule? I presume that if I add the http service to the limited-ssh zone it would work, but it would be repetitive and would quickly become a mess.
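As an added example (not part of the original post): one way to get this behaviour with a single zone is to keep `http` in the interface-bound zone's service list and admit `ssh` through a rich rule that matches only the admin address, so that address is still handled by the same zone for every other service. The zone name `custom` and the address `192.168.122.1` are taken from the post; the function names are my own, and the `firewall-cmd` calls require root and a running firewalld.

```shell
#!/bin/sh
# Constructed example: restrict ssh to one source inside the zone that already
# owns the interface, instead of a second source-bound zone.
ZONE="custom"
ADMIN_IP="192.168.122.1"

# Build the firewalld rich rule that accepts ssh only from the given address.
# Everything else in the zone (http here) stays reachable from any source.
build_ssh_rich_rule() {
    printf 'rule family="ipv4" source address="%s" service name="ssh" accept' "$1"
}

# Given the text of `firewall-cmd --zone=X --list-all`, report (exit 0) whether
# ssh is exposed through the plain service list, i.e. to every source the zone
# handles. Useful as a quick audit of a captured zone dump.
zone_exposes_ssh_to_all() {
    printf '%s\n' "$1" | awk '
        /^ *services:/ { for (i = 2; i <= NF; i++) if ($i == "ssh") found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Apply the restriction permanently and reload (needs root and firewalld).
apply_ssh_restriction() {
    zone="$1"; ip="$2"
    rule="$(build_ssh_rich_rule "$ip")"
    # Make sure ssh is not also open to all via the service list.
    firewall-cmd --permanent --zone="$zone" --remove-service=ssh >/dev/null 2>&1 || true
    firewall-cmd --permanent --zone="$zone" --add-rich-rule="$rule"
    firewall-cmd --reload
}

# Check the live ruleset: ssh must be absent from services and the rule present.
verify_ssh_restriction() {
    zone="$1"; ip="$2"
    if zone_exposes_ssh_to_all "$(firewall-cmd --zone="$zone" --list-all)"; then
        echo "FAIL: ssh still open to all sources in zone $zone" >&2
        return 1
    fi
    firewall-cmd --zone="$zone" --list-rich-rules | grep -qF "$(build_ssh_rich_rule "$ip")"
}

# Usage (uncomment on the firewall host):
# apply_ssh_restriction "$ZONE" "$ADMIN_IP" && verify_ssh_restriction "$ZONE" "$ADMIN_IP"
```

After this, the `limited-ssh` zone is no longer needed, since the source address is now handled by `custom` along with everyone else.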