Firewalld: only allowing SSH from specific IP does not work

I am trying to use Firewalld to restrict access to/from a Linux server.

Environment:
a) the Linux server has a single network interface: ens160

Requirements:
a) It shall allow only machines with IP addresses 192.168.3.0/24 to be able to connect using SSH to this Linux server
b) It shall allow this Linux server only to be able to connect using SSH to IP addresses 192.168.3.0/24
c) None of the other IP addresses or services (including Ping) should be able to connect/reach to this Linux server
d) This Linux server should not be able to connect/reach other IP addresses or services (including Ping).

Configurations made (right after firewalld installation, and to my best knowledge firewalld blocks all connections by default):
a) sudo firewall-cmd --set-default-zone=internal
b) sudo firewall-cmd --zone=internal --add-interface=ens160 --permanent
c) sudo firewall-cmd --permanent --zone=internal --add-rich-rule='rule family="ipv4" source address="192.168.3.0/24" service name="ssh" accept'

Configurations status:
user@server:~$ sudo firewall-cmd --list-all

internal (active)
target: default
icmp-block-inversion: no
interfaces: ens160
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.3.0/24" service name="ssh" accept
user@server:~$

Verification results:
It works on some aspects:
a) IP addresses 192.168.2.0/24 cannot use SSH to connect to the Linux server.

It does not seem to work on other aspects:
a) IP addresses 192.168.2.0/24 can ping the Linux server (which is not expected as none of the other IP addresses or services (including Ping) should be able to connect/reach to this server)
b) the Linux server can ping google.com (which is not expected as this Linux server should not be able to connect/reach other IP addresses or services (including Ping)).

Can someone help me out here? Much appreciated.


The "ping" is ICMP echo (RFC 792). You haven't set any ICMP blocks:

internal (active)
icmp-blocks:

Try e.g.

firewall-cmd --zone=internal --add-icmp-block={echo-request,echo-reply}
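One way to turn that answer into a complete configuration for all four requirements, as an added example that is not part of the original question or answer: a dry-run shell script that prints (or, with DRY_RUN=0, runs) the firewall-cmd calls. It assumes firewalld 0.9 or newer (policy objects), and the interface ens160, the zone internal and the network 192.168.3.0/24 from the question; the policy name host-egress is an arbitrary choice. A zone whose target is "default" accepts ICMP that is not explicitly blocked, which is why ping still answered; setting the zone target to DROP makes an icmp-block unnecessary. Requirements b) and d) are egress filtering, which zones do not cover at all, so the script goes beyond the answer and adds a HOST to ANY policy with target DROP that accepts only SSH to the trusted network.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumptions (not stated on the page): firewalld >= 0.9 for policy objects,
# ens160 / internal / 192.168.3.0/24 as in the question, policy name host-egress.
# With DRY_RUN=1 (default) the firewall-cmd calls are printed instead of run,
# so the plan can be reviewed before it is applied to a live host.

IFACE="${IFACE:-ens160}"
NET="${NET:-192.168.3.0/24}"
ZONE="${ZONE:-internal}"
POLICY="${POLICY:-host-egress}"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

configure_firewall() {
    # --- ingress (requirements a and c): zone bound to the interface -------
    run firewall-cmd --permanent --zone="$ZONE" --add-interface="$IFACE"
    # The "default" zone target still accepts ICMP, hence the pings that got
    # through. DROP discards everything no rule accepts, ICMP included.
    run firewall-cmd --permanent --zone="$ZONE" --set-target=DROP
    # SSH only from the trusted network. Note: any service listed under
    # "services:" for the zone would still be open to everyone; keep it empty.
    run firewall-cmd --permanent --zone="$ZONE" \
        --add-rich-rule="rule family=\"ipv4\" source address=\"$NET\" service name=\"ssh\" accept"

    # --- egress (requirements b and d): a HOST -> ANY policy ---------------
    # Zones only filter traffic arriving at the host; outgoing traffic from
    # the host itself is matched by policies whose ingress zone is HOST.
    run firewall-cmd --permanent --new-policy="$POLICY"
    run firewall-cmd --permanent --policy="$POLICY" --add-ingress-zone=HOST
    run firewall-cmd --permanent --policy="$POLICY" --add-egress-zone=ANY
    run firewall-cmd --permanent --policy="$POLICY" --set-target=DROP
    # Outbound SSH only towards the trusted network.
    run firewall-cmd --permanent --policy="$POLICY" \
        --add-rich-rule="rule family=\"ipv4\" destination address=\"$NET\" service name=\"ssh\" accept"

    # Permanent changes take effect only after a reload.
    run firewall-cmd --reload
}

configure_firewall
```

Run it once as-is to read the plan, then with DRY_RUN=0 to apply it, from a console session or an SSH session that originates inside 192.168.3.0/24, because the egress policy also cuts DNS, NTP and package updates (which is what requirement d asks for, but it is easy to lock yourself out). Afterwards `firewall-cmd --list-all` should show target DROP for the zone and `firewall-cmd --info-policy=host-egress` the HOST to ANY policy; a ping to google.com should now fail with the name not even resolving.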