Firewalld: only allowing SSH from specific IP does not work

firewalld

I am trying to use Firewalld to restrict access to/from a Linux server

Environment:
a) the Linux server has a single network interface: ens160

Requirements:
a) It shall allow only machines with IP addresses 192.168.3.0/24 to be able to connect using SSH to this Linux server
b) It shall allow this Linux server only to be able to connect using SSH to IP addresses 192.168.3.0/24
c) None of the other IP addresses or services (including Ping) should be able to connect/reach to this Linux server
d) This Linux server should not be able to connect/reach other IP addresses or services (including Ping).

Configurations made (right after firewalld installation, and to my best knowledge firewalld blocks all connections by default):
a) sudo firewall-cmd --set-default-zone=internal
b) sudo firewall-cmd --zone=internal --add-interface=ens160 –permanent
c) sudo firewall-cmd --permanent --zone=internal --add-rich-rule='rule family="ipv4" source address="192.168.3.0/24" service name="ssh" accept'

Configurations status:
user@server:~$ sudo firewall-cmd --list-all

internal (active)
target: default
icmp-block-inversion: no
interfaces: ens160
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.3.0/24" service name="ssh" accept
user@server:~$

Verification results:
It works on some aspects:
a) IP addresses 192.168.2.0/24 cannot use SSH to connect to the Linux server.

It does not seem to work on other aspects:
a) IP addresses 192.168.2.0/24 can ping the Linux server (which is not expected as none of the other IP addresses or services (including Ping) should be able to connect/reach to this server)
b) the Linux server can ping google.com (which is not expected as this Linux server should not be able to connect/reach other IP addresses or services (including Ping)).

Can someone help me out here? Much appreciated.


The "ping" is ICMP echo (RFC 792). You haven't set any ICMP blocks:

internal (active)
icmp-blocks:

Try e.g.

firewall-cmd --zone=internal --add-icmp-block={echo-request,echo-reply}

Related

How can I delete an outgoing trust on Windows Server when an internal error occurs?
Why do some wildcard certificates have asterisk in subject field and some not?
Styling part of label in legend in matplotlib
Error: MapFragment cannot be cast to android.support.v4.app.Fragment
node.js /socket.io/socket.io.js not found
structured binding with [[maybe_unused]]
How to disable double click zoom for d3.behavior.zoom?
How to check if file exists in a Windows Store App?
SSRS 2008 - Dealing with division by zero scenarios
Incorrect syntax near ''
Renaming foreign-key columns in MySQL
What is the short cut in eclipse to terminate debugging/running?