26 Apr 2023 09:17
On Wed, Apr 26, 2023 at 9:46 AM Per Jessen <per@opensuse.org> wrote:
It seems that:
services: dns http https mountd nfs nfs3 ntp rpc-bind ssh
takes precedence over the rich rule denying packets via router.
Aha, okay. (I didn't know the meaning of that line).
Yes, rich rules with positive priorities are ordered after all other automatically generated rules. So the rule to allow connection to ssh port wins. Which is exactly what has been requested - SSH had to be open to the Internet.
(Can I write comments in xml file /etc/firewalld/zones/external.xml?)
Yes, use "<!-- comment -->". Can span multiple lines.
These files are modified by GUI and CLI so I am not sure these comments will be preserved.
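A check for the ordering described above, as an added example that is not part of the original message: it parses a constructed zone file and lists reject/drop rich rules whose positive priority places them after the zone's service rules. The sample zone, its addresses and the function name `shadowed_deny_rules` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample zone file (not taken from the thread).
SAMPLE_ZONE = """<zone>
  <short>External</short>
  <!-- comments like this are valid XML; this parser
       skips them, even when they span several lines -->
  <service name="ssh"/>
  <service name="http"/>
  <rule priority="10" family="ipv4">
    <source address="192.0.2.1"/>
    <reject/>
  </rule>
  <rule priority="-10" family="ipv4">
    <source address="198.51.100.0/24"/>
    <drop/>
  </rule>
</zone>
"""

DENY_ACTIONS = ("reject", "drop")


def shadowed_deny_rules(zone_xml):
    """Return (priority, source, action) for each deny rich rule that is
    ordered after the zone's service rules (positive priority)."""
    zone = ET.fromstring(zone_xml)
    findings = []
    # Without any <service> entries there is no allow rule to win.
    if not zone.findall("service"):
        return findings
    for rule in zone.findall("rule"):
        priority = int(rule.get("priority", "0"))
        action = next((a for a in DENY_ACTIONS if rule.find(a) is not None), None)
        if action and priority > 0:
            src = rule.find("source")
            address = src.get("address") if src is not None else None
            findings.append((priority, address, action))
    return findings


if __name__ == "__main__":
    for prio, src, action in shadowed_deny_rules(SAMPLE_ZONE):
        print(f"priority {prio}: {action} from {src} comes after the service rules")
```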