Re: [CentOS-docs] firewalld configuration for securing SSH

2019-04-30 Thread Thibaut Perrin
Thanks for the research and modification



On Tue 30 Apr 2019 at 03:55, Kimberlee Integer Model <
kimee.i.mo...@gmail.com> wrote:

> Thibaut, I did a little more reading, and according to both
> firewalld.service(5) and firewalld.org, the service XML files can only
> handle source/destination/port, and cannot handle the actions to be
> performed. I will update where possible to use the service files, but
> log/accept limit will still need to be encoded in rich rules.
>
> -- Kimee

Re: [CentOS-docs] firewalld configuration for securing SSH

2019-04-29 Thread Kimberlee Integer Model
Thibaut, I did a little more reading, and according to both
firewalld.service(5) and firewalld.org, the service XML files can only
handle source/destination/port, and cannot handle the actions to be
performed. I will update where possible to use the service files, but
log/accept limit will still need to be encoded in rich rules.

-- Kimee

On Mon, 2019-04-29 at 20:43 -0400, Kimberlee Integer Model wrote:
> Ah. I understand now. I was considering roughly the same, but wasn't
> sure whether that or rich rules was preferable.
> 
> -- Kimee

___
CentOS-docs mailing list
CentOS-docs@centos.org
https://lists.centos.org/mailman/listinfo/centos-docs


Re: [CentOS-docs] firewalld configuration for securing SSH

2019-04-29 Thread Kimberlee Integer Model
Ah. I understand now. I was considering roughly the same, but wasn't
sure whether that or rich rules was preferable.

-- Kimee


On Sat, 2019-04-27 at 01:39 +0200, Thibaut Perrin wrote:
> No, I think the rules you created might have a better place in a
> custom XML file instead of being given to firewall-cmd directly :)


Re: [CentOS-docs] firewalld configuration for securing SSH

2019-04-26 Thread Thibaut Perrin
No, I think the rules you created might have a better place in a custom XML
file instead of being given to firewall-cmd directly :)

On Fri, 26 Apr 2019 at 23:01, Kimberlee Integer Model <
kimee.i.mo...@gmail.com> wrote:

> I'm not sure I follow: do you just think the modified one should be called
> "ssh-custom", or do you think there shouldn't be a modified service file
> at all?
>
> -- Kimee


Re: [CentOS-docs] firewalld configuration for securing SSH

2019-04-26 Thread Kimberlee Integer Model
I'm not sure I follow: do you just think the modified one should be called
"ssh-custom", or do you think there shouldn't be a modified service file
at all?

-- Kimee

On Fri, 2019-04-26 at 19:46 +0200, Thibaut Perrin wrote:
> Hi there,
> 
> Wouldn't it be a better solution to create a custom XML file to put
> in /etc/firewalld and load that "ssh-custom" service instead?
> 
> Thanks


Re: [CentOS-docs] firewalld configuration for securing SSH

2019-04-26 Thread Thibaut Perrin
Hi there,

Wouldn't it be a better solution to create a custom XML file to put
in /etc/firewalld and load that "ssh-custom" service instead?

Thanks

On 26/04/2019, Kimberlee Integer Model  wrote:
> Thank you, I've gone in and made the listed changes and changed the
> firewalld sections to use services instead of just port numbers.
>
> -- Kimee


Re: [CentOS-docs] firewalld configuration for securing SSH

2019-04-26 Thread Kimberlee Integer Model
Thank you, I've gone in and made the listed changes and changed the
firewalld sections to use services instead of just port numbers.

-- Kimee


On Wed, 2019-04-24 at 17:05 -0700, Akemi Yagi wrote:
> You should be able to edit that page. Let us know if you find any
> problem.
> 
> Akemi


Re: [CentOS-docs] firewalld configuration for securing SSH

2019-04-24 Thread Akemi Yagi
On Wed, Apr 24, 2019 at 12:13 AM Kimberlee Integer Model
 wrote:
>
> Hi all,
>
> 1st time contributor here. I was using the guide on securing SSH, and
> noticed that the firewall-cmd snippets for filtering by requests per
> time seem somewhat outdated. From what I can tell, the given snippets
> relay arguments directly down to iptables and do not cover both IPv4
> and v6 (and in fact, when attempting to extend to v6, the firewall would
> fail to reload). I came up with an "all firewall-cmd" solution which
> I'd like to share.
>
> It boils down to using rich rules in firewalld instead of direct rules
> for iptables. The code snippets in section 6 of
> <https://wiki.centos.org/HowTos/Network/SecuringSSH> would be changed to
>
> firewall-cmd --permanent --add-rich-rule='rule port port="22" protocol="tcp" accept limit value="4/m"'
> firewall-cmd --permanent --remove-service ssh
> firewall-cmd --permanent --remove-port 22/tcp
> firewall-cmd --reload
>
> My newly minted wiki username is "KimeeModel".
>
> Regards,
> Kimee

You should be able to edit that page. Let us know if you find any problem.

Akemi


[CentOS-docs] firewalld configuration for securing SSH

2019-04-24 Thread Kimberlee Integer Model
Hi all,

1st time contributor here. I was using the guide on securing SSH, and
noticed that the firewall-cmd snippets for filtering by requests per
time seem somewhat outdated. From what I can tell, the given snippets
relay arguments directly down to iptables and do not cover both IPv4
and v6 (and in fact, when attempting to extend to v6, the firewall would
fail to reload). I came up with an "all firewall-cmd" solution which
I'd like to share.

It boils down to using rich rules in firewalld instead of direct rules
for iptables. The code snippets in section 6 of
<https://wiki.centos.org/HowTos/Network/SecuringSSH> would be changed to

firewall-cmd --permanent --add-rich-rule='rule port port="22" protocol="tcp" accept limit value="4/m"'
firewall-cmd --permanent --remove-service ssh
firewall-cmd --permanent --remove-port 22/tcp
firewall-cmd --reload

My newly minted wiki username is "KimeeModel".

Regards,
Kimee

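Worked example added by the editor, covering the two pieces the thread settles on: Kimee's rich-rule replacement for the direct rules in the original post above (extended here to explicit IPv4 and IPv6 rules with a rate-limited log line) and Thibaut's custom "ssh-custom" service file from the replies, with the limit kept in rich rules because a service XML only describes what to match. None of this is code from the thread or from the CentOS wiki page. Assumed, and not stated in the thread: the zone is "public", sshd listens on 22/tcp, the log prefix is "SSH-LIMIT ", and firewall-cmd is on PATH; the two listings near the bottom are constructed samples of firewall-cmd output, not captured from a host. Two caveats the thread does not mention: the rich-rule limit is one token bucket shared by every client address (iptables -m limit, or an nftables limit rate), not a per-source counter, so a single noisy client throttles everyone including you; and once the stock ssh service is removed the rich rules are the only path in, so run this from a console or a session you can afford to lose.

```bash
#!/usr/bin/env bash
# Added example: rate-limit new SSH connections with firewalld for IPv4 and
# IPv6, using a custom service file for the match and rich rules for the
# action. Not code from the thread or the CentOS wiki.
# Assumptions (not stated in the thread): zone "public", sshd on 22/tcp,
# firewall-cmd on PATH, log prefix "SSH-LIMIT ". The service name
# "ssh-custom" and the rate "4/m" are the values the thread discusses.
# DRY_RUN=1 (default) only prints the commands a real run would execute.

SSH_SERVICE="${SSH_SERVICE:-ssh-custom}"
SSH_PORT="${SSH_PORT:-22}"
SSH_RATE="${SSH_RATE:-4/m}"
ZONE="${ZONE:-public}"
DRY_RUN="${DRY_RUN:-1}"

# Service file for /etc/firewalld/services/. A service only says what to
# match (ports, protocols, destinations); it carries no action, so the
# limit and the log line live in the rich rules below.
ssh_service_xml() {
  cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>${SSH_SERVICE}</short>
  <description>SSH on ${SSH_PORT}/tcp, rate limited by rich rules</description>
  <port protocol="tcp" port="${SSH_PORT}"/>
</service>
EOF
}

# One rich rule per family. A rule with no family= would match both, but
# explicit families show up unambiguously in --list-rich-rules and can be
# tuned separately. "limit" is a single token bucket shared by all client
# addresses, not a per-source counter: one noisy client throttles everyone.
ssh_rich_rule() {
  printf 'rule family="%s" service name="%s" log prefix="SSH-LIMIT " level="info" limit value="%s" accept limit value="%s"' \
    "$1" "$SSH_SERVICE" "$SSH_RATE" "$SSH_RATE"
}

run() {
  printf '+ %s\n' "$*"
  [ "$DRY_RUN" = "1" ] || "$@"
}

# The first reload only makes the new service file known to firewalld while
# the stock ssh service is still open, so it cannot lock you out. The rule
# changes are all --permanent and land together at the second reload.
apply_ssh_limit() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '+ write /etc/firewalld/services/%s.xml\n' "$SSH_SERVICE"
  else
    ssh_service_xml > "/etc/firewalld/services/${SSH_SERVICE}.xml"
  fi
  run firewall-cmd --reload
  run firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$(ssh_rich_rule ipv4)"
  run firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$(ssh_rich_rule ipv6)"
  run firewall-cmd --permanent --zone="$ZONE" --remove-service=ssh
  run firewall-cmd --permanent --zone="$ZONE" --remove-port="${SSH_PORT}/tcp"
  run firewall-cmd --reload
}

# Pure check over the text of `firewall-cmd --list-rich-rules` ($1) and
# `firewall-cmd --list-services` ($2): both family rules present, and the
# unlimited stock "ssh" service gone. Returns 1 and says why on failure.
check_state() {
  for fam in ipv4 ipv6; do
    printf '%s\n' "$1" | grep -q "family=\"$fam\".*service name=\"$SSH_SERVICE\".*accept limit value=\"$SSH_RATE\"" \
      || { echo "missing $fam rich rule" >&2; return 1; }
  done
  case " $2 " in
    *" ssh "*) echo "stock ssh service still enabled, limit is bypassed" >&2; return 1 ;;
  esac
  return 0
}

verify_ssh_limit() {
  check_state "$(firewall-cmd --zone="$ZONE" --list-rich-rules)" \
              "$(firewall-cmd --zone="$ZONE" --list-services)"
}

# Constructed sample of the two listings after a successful apply (not
# captured from a real host), used to exercise check_state offline. The
# service is referenced by the rich rules, so it does not appear in
# --list-services; only the zone's own services do.
SAMPLE_RICH_RULES='rule family="ipv4" service name="ssh-custom" log prefix="SSH-LIMIT " level="info" limit value="4/m" accept limit value="4/m"
rule family="ipv6" service name="ssh-custom" log prefix="SSH-LIMIT " level="info" limit value="4/m" accept limit value="4/m"'
SAMPLE_SERVICES='dhcpv6-client'

if [ "$DRY_RUN" = "1" ]; then
  apply_ssh_limit                      # prints what a real run would execute
  check_state "$SAMPLE_RICH_RULES" "$SAMPLE_SERVICES" && echo "sample state OK"
else
  apply_ssh_limit && verify_ssh_limit  # DRY_RUN=0 ./ssh-limit.sh, as root
fi
```

As written it does a dry run: it prints the seven commands a real run would execute and exercises check_state against the sample listings. DRY_RUN=0, as root, writes the service file, applies the rules, reloads and verifies the live zone.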