Distinguishing between internal and external wired networks
by Colin Simpson
Hi
We are looking at firewalld just now for deployment in our environment.
One situation we have is that the Ethernet wired interface is set to
simply DHCP. This is used by users on our network and on public networks.
Obviously we'd like to allow more ports open on our network than on a
public network. Our network would be zone "internal" and if not our
network it would be zone "public", I'd guess.
The option of setting up two different wired setups won't work as users
cannot be relied on to switch to a public setting when off the internal
network.
Is there any way we can get firewalld to detect which type of network
it's on? This is probably analogous, I guess, to the way the Windows
firewall has a "Domain networks" zone (which they auto detect). Or a way
we can give firewalld a helper script that can tell it which network
it's on. Or something else we haven't thought of...
At the moment we tackle this using a custom NM dispatcher script
that detects our internal network (by doing operations against
internal KDCs) and loads the correct firewall into iptables based on
this testing. So maybe this is the way, if firewalld is happy to allow
us: can we or should we force a zone from a dispatcher.d NM script to
switch to the correct zone?
A similar issue is that we have a commercial VPN solution that doesn't work
through NetworkManager. Can we force a change to the zone (it can be
made to execute a script on connection) when the VPN comes up? (The VPN
changes routing so all traffic goes via the VPN interface.)
How do others tackle this?
Thanks
Colin
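The dispatcher-script approach Colin describes, as an added example that is not code from the thread or from the firewalld project: a NetworkManager dispatcher script, written in Python, that probes the internal KDCs when a link comes up and binds the wired interface to the internal or public zone with firewall-cmd. The install path, the KDC host names and the choice of a plain TCP connect to port 88 as the probe are assumptions; the firewall-cmd options used (--zone, --change-interface) are real.

```python
#!/usr/bin/python3
# Added example, not from the list thread: a NetworkManager dispatcher script
# that binds the wired interface to a firewalld zone when the link comes up.
# Assumed install path: /etc/NetworkManager/dispatcher.d/90-firewalld-zone
# NetworkManager invokes it as:  <script> <interface> <action>
import socket
import subprocess
import sys

INTERNAL_ZONE = "internal"
PUBLIC_ZONE = "public"
# Placeholder KDC names; a real deployment would carry the site's own list.
KDC_HOSTS = ("kdc1.corp.example", "kdc2.corp.example")
KERBEROS_PORT = 88


def kdc_reachable(hosts=KDC_HOSTS, port=KERBEROS_PORT, timeout=3.0):
    """Return True if any internal KDC accepts a TCP connection on 88/tcp.

    Assumption: the KDCs are reachable only from inside the corporate
    network, so a successful connect is evidence of being on it."""
    for host in hosts:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return True
        except OSError:
            continue
    return False


def pick_zone(on_internal_network):
    """Map the probe result to a zone name. Fail closed: anything that is
    not recognised as the internal network gets the tighter public zone."""
    return INTERNAL_ZONE if on_internal_network else PUBLIC_ZONE


def zone_change_command(iface, zone):
    """firewall-cmd invocation that moves iface into zone in the running
    configuration only. --permanent is deliberately not used: the binding
    is re-evaluated at every link-up and must not survive a reboot."""
    return ["firewall-cmd", "--zone=" + zone, "--change-interface=" + iface]


def apply_zone(iface, zone, run=subprocess.run):
    """Execute the zone change. `run` is injectable so the decision logic
    can be exercised without a live firewalld."""
    return run(zone_change_command(iface, zone), check=True)


def main(argv):
    if len(argv) < 3:          # not called by NetworkManager: nothing to do
        return 0
    iface, action = argv[1], argv[2]
    if action == "up":
        zone = pick_zone(kdc_reachable())
    elif action == "down":
        zone = PUBLIC_ZONE     # link lost: fall back to the restrictive zone
    else:
        return 0               # dhcp4-change, hostname, ... are ignored
    apply_zone(iface, zone)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the binding is made with firewall-cmd at runtime, it is recomputed on every link-up and never written to the permanent zone configuration. The same script can be called from the commercial VPN client's connect hook as `<script> <vpn-interface> up`: once the tunnel carries the routes, the KDC probe succeeds through it and the VPN interface lands in the internal zone. A bare TCP connect only proves that something answers on port 88; where the probe has to hold up on an untrusted network, a real Kerberos exchange against the KDC (as the site's existing dispatcher script does) is the stronger test.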
11 years
Re: Not happy about firewalld man pages
by Jiri Popelka
On 02/18/2013 01:35 PM, "Jørgen Thomsen" wrote:
> On Mon, 18 Feb 2013 12:46:10 +0100,Jiri Popelka wrote:
>
>>> b) iptables --list are displaying a set of rules. From where are they loaded ?
>> I'm not sure I understand the question.
> Users of iptables are used to handling rules loaded from e.g. a file saved by iptables-save and
> managed by their own simple scripts. This is probably no longer possible.
> iptables --list is listing the rules as they always have been listed, but they cannot be found
> in /etc/sysconfig.
>
> How about this simple addition to the firewalld man page:
>
> The firewalld configuration is loaded from XML-files in /etc/firewalld. Predefined rules files
> can be found in /usr/lib/firewalld
Added in
http://git.fedorahosted.org/cgit/firewalld.git/commit/?id=b84b30f5e148bf8...
>
> This fact is not obvious for a new user, but just specifying this is creating a framework for
> the user and improving the understanding very much. I had to spend much time to understand this
> simple fact.
>
>> All man pages point to the home page at
>> http://fedorahosted.org/firewalld/
> Basic information should be in the man pages and not via a chain of URLs not easily read from a
> command line on a computer possibly not connected to the Internet (yet).
I added the wiki URL to firewalld and firewall-cmd man pages.
I'll think more about whether and what examples we should put into the
firewall-cmd man page.
--
Jiri
11 years, 1 month
Re: Not happy about firewalld man pages
by Jiri Popelka
Replying to the Firewalld users discussion list.
Please use this list for further communication.
Thanks.
On 02/16/2013 08:51 PM, "Jørgen Thomsen" wrote:
> Hi
>
> After fighting for some hours with the new Fedora 18 firewall I am really dissatisfied with the
> documentation of this new feature.
>
> It is lacking definitions and simple howto examples.
>
> It is paramount to provide a way of simple transition to a completely new system using
> user-unfriendly XML-files, which I never understood the need for in very simple configuration
> files. But that unfortunately is the current trend in anything, whether it adds value or not.
>
> 1) man firewalld
>
> a) there is a too simplified explanation on the structure of the configuration files and how
> they are used both by the program and by the user.
There's also a note:
"For more information on icmptypes, please have a look at the
firewalld.icmptype(5) man page, for services at firewalld.service(5) and
for zones at firewalld.zone(5)."
> b) iptables --list are displaying a set of rules. From where are they loaded ?
I'm not sure I understand the question.
The rules are loaded from the above mentioned XML configuration files.
For example:
/usr/lib/firewalld/zones/public.xml
contains
<service name="ssh"/>
which is defined in /usr/lib/firewalld/services/ssh.xml
as
<port protocol="tcp" port="22"/>
so when firewalld loads public.xml it runs the following command
iptables -A IN_ZONE_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
> c) a simple example of adding/deleting a new permanent rule is missing e.g how to use one of
> the predefined rules. Howto and the result of this command. This would increase the
> understanding of how firewalld is working very much
Permanent rules are added into the XML configuration files and should be
described in firewalld.zone(5).
All man pages point to the home page at
http://fedorahosted.org/firewalld/
which points to documentation at
https://fedoraproject.org/wiki/FirewallD/
where there are examples of adding permanent rules with 'firewall-cmd
--permanent':
https://fedoraproject.org/wiki/FirewallD#Permanent.2Fpersistent_zone_hand...
> 2) man firewall-cmd
> [--zone=<zone>] --add-ACTION [--timeout=<seconds>]
>
> What is ACTION ? No definition is provided
> This does not help at all:
> For the possible actions, please have a look at the action options further down.
I tried to improve this a little with
http://git.fedorahosted.org/cgit/firewalld.git/commit/?id=3ca05d170cd70ce...
> Again simple examples are providing much more information than long lists of options (which of
> course must be present, too)
>
> Please, sit down and forget everything you know about firewalld and then improve the
> documentation, or better ask somebody who never used it, do some simple firewalld tasks and then
> based on his experience write the documentation so he can do it within a few minutes without
> asking you.
Yes, the documentation is far from perfect, and a few examples, or at
least a pointer to
https://fedoraproject.org/wiki/FirewallD#Using_firewall-cmd
would be good.
>
> - Jørgen Thomsen
>
> Kontaktinfo: http://jth.tel
--
Jiri
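Jiri's walk from public.xml through ssh.xml to the iptables rule, as an added example that is not firewalld's own code: a small Python translator run over inline copies of the two XML fragments. The zone and service contents are constructed from the snippets quoted above, the chain name IN_ZONE_public_allow and the -p/-m/--dport/conntrack layout are taken from Jiri's rule, and the extra 8080/tcp entry in the zone is a constructed addition so that a zone's own <port> element appears beside a <service> reference.

```python
# Added example, not firewalld's code: translate a zone file's <service> and
# <port> entries into the iptables commands Jiri describes.
import xml.etree.ElementTree as ET

# Constructed stand-ins for /usr/lib/firewalld/zones/public.xml and
# /usr/lib/firewalld/services/ssh.xml, trimmed to the elements that matter.
ZONES = {
    "public": """<zone>
  <short>Public</short>
  <service name="ssh"/>
  <port protocol="tcp" port="8080"/>
</zone>""",
}
SERVICES = {
    "ssh": """<service>
  <short>SSH</short>
  <port protocol="tcp" port="22"/>
</service>""",
}


def service_ports(name, services=SERVICES):
    """Ports declared by a service file, as (protocol, port) pairs."""
    root = ET.fromstring(services[name])
    return [(p.get("protocol"), p.get("port")) for p in root.findall("port")]


def zone_ports(name, zones=ZONES, services=SERVICES):
    """All (protocol, port) pairs a zone opens: its own <port> elements plus
    the ports of every <service> it references. A reference to an unknown
    service raises KeyError, like a zone file pointing at a missing file."""
    root = ET.fromstring(zones[name])
    ports = [(p.get("protocol"), p.get("port")) for p in root.findall("port")]
    for svc in root.findall("service"):
        ports.extend(service_ports(svc.get("name"), services))
    return ports


def iptables_rules(zone, zones=ZONES, services=SERVICES):
    """The iptables commands for the zone's allow chain, in the layout of the
    rule Jiri quotes: IN_ZONE_<zone>_allow, NEW connections only."""
    chain = "IN_ZONE_%s_allow" % zone
    return [
        "iptables -A %s -p %s -m %s --dport %s -m conntrack --ctstate NEW -j ACCEPT"
        % (chain, proto, proto, port)
        for proto, port in zone_ports(zone, zones, services)
    ]


if __name__ == "__main__":
    for rule in iptables_rules("public"):
        print(rule)
```

Run stand-alone it prints the two rules for the constructed public zone; the ssh one is exactly the command Jiri gives. Pointing ZONES and SERVICES at the real files under /etc/firewalld (which override /usr/lib/firewalld) is the way to check what a zone actually opens before trusting `iptables --list`.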
11 years, 1 month
Firewalld logging
by Greaser, Tom
Good morning everyone.
I did some man-ing and googling, but maybe someone can help and point me in the right direction.
On my Fedora 18 workstation I was having troubles; my first thought was to look at my logs. I found I had no way to output logs from firewalld.
Would someone point out my shortcomings / acknowledge my blonde moment?
P.S. It was not a firewalld / iptables issue, if you care, but it got me thinking: how do I troubleshoot?!
Thanks,
Tom
11 years, 1 month
Local port redirection seems not working
by Raphaël Flores
Hello,
I have a Fedora 18 OS which is running behind a Freebox Revolution (French
ISP router) and has IP 192.168.1.39. The F18 OS hosts a Tomcat server
listening on port 8080.
I've opened ports 8079 and 8080 in the public (default) zone:
# firewall-cmd --list-port
8079/tcp 8080/tcp
I've tried to redirect port 8079 to 8080 via TCP and UDP:
# firewall-cmd --list-forward-port
port=8079:proto=tcp:toport=8080:toaddr=
port=8079:proto=udp:toport=8080:toaddr=
I'm thinking this is sufficient to effectively redirect all requests on
8079 to 8080, so that an HTTP GET on http://192.168.1.39:8079/ SHOULD
(afaik) be redirected to the Tomcat server as if I had done an HTTP GET on
http://192.168.1.39:8080/ (which currently shows me the Tomcat welcome page).
That would be the expected result, but when I HTTP GET
http://192.168.1.39:8079/ via Firefox, nothing happens except the web
browser tells me that it cannot reach the given address.
If I use the 192.168.1.39 IP instead of 127.0.0.1, it's because I further
want to redirect the port to a guest virtual machine which will host the
Tomcat server, but currently I just want the redirection to work locally.
Any hint for correctly enabling the port redirection? Where is the
misconfiguration?
Thanks for any help.
Raphaël Flores.
11 years, 1 month