Apologies if this has already been asked (I couldn't see anything in the archives). I'm a bit new to firewalld and I'm trying to convert some of my machines to use the new model. I've not found any technical problems yet but I'm struggling to get a configuration that's tidy and maintainable.
I do have a couple of questions though...
Is there a reason why overlapping zones are unsupported? E.g. what I'd quite like to be able to do is use zones to represent groups of services (so zone1 might be "machines that need SSH access", and zone2 might be "machines that need mysql and postgresql access", and some machines might be in one or both zones). Once you get beyond a couple of combinations of services it ends up being a mess of rich rules that I'd quite like to avoid.
What would be really nice is a way to specify that once processing a zone is complete, another matching zone might be able to process the connection (e.g. to have the entry in the INPUT_ZONES_SOURCE chain designated with "-j" instead of "-g").
At the moment, the zones appear to be processed in sort order (zone "A" is processed before zone "B" etc) - is that a documented behavior (I can't see anything that says that it is) or is this something that may change in the future?
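As an added illustration (not part of the original post), one way to keep the zone-per-combination workaround tidy under the current single-zone-per-source model: one zone file per service combination, with membership held in a named ipset rather than a list of inline sources or rich rules. The zone name, ipset name and addresses are constructed for the example; it assumes firewalld's zone XML format and ipset-backed sources.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- /etc/firewalld/zones/ssh-and-db.xml (constructed example)
     Each source address can belong to exactly one zone, so a host that
     needs both service groups gets a zone that lists both groups'
     services. Membership lives in an ipset (defined separately, e.g.
     firewall-cmd ‑‑permanent ‑‑new-ipset=ssh-and-db-hosts ‑‑type=hash:ip
     firewall-cmd ‑‑permanent ‑‑ipset=ssh-and-db-hosts ‑‑add-entry=192.0.2.10)
     so adding or removing a host never touches the rule set itself. -->
<zone>
  <short>ssh-and-db</short>
  <description>Hosts needing SSH plus MySQL/PostgreSQL (constructed example)</description>
  <!-- One ipset reference instead of a growing list of <source address="..."/> -->
  <source ipset="ssh-and-db-hosts"/>
  <!-- "SSH access" group -->
  <service name="ssh"/>
  <!-- "database access" group -->
  <service name="mysql"/>
  <service name="postgresql"/>
</zone>
```

Hosts that need only one group go in a separate zone (e.g. ssh-only) backed by its own ipset, so the intended service group of each host is visible from the zone name rather than from a set of rich rules.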