Thanks for getting back.
Interesting that no one has asked. I'd have thought it a pretty common
scenario in a corporate setting: wired Ethernet purely set to DHCP
(802.1X on wired Ethernet is far from widely deployed), so it could be on a
secure or insecure network. I wonder if your SSSD/FreeIPA guys would
have an opinion?
Thanks again
Colin
On Wed, 2013-03-06 at 15:12 +0100, Thomas Woerner wrote:
Hello,
On 02/22/2013 07:42 PM, Colin Simpson wrote:
> Hi
>
> We are looking at firewalld just now for deployment in our environment.
>
> One situation we have is that the Ethernet wired interface is set to
> simply DHCP. This is used by users on our network and on public networks.
> Obviously we'd like to allow more ports open on our network than on a
> public network. Our network would be zone "internal" and if not our
> network would be zone "public", I'd guess.
>
> The option of setting up two different wired setups won't work as users
> cannot be relied on to switch to a public setting when off internal
> network.
>
> Is there any way we can get firewalld to detect which type of network
> it's on? This is probably analogous, I guess, to the way the Windows
> firewall has a "Domain networks" zone (which it auto-detects). Or a way
> we can give firewalld a helper script that can tell it which network
> it's on. Or something else we haven't thought of...
>
No, this is currently not possible. The zone that is used is set in the
ifcfg file or NM configuration. I already talked to Dan Williams about
this. I have added him as CC.
> At the moment we tackle this by using a custom NM dispatcher script
> that detects our internal network (by doing operations against
> internal KDCs) and loading the correct firewall into iptables based on
> this testing. So maybe this is the way, if firewalld is happy to allow
> us: can we or should we force a zone from a dispatcher.d NM script to
> switch to the correct zone?
>
I have not tried to do that yet. It should be possible to force a zone
from a dispatcher script as well, with the firewall-cmd command line tool, for
example:
firewall-cmd --zone=<zone> --change-interface=<interface>
> A similar issue is that we have a commercial VPN solution that doesn't work
> through NetworkManager; can we force a change to the zone (it can be
> made to execute a script on connection) when the VPN comes up? (The VPN
> changes routing so all traffic goes via the VPN interface.)
>
See command line above.
> How do others tackle this?
>
I do not know; there have been no other requests or questions like this up to now.
> Thanks
>
> Colin
>
Thanks,
Thomas
_______________________________________________
firewalld-users mailing list
firewalld-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
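Putting Thomas's firewall-cmd suggestion together with Colin's KDC probe, here is an added example of what such a NetworkManager dispatcher script could look like. It is not code from this thread or from the firewalld project. Assumptions not stated in the thread: MIT Kerberos kinit, a host keytab at /etc/krb5.keytab (so "kinit -k" defaults to host/<fqdn>), zones named "internal" and "public", a hypothetical install path of /etc/NetworkManager/dispatcher.d/90-firewalld-zone, and a FIREWALL_CMD variable that exists only so the decision logic can be exercised without firewalld installed. The probe deliberately completes a Kerberos AS exchange rather than just checking that TCP port 88 answers: a reachable-looking KDC or a DHCP-supplied domain name can be faked by anyone on a hostile network, but an AS-REP that decrypts under the host key cannot be produced without that key.

```bash
#!/bin/bash
# Added example, not from the thread or from firewalld.
# Hypothetical install path: /etc/NetworkManager/dispatcher.d/90-firewalld-zone
# NetworkManager invokes dispatcher scripts as: <script> <interface> <action>
#
# Assumptions: MIT Kerberos kinit, host keytab in /etc/krb5.keytab,
# zones "internal" and "public" already defined in firewalld.

INTERNAL_ZONE=internal
PUBLIC_ZONE=public
HOST_KEYTAB=/etc/krb5.keytab
# Overridable (e.g. FIREWALL_CMD=echo) so the logic can be dry-run without firewalld.
FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}

# Returns 0 only if a KDC completes an AS exchange for this host's principal.
# A plain TCP probe of port 88 can be spoofed on a hostile network; an AS-REP
# that decrypts with the host key cannot be forged without that key.
internal_network_reachable() {
    local cc rc=1
    cc=$(mktemp) || return 1
    # -k: authenticate from the keytab (defaults to host/<fqdn>)
    # -c: throwaway credential cache so we do not touch the user's tickets
    if timeout 10 kinit -k -t "$HOST_KEYTAB" -c "$cc" >/dev/null 2>&1; then
        rc=0
    fi
    kdestroy -c "$cc" >/dev/null 2>&1 || true
    rm -f "$cc"
    return $rc
}

# Maps a probe exit status to a zone name; anything but success is "public".
choose_zone() {
    if [ "$1" -eq 0 ]; then
        echo "$INTERNAL_ZONE"
    else
        echo "$PUBLIC_ZONE"
    fi
}

# Runtime-only assignment (no --permanent): it is re-evaluated on every event
# and does not survive a reboot onto an unknown network.
apply_zone() {
    "$FIREWALL_CMD" --zone="$2" --change-interface="$1"
}

handle_event() {
    local iface=$1 action=$2 rc
    case "$action" in
        # Re-probe on every link-up and on every new DHCP lease, since a new
        # lease is the usual sign that the cable is now in a different network.
        up|vpn-up|dhcp4-change)
            rc=0
            internal_network_reachable || rc=$?
            apply_zone "$iface" "$(choose_zone "$rc")"
            ;;
        *)
            # Other dispatcher actions (down, hostname, ...) need no zone change:
            # the next "up" re-probes before any ports are opened.
            return 0
            ;;
    esac
}

if [ $# -ge 2 ]; then
    handle_event "$@"
fi
```

For the commercial VPN that bypasses NetworkManager, its on-connect hook can call the same script with the tunnel interface, e.g. `90-firewalld-zone tun0 vpn-up`; once the tunnel carries all traffic the KDC probe succeeds through it and the tunnel interface lands in "internal", while the physical interface keeps whatever zone its own probe chose. Because the zone is only changed at runtime, a firewalld reload reverts to the zone configured in the ifcfg or NM profile; keep that configured default as "public" so a reload fails closed.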