On Mon, Mar 04, 2019 at 10:44:19PM -0000, Eric Smith wrote:
> I'm confused about services enabled in a zone because the docs suggest
> that it allows that service on destinations in the zone to be accessed
> from sources outside the zone, but then I've seen some places on blogs
> and forums that suggest that the enabled services for the zone affect
> outbound connections from sources in the zone. Is it controlling
> inbound, outbound, or both?
Inbound. Firewalld does not have native support for OUTPUT filtering.
> I have an http server in zone1, and I want to allow any source in
> zone2 to connect to it (but not vice versa). How do I do that? I tried
> setting a "rich rule" for zone1, but I couldn't figure out how to use
> zone2 as the source in a rule. Is that not possible?
What you're describing is forward filtering, which firewalld doesn't
support.
If zone2 has an "accept" policy (see --set-target, or trusted zone),
then it will allow forwarding from zone2 --> zone1. Otherwise the
forwarded traffic will be blocked.
Warning: Using an "accept" policy also means all connections from that
zone to the _host_ are accepted.
Your other alternative is to use --direct rules.
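The two approaches from the reply written out as firewall-cmd invocations. This is an added example, not code from the thread or from the firewalld project; the interface names eth0/eth1 (assumed to be what zone1 and zone2 are bound to) and the dry-run wrapper are assumptions.

```shell
#!/bin/sh
# Added example. Assumed placeholders: zone1 is bound to eth0 (where the http
# server sits), zone2 is bound to eth1. FWCMD lets the functions be dry-run
# (FWCMD=echo) so the exact command lines can be reviewed before touching a
# live host; the real value is firewall-cmd.
FWCMD="${FWCMD:-firewall-cmd}"

# Option A: give zone2 an ACCEPT target. Forwarded traffic zone2 -> zone1 is
# then allowed, but so is every connection from zone2 to the host itself,
# which is the warning in the reply.
allow_zone2_via_target() {
    "$FWCMD" --permanent --zone=zone2 --set-target=ACCEPT
}

# Option B: --direct rules. Direct rules live in FORWARD_direct, which the
# FORWARD chain consults before any zone chain, so "from zone2 to zone1" is
# expressed by matching the interfaces the zones are bound to. Only tcp/80
# one way plus established replies, so zone1 -> zone2 stays closed.
allow_zone2_to_zone1_http() {
    z2_if="$1"
    z1_if="$2"
    "$FWCMD" --permanent --direct --add-rule ipv4 filter FORWARD 0 \
        -i "$z2_if" -o "$z1_if" -p tcp --dport 80 -j ACCEPT
    "$FWCMD" --permanent --direct --add-rule ipv4 filter FORWARD 0 \
        -i "$z1_if" -o "$z2_if" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Permanent changes take effect only after a reload.
apply_changes() {
    "$FWCMD" --reload
}

# Run a function with FWCMD=echo in a subshell so nothing is applied; the
# output is the command lines that would be issued.
dry_run() {
    ( FWCMD=echo; "$@" )
}

# Stand-alone usage: show what option B would issue for eth1 -> eth0.
dry_run allow_zone2_to_zone1_http eth1 eth0
```

Replace `dry_run` with a direct call (and follow with `apply_changes`) only after reviewing the printed lines on a host where the interface-to-zone binding has been confirmed with `firewall-cmd --get-active-zones`.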