Huh 🤔 😁
So by default the masquerade is enabled but outgoing traffic is blocked as long as there are no rules like you mentioned:
# firewall-cmd --permanent --policy brenda2jashte --add-service http
# firewall-cmd --permanent --policy brenda2jashte --add-service https
I will try them asap.
Thanks a lot for your help 😁
Tim
On Tue, Jan 25, 2022 at 01:30:27AM -0000, tim aliaj wrote:
> Hi Guys,
>
> I have set up one firewall machine with two interfaces, one on public zone and one in internal zone.
> I created a new policy with ingress internal and egress public and enabled masquerade on it.
>
> If I enable masquerade on zone public as normal it works.
>
> The issue is it does not work with policies. Below is my config so far:
>
> [root@FW1 ~]# firewall-cmd --list-all-policies
> allow-host-ipv6 (active)
> priority: -15000
> target: CONTINUE
> ingress-zones: ANY
> egress-zones: HOST
> services:
> ports:
> protocols:
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
> rule family="ipv6" icmp-type name="neighbour-advertisement" accept
> rule family="ipv6" icmp-type name="neighbour-solicitation" accept
> rule family="ipv6" icmp-type name="router-advertisement" accept
> rule family="ipv6" icmp-type name="redirect" accept
>
> brenda2jashte (active)
> priority: -500
> target: CONTINUE
> ingress-zones: internal
> egress-zones: public
> services:
> ports:
> protocols:
> masquerade: yes
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
You enabled masquerade, but the traffic still needs to be allowed.
Filtering occurs before masquerade in the underlying firewalls.
You can allow all the traffic:
# firewall-cmd --permanent --policy brenda2jashte --set-target=ACCEPT
Or you can allow only a subset of the traffic:
# firewall-cmd --permanent --policy brenda2jashte --add-service http
# firewall-cmd --permanent --policy brenda2jashte --add-service https
--
Best Regards
Shpetim Aliaj
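As an added example (not code from this thread or from firewalld), here is a small shell audit that reads a saved `firewall-cmd --list-all-policies` listing and flags policies in the state discussed above: masquerade enabled, target still CONTINUE, and nothing under services, ports, protocols or rich rules, so forwarded traffic is filtered out before it ever reaches masquerade. It assumes the real listing indents policy attributes with leading spaces, as in the thread's output; the two listings embedded below are constructed.

```shell
#!/bin/sh
# Added example: audit a firewall-cmd --list-all-policies listing for policies
# that masquerade but allow no traffic. Both listings below are constructed,
# shaped like the output quoted in the thread.
SAMPLE_LISTING='allow-host-ipv6 (active)
  priority: -15000
  target: CONTINUE
  ingress-zones: ANY
  egress-zones: HOST
  services:
  masquerade: no
  rich rules:
    rule family="ipv6" icmp-type name="redirect" accept

brenda2jashte (active)
  priority: -500
  target: CONTINUE
  ingress-zones: internal
  egress-zones: public
  services:
  ports:
  protocols:
  masquerade: yes
  rich rules:
'
# The same policy after --add-service http / --add-service https were applied.
FIXED_LISTING='brenda2jashte (active)
  target: CONTINUE
  ingress-zones: internal
  egress-zones: public
  services: http https
  masquerade: yes
'
# Reads a policy listing on stdin and prints the name of every policy that has
# masquerade enabled, a target other than ACCEPT, and no services, ports,
# protocols or rich rules: its forwarded traffic is dropped before NAT.
find_masq_without_allow() {
    awk '
        function flush() {
            if (name != "" && masq == "yes" && target != "ACCEPT" && allows == 0) print name
            name = ""; masq = ""; target = ""; allows = 0
        }
        /^[^ \t]/ { flush(); name = $1; next }          # unindented line = policy header
        /^[ \t]*target:/     { target = $2 }
        /^[ \t]*masquerade:/ { masq = $2 }
        /^[ \t]*(services|ports|protocols):/ { if (NF > 1) allows = 1 }
        /^[ \t]*rule /       { allows = 1 }             # any rich rule is present
        END { flush() }
    '
}
printf '%s' "$SAMPLE_LISTING" | find_masq_without_allow   # prints: brenda2jashte
```

On a live host, pipe `firewall-cmd --list-all-policies` into `find_masq_without_allow` instead of the constructed listing.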