Huh 🤔 😁

So by default the masquerade is enabled but outgoing traffic is blocked as long as there are no rules like you mentioned:

  # firewall-cmd --permanent --policy brenda2jashte --add-service http
  # firewall-cmd --permanent --policy brenda2jashte --add-service https

I will try them asap.

Thanks a lot for your help 😁

Tim

On Tue, Jan 25, 2022 at 10:54 AM Eric Garver <egarver@redhat.com> wrote:
On Tue, Jan 25, 2022 at 01:30:27AM -0000, tim aliaj wrote:
> Hi Guys,
>
> I have set up one firewall machine with two interfaces, one in the public zone and one in the internal zone.
> I created a new policy with ingress internal and egress public and enabled masquerade on it.
>
> If I enable masquerade on zone public as normal, it works.
>
> The issue is that it does not work with policies. Below is my config so far:
>
> [root@FW1 ~]# firewall-cmd --list-all-policies
> allow-host-ipv6 (active)
>   priority: -15000
>   target: CONTINUE
>   ingress-zones: ANY
>   egress-zones: HOST
>   services:
>   ports:
>   protocols:
>   masquerade: no
>   forward-ports:
>   source-ports:
>   icmp-blocks:
>   rich rules:
>       rule family="ipv6" icmp-type name="neighbour-advertisement" accept
>       rule family="ipv6" icmp-type name="neighbour-solicitation" accept
>       rule family="ipv6" icmp-type name="router-advertisement" accept
>       rule family="ipv6" icmp-type name="redirect" accept
>
> brenda2jashte (active)
>   priority: -500
>   target: CONTINUE
>   ingress-zones: internal
>   egress-zones: public
>   services:
>   ports:
>   protocols:
>   masquerade: yes
>   forward-ports:
>   source-ports:
>   icmp-blocks:
>   rich rules:

You enabled masquerade, but the traffic still needs to be allowed.
Filtering occurs before masquerade in the underlying firewalls.

You can allow all the traffic:

  # firewall-cmd --permanent --policy brenda2jashte --set-target=ACCEPT

Or you can allow only a subset of the traffic:

  # firewall-cmd --permanent --policy brenda2jashte --add-service http
  # firewall-cmd --permanent --policy brenda2jashte --add-service https

--
Best Regards

Shpetim Aliaj
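As an added check, not code from the thread or from the firewalld project: parse a `firewall-cmd --list-all-policies` listing like the one quoted above and flag policies that have masquerade enabled but nothing allowed (target CONTINUE, no services, ports, protocols, forward-ports or rich rules), which is the state Eric's reply diagnoses. The sample listing is constructed from the thread; the only assumption is the listing's two-space/six-space indentation format.

```python
# Constructed sample in the format of `firewall-cmd --list-all-policies`, taken from the thread above.
SAMPLE_OUTPUT = """\
allow-host-ipv6 (active)
  target: CONTINUE
  ingress-zones: ANY
  egress-zones: HOST
  services:
  ports:
  protocols:
  masquerade: no
  rich rules:
      rule family="ipv6" icmp-type name="neighbour-advertisement" accept

brenda2jashte (active)
  target: CONTINUE
  ingress-zones: internal
  egress-zones: public
  services:
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  rich rules:
"""


def parse_policies(text):
    """Parse the listing into {policy_name: {field: value}}; indented rich rules are joined with '; '."""
    policies, name, key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):              # header line, e.g. "brenda2jashte (active)"
            name, key = line.split()[0], None
            policies[name] = {}
        elif line.startswith("      ") and key:   # deeper indent: a rich rule belonging to the last key
            policies[name][key] = "; ".join(filter(None, [policies[name][key], line.strip()]))
        else:                                     # "field: value" line
            key, _, value = line.strip().partition(":")
            policies[name][key] = value.strip()
    return policies


def masquerade_without_allow(policies):
    """Names of policies that masquerade but admit no traffic: target CONTINUE and no allow entry.
    Filtering happens before masquerade, so such a policy NATs nothing until traffic is allowed."""
    allow_fields = ("services", "ports", "protocols", "forward-ports", "rich rules")
    return sorted(n for n, p in policies.items()
                  if p.get("masquerade") == "yes" and p.get("target") == "CONTINUE"
                  and not any(p.get(f) for f in allow_fields))
```

Either fix from the reply clears the finding: setting the target to ACCEPT, or adding services such as http and https.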