Hello,
On 02/22/2013 07:42 PM, Colin Simpson wrote:
> Hi
> We are looking at firewalld just now for deployment in our environment.
> One situation we have is that the Ethernet wired interface is set to
> simply DHCP. This is used by users on our network and on public networks.
> Obviously we'd like to allow more ports open on our network than on a
> public network. Our network would be zone "internal" and if not our
> network would be zone "public", I'd guess.
> The option of setting up two different wired setups won't work as users
> cannot be relied on to switch to a public setting when off the internal
> network.
> Is there any way we can get firewalld to detect which type of network
> it's on? This is probably analogous, I guess, to the way the Windows
> firewall has a "Domain networks" zone (which they auto detect). Or a way
> we can give firewalld a helper script that can tell it which network
> it's on. Or something else we haven't thought of...
No, this is currently not possible. The zone that is used is set in the
ifcfg file or NM configuration. I already talked to Dan Williams about
this. I have added him as CC.
> At the moment we tackle this using a custom NM dispatcher script
> that detects our internal network (by doing operations against
> internal KDCs) and loads the correct firewall into iptables based on
> this testing. So maybe this is the way, if firewalld is happy to allow
> us, can we or should we force a zone from a dispatcher.d NM script to
> switch to the correct zone.
I did not try to do that, yet. It should be possible to force a zone
also in a dispatcher script with the firewall-cmd command line tool for
example:
firewall-cmd --zone=<zone> --change-interface=<interface>
> A similar issue is we have a commercial VPN solution that doesn't work
> through Network Manager, can we force a change to the zone (it can be
> made to execute a script on connection) when the VPN comes up (the VPN
> changes routing so all traffic goes via the VPN interface).
See command line above.
> How do others tackle this?
I do not know, there have been no other requests or questions like this up to now.
> Thanks
> Colin
Thanks,
Thomas
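The dispatcher-script approach Thomas suggests above, written out as an added example; this is not code from the thread, from Colin's deployment, or from the firewalld project. It assumes a hypothetical dispatcher script path (/etc/NetworkManager/dispatcher.d/90-firewalld-zone), a placeholder internal KDC hostname (kdc.example.internal, overridable through the KDC_HOST environment variable) reachable on the Kerberos port 88/tcp, and the zone names "internal" and "public" from the thread. NetworkManager invokes dispatcher scripts as `<interface> <action>`; the script probes the KDC, maps the action and probe result to a zone, and applies it with `firewall-cmd --zone=<zone> --change-interface=<interface>`. The decision logic is kept in its own function so it can be checked without a running firewalld.

```shell
#!/bin/bash
# Hypothetical path: /etc/NetworkManager/dispatcher.d/90-firewalld-zone
# Added example, not from the thread. Assumption: "internal" means an
# internal KDC accepts TCP connections on port 88.

INTERNAL_ZONE="internal"
PUBLIC_ZONE="public"
KDC_HOST="${KDC_HOST:-kdc.example.internal}"   # placeholder hostname (assumption)
KDC_PORT=88
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"  # overridable for dry runs

# Probe: succeed if the internal KDC accepts a TCP connection within 3 s.
# Uses bash's /dev/tcp so no extra tools are needed. Caveat: a bare TCP
# connect only proves that something listens on that port; a hostile
# network can answer too. A real Kerberos/TLS exchange is the stronger check.
probe_internal() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$KDC_HOST/$KDC_PORT" 2>/dev/null
}

# Pure decision: map the dispatcher action and the probe outcome to a zone.
#   $1 = NM action (up, down, dhcp4-change, vpn-up, vpn-down, ...)
#   $2 = "yes" if the probe reached the internal KDC, else "no"
# Prints the zone to apply, or nothing when the event needs no change.
choose_zone() {
    local action="$1" internal="$2"
    case "$action" in
        up|dhcp4-change|vpn-up)
            if [ "$internal" = yes ]; then
                echo "$INTERNAL_ZONE"
            else
                echo "$PUBLIC_ZONE"
            fi ;;
        down|vpn-down)
            # Fail closed: a lost link is treated as untrusted.
            echo "$PUBLIC_ZONE" ;;
        *)
            echo "" ;;
    esac
}

# Runtime-only zone change (not --permanent): this is the dynamic
# switch the thread asks about, so it should not survive a reboot.
apply_zone() {
    local iface="$1" zone="$2"
    [ -n "$zone" ] || return 0
    "$FIREWALL_CMD" --zone="$zone" --change-interface="$iface"
}

main() {
    local iface="$1" action="$2" internal=no
    probe_internal && internal=yes
    apply_zone "$iface" "$(choose_zone "$action" "$internal")"
}

# Only act when invoked by NetworkManager with <interface> <action>.
if [ $# -eq 2 ]; then
    main "$@"
fi
```

The same `apply_zone` call covers the VPN case from the thread: a VPN client that is not under NetworkManager but can run a script on connect can call `firewall-cmd --zone=internal --change-interface=<vpn interface>` directly, and the `vpn-down` branch above shows the matching fail-closed step for disconnect. One caveat for the wired case: when the zone is also set in the ifcfg file or NM connection profile, NetworkManager reapplies that setting on reconnect, so the dispatcher script must run on every `up`, not just once.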