On Sun, Nov 08, 2020 at 05:22:52AM -0000, Robert Smuhar wrote:
> I spent most of yesterday on this and found only 2 threads on the
> same subject but unfortunately there were no answers. All other discussions were using
> NAT, which I don't need nor want.
> After more research it appears that this is expected in v8.0 and the functionality should
> be implemented in v9.x of firewalld.
> So, I installed the latest version of Fedora and installed firewalld 9.1. Unfortunately I
> get the exact same results.
> [root@firewall ~]# firewall-cmd --version
> 0.9.1
> [root@firewall ~]# tail -1 /etc/firewalld/firewalld.conf
> AllowZoneDrifting=yes
This is strongly discouraged. The default is "no". I suggest leaving it
as "no".
> Any help with a solution for this would be much appreciated.
Simply upgrading to v0.9.z is not enough. You need to add the rules to
allow the traffic. This means creating a policy.
I'm guessing based on your original email, but maybe this is what you
want:
# firewall-cmd --permanent --new-policy internalToDmz
# firewall-cmd --permanent --policy internalToDmz --add-ingress-zone internal
# firewall-cmd --permanent --policy internalToDmz --add-egress-zone dmz
# firewall-cmd --permanent --policy internalToDmz --add-service ssh
# firewall-cmd --reload
This creates a policy that allows SSH connections from the zone internal
to zone dmz.
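As an added example that is not part of the thread above, the following script wraps the same policy recipe in a reusable form: it reports the effective AllowZoneDrifting setting from a firewalld.conf file (flagging the "yes" value from the original post), and prints or runs the firewall-cmd calls that build a zone-to-zone policy for any list of services, finishing with --info-policy so the result can be verified. It assumes firewalld 0.9 or later (policy objects) and firewall-cmd in PATH when run with RUN=1; the FIREWALLD_CONF and RUN variables, the function names and the sample config are this example's own, not firewalld's.

```shell
#!/bin/sh
# Added example (not code from the mailing-list thread). Checks the
# AllowZoneDrifting setting and builds a firewalld zone-to-zone policy.
# Assumes firewalld >= 0.9 and firewall-cmd in PATH when RUN=1; the
# FIREWALLD_CONF/RUN variables and names below are illustrative.

# Effective AllowZoneDrifting value in a firewalld.conf: the last
# uncommented "AllowZoneDrifting=<value>" line wins, surrounding
# whitespace is dropped, the value is lower-cased; empty when unset
# (firewalld's documented default is "no").
zone_drifting_value() {
    awk -F= '
        $1 ~ /^[[:space:]]*AllowZoneDrifting[[:space:]]*$/ { v = $2; gsub(/[[:space:]]/, "", v) }
        END { print tolower(v) }
    ' "$1"
}

# Return 0 when zone drifting is off ("no" or unset), 1 otherwise.
# Any value other than "no" is treated as enabled (conservative choice).
zone_drifting_ok() {
    case "$(zone_drifting_value "$1")" in
        ""|no) return 0 ;;
        *)     return 1 ;;
    esac
}

# Print, one per line, the firewall-cmd calls that create a policy
# allowing SERVICE... from the INGRESS zone to the EGRESS zone, then
# reload and display the policy so the result can be verified.
# usage: policy_commands NAME INGRESS EGRESS SERVICE...
policy_commands() {
    name=$1; ingress=$2; egress=$3; shift 3
    printf 'firewall-cmd --permanent --new-policy %s\n' "$name"
    printf 'firewall-cmd --permanent --policy %s --add-ingress-zone %s\n' "$name" "$ingress"
    printf 'firewall-cmd --permanent --policy %s --add-egress-zone %s\n' "$name" "$egress"
    for svc in "$@"; do
        printf 'firewall-cmd --permanent --policy %s --add-service %s\n' "$name" "$svc"
    done
    printf 'firewall-cmd --reload\n'
    printf 'firewall-cmd --info-policy %s\n' "$name"
}

# Demo on a constructed config reproducing the setting from the original
# post, so this runs without root or firewalld installed. Point
# FIREWALLD_CONF at the real /etc/firewalld/firewalld.conf to check a host.
conf=${FIREWALLD_CONF:-$(mktemp)}
if [ -z "${FIREWALLD_CONF:-}" ]; then
    printf 'DefaultZone=public\nAllowZoneDrifting=yes\n' > "$conf"   # constructed sample
fi

if zone_drifting_ok "$conf"; then
    echo "AllowZoneDrifting is off in $conf"
else
    echo "WARNING: AllowZoneDrifting=$(zone_drifting_value "$conf") in $conf; this is strongly discouraged, set it to \"no\"" >&2
fi

if [ "${RUN:-0}" = 1 ]; then
    # Execute for real (needs root); stop at the first failing command.
    policy_commands internalToDmz internal dmz ssh | sh -e
else
    echo "# dry run; set RUN=1 to execute:"
    policy_commands internalToDmz internal dmz ssh
fi

[ -n "${FIREWALLD_CONF:-}" ] || rm -f "$conf"
```

Run it as-is for a dry run that prints the commands; `RUN=1 FIREWALLD_CONF=/etc/firewalld/firewalld.conf sh policy.sh` as root applies them on a live host. Services beyond ssh are added by passing more names to policy_commands.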