On Tue, Jan 25, 2022 at 01:30:27AM -0000, tim aliaj wrote:
Hi Guys,
I have set up one firewall machine with two interfaces, one in the public zone and one in the
internal zone.
I created a new policy with ingress internal and egress public and enabled masquerade on
it.
If I enable masquerade on zone public as normal it works.
The issue is it does not work with policies. Below is my config so far:
[root@FW1 ~]# firewall-cmd --list-all-policies
allow-host-ipv6 (active)
priority: -15000
target: CONTINUE
ingress-zones: ANY
egress-zones: HOST
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv6" icmp-type name="neighbour-advertisement" accept
rule family="ipv6" icmp-type name="neighbour-solicitation" accept
rule family="ipv6" icmp-type name="router-advertisement" accept
rule family="ipv6" icmp-type name="redirect" accept
brenda2jashte (active)
priority: -500
target: CONTINUE
ingress-zones: internal
egress-zones: public
services:
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
You enabled masquerade, but the traffic still needs to be allowed.
Filtering occurs before masquerade in the underlying firewalls.
You can allow all the traffic:
# firewall-cmd --permanent --policy brenda2jashte --set-target=ACCEPT
Or you can allow only a subset of the traffic:
# firewall-cmd --permanent --policy brenda2jashte --add-service http
# firewall-cmd --permanent --policy brenda2jashte --add-service https
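An added check (not part of this thread or of firewalld itself) that scans the output of `firewall-cmd --list-all-policies` for the misconfiguration diagnosed above: a policy that masquerades but has target CONTINUE and no service, port, protocol or accepting rich rule, so nothing it forwards is ever allowed. The policy listing below is a constructed sample in the indented format firewall-cmd prints, with the broken policy from the thread and a fixed copy of it.

```shell
# find_masq_without_allow: read `firewall-cmd --list-all-policies` output on
# stdin, print the name of every policy with masquerade=yes whose target is
# not ACCEPT and that allows no traffic at all (the "masquerade but still
# filtered" case). Added example, not project code.
find_masq_without_allow() {
  awk '
    function flush() {
      if (name != "" && masq == "yes" && target != "ACCEPT" && allow == 0)
        print name
    }
    # an unindented line starts a new policy: "<name> (active)"
    /^[^ \t]/ { flush(); name = $1; masq = ""; target = ""; allow = 0; next }
    /^[ \t]+target:/     { target = $2; next }
    /^[ \t]+masquerade:/ { masq = $2; next }
    # any listed service, port or protocol accepts some traffic
    /^[ \t]+(services|ports|protocols):/ { if (NF > 1) allow = 1; next }
    # a rich rule ending in "accept" also allows traffic
    /^[ \t]+rule / { if ($0 ~ / accept$/) allow = 1; next }
    END { flush() }
  '
}

# Constructed sample: the policy from the thread, plus the same policy
# after `--add-service http` / `--add-service https`.
SAMPLE_POLICIES=$(cat <<'EOF'
brenda2jashte (active)
  priority: -500
  target: CONTINUE
  ingress-zones: internal
  egress-zones: public
  services:
  ports:
  protocols:
  masquerade: yes
  rich rules:
brenda2jashte-fixed (active)
  priority: -500
  target: CONTINUE
  ingress-zones: internal
  egress-zones: public
  services: http https
  ports:
  protocols:
  masquerade: yes
  rich rules:
EOF
)

# On a real host replace the sample with: firewall-cmd --list-all-policies | find_masq_without_allow
printf '%s\n' "$SAMPLE_POLICIES" | find_masq_without_allow
```

Only `brenda2jashte` is reported; the copy with services added is silent, as is a policy whose target is ACCEPT.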