Please see this blog post ("Further Information"):
https://firewalld.org/2018/07/nftables-backend
And this upstream issue:
https://github.com/firewalld/firewalld/issues/555
tl;dr: iptables and nftables are _separate_ firewalls. As such, packets
need to pass through both of them to be allowed by the system. In your
case, the packet is accepted by iptables (--direct rule), but is dropped
by firewalld's nftables rules.
I'm currently working on full FORWARD/OUTPUT filtering support [1] which
will obsolete using direct rules in this scenario. I'm hoping it lands
in the next feature release.
[1]
https://github.com/orgs/firewalld/projects/1#card-25963208
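The reply's point, that a --direct ACCEPT only satisfies iptables while firewalld's nftables ruleset still evaluates the forwarded packet, as an added audit script that is not part of this thread or of firewalld itself. It assumes the constructed samples below stand in for /etc/firewalld/firewalld.conf and for the output of `firewall-cmd --direct --get-all-rules`.

```python
import re

# Constructed sample of /etc/firewalld/firewalld.conf (only the relevant key).
FIREWALLD_CONF = "# firewalld config file\nFirewallBackend=nftables\n"

# Constructed sample of `firewall-cmd --direct --get-all-rules` output,
# mirroring the FORWARD rules from the thread plus one DROP rule for contrast.
DIRECT_RULES = """\
ipv4 filter FORWARD 0 -i ens37 -o ens38 -j ACCEPT
ipv4 filter FORWARD 0 -i ens38 -o ens37 -m state --state RELATED,ESTABLISHED -j ACCEPT
ipv4 filter INPUT 0 -p tcp --dport 2222 -j DROP
"""

def firewall_backend(conf_text):
    """Return the FirewallBackend value; 'nftables' is firewalld's default when unset."""
    for line in conf_text.splitlines():
        m = re.match(r"\s*FirewallBackend\s*=\s*(\S+)", line)
        if m:
            return m.group(1).lower()
    return "nftables"

def parse_direct_rules(text):
    """Parse lines of the form '<ipv> <table> <chain> <priority> <iptables args...>'."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        ipv, table, chain, prio, *args = parts
        # "-j" must be followed by a target, so ignore a dangling trailing "-j".
        target = args[args.index("-j") + 1] if "-j" in args[:-1] else None
        rules.append({"ipv": ipv, "table": table, "chain": chain,
                      "priority": int(prio), "args": args, "target": target})
    return rules

def find_ineffective_accepts(conf_text, direct_text):
    """Direct rules are loaded into iptables, which is a separate firewall from
    firewalld's nftables ruleset. A packet must be accepted by both, so with
    FirewallBackend=nftables a direct ACCEPT never opens traffic on its own;
    a direct DROP/REJECT still takes effect because a drop in either firewall wins."""
    if firewall_backend(conf_text) != "nftables":
        return []
    return [r for r in parse_direct_rules(direct_text)
            if r["table"] == "filter" and r["target"] == "ACCEPT"]

if __name__ == "__main__":
    for r in find_ineffective_accepts(FIREWALLD_CONF, DIRECT_RULES):
        print("direct ACCEPT not honoured by nftables backend:",
              r["chain"], " ".join(r["args"]))
```

On a real host, feed the script the actual firewalld.conf and the live `firewall-cmd --direct --get-all-rules` output instead of the constructed samples.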
On Wed, Feb 12, 2020 at 12:47:15PM -0000, Bendt Mollerup wrote:
I have a setup with three different zones: external, internal &
dmz.
In the dmz I have a DNS server and in the internal zone I have a DHCP server; these servers are set up with
fixed addresses. Another server is set up as a router with firewalld and is
connected to these 3 zones.
When I activate firewalld, nslookup from DHCP is blocked by the firewall. I made a
trace with tcpdump on port 53. I can see that the packets are received by the firewall on
the incoming side (internal zone) but they are not sent out to the dmz.
(PS! If I change FirewallBackend from nftables to iptables then it will work as in
CentOS 7)
Here are the rules that I use:
# Assigning interfaces to the zones
firewall-cmd --zone=external --change-interface=ens33
firewall-cmd --zone=internal --change-interface=ens37
firewall-cmd --zone=dmz --change-interface=ens38
# From the trusted zone (internal) allow traffic to DMZ
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ens37 -o ens38 -j ACCEPT   # This rule does not work with nftables
# Only answers back are allowed from dmz
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ens38 -o ens37 -m state --state RELATED,ESTABLISHED -j ACCEPT
firewall-cmd --zone=dmz --add-service=mdns
firewall-cmd --zone=dmz --add-service=dns
and much more, but it is not relevant here.