I have a setup with three different zones: external, internal and dmz.
In the dmz I have a DNS server and in the internal zone I have a DHCP server; these servers are set up with
fixed addresses. Another server is set up as a router with firewalld and is
connected to these three zones.
When I activate firewalld, nslookup from the DHCP server is blocked by the firewall. I made a trace
with tcpdump on port 53. I can see that the packets are received by the firewall on the
incoming side (internal zone) but are not sent out to the dmz.
(PS! If I change FirewallBackend from nftables to iptables then it works as in CentOS
7.)
Here are the rules that I use:
# Assigning interface to the zones
firewall-cmd --zone=external --change-interface=ens33
firewall-cmd --zone=internal --change-interface=ens37
firewall-cmd --zone=dmz --change-interface=ens38
# From the trusted zone (internal) allow traffic to DMZ
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ens37 -o ens38 -j ACCEPT # This rule does not work with nftables
# Only answer back is allowed from dmz
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ens38 -o ens37 -m state --state RELATED,ESTABLISHED -j ACCEPT
firewall-cmd --zone=dmz --add-service=mdns
firewall-cmd --zone=dmz --add-service=dns
and much more but it is not relevant here.
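A check worth running on the router, added here as an example and not part of the original post: with the nftables backend, `--direct` rules are still installed through iptables-nft into the `ip filter` table, while firewalld's own rules live in `inet firewalld`. Both tables attach a base chain to the forward hook and each is evaluated on its own, so an ACCEPT in `FORWARD_direct` does not exempt the packet from `filter_FORWARD`'s final reject. The script below parses a constructed, trimmed sample of `nft list ruleset` output (assumed layout, not captured from the poster's machine) and lists every table that hooks forward; run it against real `nft list ruleset` output to confirm the split.

```shell
#!/bin/sh
# Constructed sample of `nft list ruleset` on a firewalld host using the
# nftables backend while also carrying an iptables-nft direct rule.
# Hypothetical and trimmed; real output is much longer.
SAMPLE_RULESET='table inet firewalld {
    chain filter_FORWARD {
        type filter hook forward priority filter + 10; policy accept;
        ct state established,related accept
        jump filter_FORWARD_ZONES
        reject with icmpx type admin-prohibited
    }
}
table ip filter {
    chain FORWARD {
        type filter hook forward priority filter; policy accept;
        jump FORWARD_direct
    }
    chain FORWARD_direct {
        iifname "ens37" oifname "ens38" counter accept
    }
}'

# Print "<family> <table> <chain>" for every base chain attached to the given
# netfilter hook. Each base chain is evaluated independently, so an accept
# verdict in one table does not exempt the packet from the others.
forward_hook_chains() {
    hook="$1"
    printf '%s\n' "$2" | awk -v hook="$hook" '
        /^table /       { family = $2; table = $3 }
        /^[ \t]*chain / { chain = $2 }
        $0 ~ "hook " hook " " { print family, table, chain }
    '
}

# Succeeds (exit 0) when more than one table hooks "forward": in that case a
# direct rule in "ip filter" cannot override firewalld's filter_FORWARD chain
# in "inet firewalld", which is the situation described in the post.
has_competing_forward_chains() {
    n=$(forward_hook_chains forward "$1" | awk '{ print $1, $2 }' | sort -u | wc -l | tr -d ' ')
    [ "$n" -gt 1 ]
}

if has_competing_forward_chains "$SAMPLE_RULESET"; then
    echo "forward hook is shared by several tables; direct ACCEPT is not final:"
    forward_hook_chains forward "$SAMPLE_RULESET"
fi
```

On firewalld 0.9 and newer the same allow can be expressed as a policy object (`--new-policy`, `--add-ingress-zone internal`, `--add-egress-zone dmz`), which places the rule inside the firewalld table itself instead of a separate iptables table.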