Hi Guys,
I have set up one firewall machine with two interfaces, one in the public zone and one in the internal zone. I created a new policy with ingress internal and egress public and enabled masquerade on it.
If I enable masquerade on zone public as normal it works.
The issue is that it does not work with policies. Below is my config so far:
[root@FW1 ~]# firewall-cmd --list-all-policies
allow-host-ipv6 (active)
  priority: -15000
  target: CONTINUE
  ingress-zones: ANY
  egress-zones: HOST
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    rule family="ipv6" icmp-type name="neighbour-advertisement" accept
    rule family="ipv6" icmp-type name="neighbour-solicitation" accept
    rule family="ipv6" icmp-type name="router-advertisement" accept
    rule family="ipv6" icmp-type name="redirect" accept

brenda2jashte (active)
  priority: -500
  target: CONTINUE
  ingress-zones: internal
  egress-zones: public
  services:
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[root@FW1 ~]#
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp7s0
  sources:
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
I am using the info from:
https://firewalld.org/2020/09/policy-objects-introduction
https://firewalld.org/2021/06/the-upcoming-1-0-0
Please, can someone help out? This is the first time I am trying to do NAT with policies.
Tim
Oh, I forgot to mention the version:
[root@FW1 ~]# firewall-cmd --version
0.9.3
[root@FW1 ~]#
On Tue, Jan 25, 2022 at 01:30:27AM -0000, tim aliaj wrote:
You enabled masquerade, but the traffic still needs to be allowed. Filtering occurs before masquerade in the underlying firewalls.
You can allow all the traffic:
# firewall-cmd --permanent --policy brenda2jashte --set-target=ACCEPT
Or you can allow only a subset of the traffic:
# firewall-cmd --permanent --policy brenda2jashte --add-service http
# firewall-cmd --permanent --policy brenda2jashte --add-service https
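As an added illustration of the point above (this is not code from Eric's reply or from the firewalld project), a small shell check that parses `firewall-cmd --list-all-policies` output and names every policy that masquerades while allowing nothing, which is exactly the state brenda2jashte was in: the filter drops the traffic before NAT ever sees it. The sample output is constructed to mirror the thread; the function name is my own.

```shell
#!/bin/sh
# Constructed sample of `firewall-cmd --list-all-policies` output, not captured
# from a real host, laid out the way firewalld prints it.
SAMPLE_POLICIES='allow-host-ipv6 (active)
  priority: -15000
  target: CONTINUE
  ingress-zones: ANY
  egress-zones: HOST
  services:
  ports:
  protocols:
  masquerade: no
  rich rules:
    rule family="ipv6" icmp-type name="neighbour-advertisement" accept

brenda2jashte (active)
  priority: -500
  target: CONTINUE
  ingress-zones: internal
  egress-zones: public
  services:
  ports:
  protocols:
  masquerade: yes
  rich rules:
'

# Print the name of every policy that masquerades but allows nothing:
# target is CONTINUE and services, ports, protocols and rich rules are
# all empty. Such traffic is dropped by the filter before NAT runs.
find_masq_without_allow() {
  printf '%s\n' "$1" | awk '
    function report() {
      if (name != "" && masq == "yes" && target == "CONTINUE" && allows == 0)
        print name
    }
    /^[^ \t]/ { report(); name = $1; target = ""; masq = ""; allows = 0; next }
    /^  target:/     { target = $2 }
    /^  masquerade:/ { masq = $2 }
    /^  (services|ports|protocols):/ { if (NF > 1) allows++ }
    /^[ \t]+rule /   { allows++ }
    END { report() }
  '
}

# Least-privilege fix is --add-service per needed service; --set-target=ACCEPT
# opens everything forwarded between the two zones.
find_masq_without_allow "$SAMPLE_POLICIES"
```

On a real host, feed it `"$(firewall-cmd --list-all-policies)"` instead of the constructed sample.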
Huh 🤔 😁
So by default the masquerade is enabled but outgoing traffic is blocked as long as there are no rules like you mentioned:
# firewall-cmd --permanent --policy brenda2jashte --add-service http
# firewall-cmd --permanent --policy brenda2jashte --add-service https
I will try them asap.
Thanks a lot for your help 😁
Tim
On Tue, Jan 25, 2022 at 10:54 AM Eric Garver egarver@redhat.com wrote:
On Tue, Jan 25, 2022 at 01:30:27AM -0000, tim aliaj wrote:
--
Best Regards
Shpetim Aliaj
firewalld-users@lists.fedorahosted.org