On 06/20/2013 05:16 PM, Nathanael D. Noblet wrote:
Hello,
So I've been following firewalld, and previously I was under the
assumption that a particular feature wasn't yet there. Now it seems that
it is.
I have a machine that is on a DMZ so we have an external router which
hands out private subnet IPs, but forwards all traffic to one machine
in that subnet. That machine runs Fedora 19 (firewalld-0.3.3-2).
I'm wondering if with the 'sources' option I can open particular
services (let's say nfs for example) to the internal subnet, but not the
external. Is that the correct understanding of what is meant by sources?
Yes it is.
If that is the case are there docs/examples of how to create a
configuration where some services are allowed by all connections, and
others are allowed based on source?
You have two choices:
1) You can bind a zone to the internal subnet (e.g. 192.168.2.1/24) and
use another or the default zone for the external subnet.
2) You can use rich language rules and add the source for the rules.
(See https://fedoraproject.org/wiki/Features/FirewalldRichLanguage for
examples). The GUI (firewall-config) is not able to handle rich rules
yet. But we are working on this.
Thomas
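The two choices from the reply above, written out as firewall-cmd invocations. This is an added example, not a script from the thread or from the firewalld project. It assumes the internal subnet is 192.168.2.0/24, that the stock "internal" zone is used for it, and that the default zone (public on Fedora) keeps serving everything else; "nfs", "ssh" and "http" are firewalld's own service names. The script only prints the commands unless APPLY=1 is set, so it can be reviewed before it touches the running firewall.

```shell
#!/bin/sh
# Added example for the firewalld "sources" question; not code from the
# mailing-list thread or the firewalld project. Subnet (192.168.2.0/24),
# zone name (internal) and the service mix are assumptions for illustration.

# Print one firewall-cmd invocation with every argument single-quoted, so
# the preview can be copied verbatim into a shell.
show() {
    printf '%s' "firewall-cmd"
    for arg in "$@"; do printf " '%s'" "$arg"; done
    printf '\n'
}

# firewalld 0.3.x has no runtime-to-permanent copy, so every change is made
# twice: once with --permanent (survives reload/reboot) and once for the
# running firewall. Dry-run by default; APPLY=1 executes for real.
fw() {
    if [ -n "${APPLY:-}" ]; then
        firewall-cmd --permanent "$@" && firewall-cmd "$@"
    else
        show --permanent "$@"
        show "$@"
    fi
}

# Choice 1: bind the internal subnet to its own zone, then open the
# source-restricted services in that zone only.
# usage: bind_subnet_to_zone <zone> <cidr> <service>...
bind_subnet_to_zone() {
    zone="$1"; cidr="$2"; shift 2
    fw --zone="$zone" --add-source="$cidr"
    for svc in "$@"; do
        fw --zone="$zone" --add-service="$svc"
    done
}

# Services that every connection may reach go into the default zone, which is
# what firewall-cmd acts on when no --zone is given.
# usage: open_to_all <service>...
open_to_all() {
    for svc in "$@"; do
        fw --add-service="$svc"
    done
}

# Choice 2: keep a single zone and let a rich rule carry the source address.
# usage: open_to_source_rich <cidr> <service>
open_to_source_rich() {
    fw --add-rich-rule="rule family=\"ipv4\" source address=\"$1\" service name=\"$2\" accept"
}

# The setup asked about in the thread, done the zone way (choice 1):
# nfs only from the internal subnet, ssh and http from anywhere.
example_policy() {
    bind_subnet_to_zone internal 192.168.2.0/24 nfs
    open_to_all ssh http
}

example_policy
```

Run it once without APPLY to read the generated commands, then with APPLY=1 to apply them; afterwards `firewall-cmd --get-active-zones` should list the internal zone with the subnet as its source, and `firewall-cmd --zone=internal --list-all` should show nfs. To take the rich-rule route instead, replace the `bind_subnet_to_zone` line in `example_policy` with `open_to_source_rich 192.168.2.0/24 nfs`; the two are alternatives, not meant to be combined.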