Hi,
Strangely enough this seems to be a common problem without a clear answer (see for instance: https://ask.fedoraproject.org/en/question/32104/port-redirect-with-firewalld... )
We have a file to be fetched via http on port 8080, so this works:
# wget http://localhost:8080/file_to_fetch.txt
We want this to work as well:
# wget http://localhost/file_to_fetch.txt
But adding the port forward to the trusted zone (with interface lo) won't do.
forward-ports: port=80:proto=tcp:toport=8080:toaddr=
Even adding it as a rich rule does not work. The only way around is with a direct rule:
# cat /etc/firewalld/direct.xml
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule priority="0" table="nat" ipv="ipv4" chain="OUTPUT">-d 127.0.0.1 -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8080</rule>
</direct>
We are using version 0.3.9 as packaged in CentOS7.
Surely there is another way?
Thanks,
Benjamin Lefoul
On 05/19/2016 01:43 PM, Benjamin Lefoul wrote:
Hi Benjamin,
This sounds like https://github.com/t-woerner/firewalld/issues/78
From: Markos Chandras mchandras@suse.de
Sent: 19 May 2016 14:49
To: Firewalld users discussion list
Subject: Re: local port forwarding
This sounds like https://github.com/t-woerner/firewalld/issues/78
--to-destination :port actually rewrites the port on the packet but leaves the destination address intact.
Mmh, does it? Because in my case, the destination address IS the same: 127.0.0.1
Benjamin
-- markos
SUSE LINUX GmbH | GF: Felix Imendörffer, Jane Smithard, Graham Norton HRB 21284 (AG Nürnberg) Maxfeldstr. 5, D-90409, Nürnberg
_______________________________________________
firewalld-users mailing list
firewalld-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/firewalld-users@lists.fedorahoste...
On 05/20/2016 07:24 AM, Benjamin Lefoul wrote:
I believe so. You only want to change the port and not the destination address, and this is usually implemented in iptables using the REDIRECT target, which is something firewalld does not understand at the moment.
By the way, have you tried the following rule instead?
forward-ports: port=80:proto=tcp:toport=8080:toaddr=127.0.0.1
From: Markos Chandras mchandras@suse.de
Sent: 20 May 2016 10:06
To: Firewalld users discussion list
Subject: Re: local port forwarding
Yes, I did try this. It didn't work. /Benjamin
Hi,
On 05/19/2016 02:43 PM, Benjamin Lefoul wrote:
Is the trusted zone active in your configuration?
What is the output of:
firewall-cmd --get-active-zones
If the trusted zone is not bound to an interface or connection or source, then this rule does not have an effect. Please add it to the default zone then instead.
Regards, Thomas
On 05/20/2016 01:49 PM, Thomas Woerner wrote:
I am sorry, I missed that you tried to access localhost. As Markos said, this is https://github.com/t-woerner/firewalld/issues/78
Regards, Thomas
Hi,
On 05/19/2016 02:43 PM, Benjamin Lefoul wrote:
No, I am sorry, right now there is no other way. firewalld is not providing a zone for locally generated packets, yet. These packets are not part of any zone at the moment. But it is planned to add a special zone for this with a name like "local" or "outgoing".
Regards, Thomas
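Putting the thread's conclusion into a checkable form, as an added example that is not code from the thread or from firewalld: it persists the loopback redirect as a direct rule through firewall-cmd and then checks the nat table for it, since a rule created by zone forward-ports sits in a PRE_* chain that locally generated packets never traverse. Assumed: firewall-cmd and iptables are installed, firewalld places OUTPUT direct rules in a chain named OUTPUT_direct, and the iptables -S lines in SAMPLE_NAT are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from firewalld: persist the
# loopback redirect as a firewalld direct rule and verify it in the nat table.
# Assumptions: firewall-cmd and iptables exist; firewalld puts OUTPUT direct
# rules into a chain named OUTPUT_direct; SAMPLE_NAT below is constructed.

# iptables arguments for the redirect ($1 = port clients use, $2 = listening
# port). -o lo and -d 127.0.0.1 keep it from touching other outbound traffic.
redirect_rule_args() {
    printf '%s' "-o lo -d 127.0.0.1 -p tcp --dport $1 -j DNAT --to-destination 127.0.0.1:$2"
}

# Same effect as the direct.xml in the thread, done through firewall-cmd.
apply_redirect() {
    # word splitting of the argument string is intended
    firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 $(redirect_rule_args "$1" "$2")
    firewall-cmd --reload
}

# Reads `iptables -t nat -S` output on stdin ($1 = port, $2 = toport).
# Succeeds only for a DNAT or REDIRECT rule in OUTPUT or OUTPUT_direct: a rule
# in a PRE_* zone chain (what forward-ports creates) is ignored, because
# locally generated packets never pass through PREROUTING.
has_loopback_redirect() {
    grep -E -- "^-A OUTPUT(_direct)? .*-d 127\.0\.0\.1(/32)? .*--dport $1 .*-j (DNAT --to-destination 127\.0\.0\.1:$2|REDIRECT --to-ports $2)" >/dev/null
}

# Constructed `iptables -t nat -S` output: the zone forward-port landed in
# PRE_trusted_allow (useless for localhost) and the direct rule in OUTPUT_direct.
SAMPLE_NAT='-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-A PREROUTING -j PREROUTING_direct
-A PRE_trusted_allow -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8080
-A OUTPUT -j OUTPUT_direct
-A OUTPUT_direct -d 127.0.0.1/32 -o lo -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8080'

# Returns 0 when the sample contains a loopback redirect $1 -> $2 in the OUTPUT path.
check_sample() {
    printf '%s\n' "$SAMPLE_NAT" | has_loopback_redirect "$1" "$2"
}

if [ "${1:-}" = "apply" ]; then
    apply_redirect 80 8080
elif check_sample 80 8080; then
    echo "loopback redirect 80 -> 8080 is present in nat OUTPUT"
else
    echo "no loopback redirect in nat OUTPUT: zone forward-ports do not apply to localhost"
fi
```

Run it with `apply` as the first argument to install the rule; without arguments it only evaluates the constructed sample. If localhost resolves to ::1 on the host, this IPv4 rule never sees the connection, so test against 127.0.0.1 explicitly or add the ip6tables counterpart.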