On Thu, Feb 16, 2023 at 01:10:27PM -0000, ed greenberg wrote:
> My iptables -L shows a pretty complex structure that seems to only be
> present when using firewalld. For instance...
> Such chains as FWDI_public (which invokes FWDI_public_pre, FWDI_public_log,
> FWDI_public_deny, FWDI_public_allow, and FWDI_public_post).
> Same for FWDO_public, IN_public, etc.
> Chain IN_public (2 references)
> target           prot opt source               destination
> IN_public_pre    all  --  0.0.0.0/0            0.0.0.0/0
> IN_public_log    all  --  0.0.0.0/0            0.0.0.0/0
> IN_public_deny   all  --  0.0.0.0/0            0.0.0.0/0
> IN_public_allow  all  --  0.0.0.0/0            0.0.0.0/0
> IN_public_post   all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT           icmp --  0.0.0.0/0            0.0.0.0/0
> In all of the chains that call their corresponding _pre, _post, etc.,
> I find that my _deny comes before my _allow. This means that
> everything is denied, and the specific allows don't function.

_deny has always been before _allow.

> On other servers, _allow precedes _deny, as one would expect.
That does not sound correct. If you enable something it will go to the
_allow chain. By default _deny is empty.
> My question is, "Does FirewallD create these chains and
> subchains?"
Yes.
> If so, where in firewalld does the order that puts deny before allow
> get defined so I can fix it?
It's hard coded.
If you want more granular control, your options are:
- rich rules with priority specified
- policies with priority specified