4:44 p.m.
I'm confused about services enabled in a zone because the docs suggest that it allows
that service on destinations in the zone to be accessed from sources outside the zone, but
then I've seen some places on blogs and forums that suggest that the enabled services
for the zone affect outbound connections from sources in the zone. Is it controlling
inbound, outbound, or both?
I have an http server in zone1, and I want to allow any source in zone2 to connect to it
(but not vice versa). How do I do that? I tried setting a "rich rule" for zone1,
but I couldn't figure out how to use zone2 as the source in a rule. Is that not
possible?
Thanks!
Eric
7:27 a.m.
New subject: Allow any source in one specific zone to initiate an http
connection to a second specific zone
On Mon, Mar 04, 2019 at 10:44:19PM -0000, Eric Smith wrote:
I'm confused about services enabled in a zone because the docs
suggest
that it allows that service on destinations in the zone to be accessed
from sources outside the zone, but then I've seen some places on blogs
and forums that suggest that the enabled services for the zone affect
outbound connections from sources in the zone. Is it controlling
inbound, outbound, or both?
inbound. Firewalld does not have native support for OUTPUT filtering.
I have an http server in zone1, and I want to allow any source in
zone2 to connect to it (but not vice versa). How do I do that? I tried
setting a "rich rule" for zone1, but I couldn't figure out how to use
zone2 as the source in a rule. Is that not possible?
What you're describing is forward filtering, which firewalld doesn't
support.
If zone2 has an "accept" policy (see --set-target, or trusted zone),
then it will allow forwarding from zone2 --> zone1. Otherwise the
forwarded traffic will be blocked.
Waring: Using an "accept" policy also means all connections from that
zone to the _host_ are accepted.
Your other alternative is to use --direct rules.
7:50 a.m.
New subject: Allow any source in one specific zone to initiate an http
connection to a second specific zone
On Tue, Mar 05, 2019 at 08:27:47AM -0500, Eric Garver wrote:
On Mon, Mar 04, 2019 at 10:44:19PM -0000, Eric Smith wrote:
> I'm confused about services enabled in a zone because the docs suggest
> that it allows that service on destinations in the zone to be accessed
> from sources outside the zone, but then I've seen some places on blogs
> and forums that suggest that the enabled services for the zone affect
> outbound connections from sources in the zone. Is it controlling
> inbound, outbound, or both?
inbound. Firewalld does not have native support for OUTPUT filtering.
> I have an http server in zone1, and I want to allow any source in
> zone2 to connect to it (but not vice versa). How do I do that? I tried
> setting a "rich rule" for zone1, but I couldn't figure out how to
use
> zone2 as the source in a rule. Is that not possible?
What you're describing is forward filtering, which firewalld doesn't
support.
If zone2 has an "accept" policy (see --set-target, or trusted zone),
then it will allow forwarding from zone2 --> zone1. Otherwise the
forwarded traffic will be blocked.
I wanted to clarify further, as it it's more complex than what I let on.
It's more like this:
1) At ingress/input zone (zone2 in your case)
- if zone has a reject/drop policy, then packet is discarded
- if zone has an accept policy, then packet is accepted
- if zone has a default policy, goto step 2
2) At egress/output zone (zone1 in your case)
- if zone has a reject/drop policy, then packet is discarded
- if zone has an accept policy, then packet is accepted/forwarded
- if zone has a default policy, then packet is discarded
So you have three options (in order of simplicity, but _NOT_ security):
1) give zone2 an accept policy
2) give zone2 a default policy, and zone1 an accept policy
3) use --direct rules to accept the forward traffic
FWIW, we realize this is far from ideal. There are plans for forward and
output filtering, but it's a long ways off.
> Waring: Using an "accept" policy also means all connections from that
> zone to the _host_ are accepted.
>
> Your other alternative is to use --direct rules.
5:05 p.m.
New subject: Allow any source in one specific zone to initiate an http
connection to a second specific zone
Thanks for the detailed clarifications. This helps a lot!
The firewalld paradigm is different than I'm used to, but that's not necessarily a
bad thing as long as I understand what it's doing.
Per your suggestion, I may use --direct rules for now. I certainly look forward to the
future enhancements.
Best regards,
Eric
1873
days inactive
1877
days old
firewalld-users@lists.fedorahosted.org
3 comments
2 participants
participants (2)
-
Eric Garver -
Eric Smith