On Tue, Mar 05, 2019 at 08:27:47AM -0500, Eric Garver wrote:
On Mon, Mar 04, 2019 at 10:44:19PM -0000, Eric Smith wrote:
> I'm confused about services enabled in a zone because the docs suggest
> that it allows that service on destinations in the zone to be accessed
> from sources outside the zone, but then I've seen some places on blogs
> and forums that suggest that the enabled services for the zone affect
> outbound connections from sources in the zone. Is it controlling
> inbound, outbound, or both?
inbound. Firewalld does not have native support for OUTPUT filtering.
> I have an http server in zone1, and I want to allow any source in
> zone2 to connect to it (but not vice versa). How do I do that? I tried
> setting a "rich rule" for zone1, but I couldn't figure out how to use
> zone2 as the source in a rule. Is that not possible?
What you're describing is forward filtering, which firewalld doesn't
support.
If zone2 has an "accept" policy (see --set-target, or trusted zone),
then it will allow forwarding from zone2 --> zone1. Otherwise the
forwarded traffic will be blocked.
I wanted to clarify further, as it's more complex than what I let on.
It's more like this:
1) At ingress/input zone (zone2 in your case)
- if zone has a reject/drop policy, then packet is discarded
- if zone has an accept policy, then packet is accepted
- if zone has a default policy, goto step 2
2) At egress/output zone (zone1 in your case)
- if zone has a reject/drop policy, then packet is discarded
- if zone has an accept policy, then packet is accepted/forwarded
- if zone has a default policy, then packet is discarded
So you have three options (in order of simplicity, but _NOT_ security):
1) give zone2 an accept policy
2) give zone2 a default policy, and zone1 an accept policy
3) use --direct rules to accept the forward traffic
FWIW, we realize this is far from ideal. There are plans for forward and
output filtering, but it's a long ways off.
> Warning: Using an "accept" policy also means all connections from that
> zone to the _host_ are accepted.
>
> Your other alternative is to use --direct rules.
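The two-step forward evaluation and the "accept target also opens the host" caveat from the thread, modelled as an added example (this is not firewalld's own code, and the thread does not show any). The decision table is taken directly from the two numbered steps above; the target names match `firewall-cmd --set-target` values, while the function names, the interface placeholders in the direct rule, and the `zone1`/`zone2` layout are assumptions for illustration.

```python
"""Model of firewalld zone-target evaluation for forwarded and host-bound
traffic, as described in the mailing-list reply above.  Added example; not
firewalld's implementation.  Verdicts: "accept" or "discard"."""

from enum import Enum


class Target(Enum):
    """Zone targets as accepted by `firewall-cmd --zone=Z --set-target=...`."""
    DEFAULT = "default"
    ACCEPT = "ACCEPT"
    REJECT = "%%REJECT%%"
    DROP = "DROP"


def forward_verdict(ingress_target: Target, egress_target: Target) -> str:
    """Verdict for a packet forwarded from the ingress zone to the egress zone.

    Step 1 (ingress zone): reject/drop discards, accept accepts,
    default falls through to step 2.
    Step 2 (egress zone): accept forwards, anything else (reject, drop,
    default) discards.
    """
    if ingress_target in (Target.REJECT, Target.DROP):
        return "discard"
    if ingress_target is Target.ACCEPT:
        return "accept"
    # Only reached when the ingress zone has the default target.
    if egress_target is Target.ACCEPT:
        return "accept"
    return "discard"


def host_input_verdict(zone_target: Target, service_enabled: bool) -> str:
    """Verdict for a connection from a zone to the host itself (INPUT).

    Services enabled in a zone are inbound allowances; an ACCEPT target
    allows everything from that zone to the host, which is the warning
    given in the thread.
    """
    if zone_target is Target.ACCEPT:
        return "accept"
    if zone_target in (Target.REJECT, Target.DROP):
        return "discard"
    return "accept" if service_enabled else "discard"


def commands_for_option(option: int, ingress_if: str = "<zone2-iface>",
                        egress_if: str = "<zone1-iface>") -> list:
    """The firewall-cmd invocations for each of the three options listed in
    the reply.  Interface names are placeholders (assumed), option 3 limits
    the direct rule to the http server port as in the original question."""
    if option == 1:
        cmds = ["firewall-cmd --permanent --zone=zone2 --set-target=ACCEPT"]
    elif option == 2:
        cmds = ["firewall-cmd --permanent --zone=zone2 --set-target=default",
                "firewall-cmd --permanent --zone=zone1 --set-target=ACCEPT"]
    elif option == 3:
        cmds = ["firewall-cmd --permanent --direct --add-rule ipv4 filter "
                f"FORWARD 0 -i {ingress_if} -o {egress_if} -p tcp --dport 80 "
                "-j ACCEPT"]
    else:
        raise ValueError("option must be 1, 2 or 3")
    return cmds + ["firewall-cmd --reload"]


if __name__ == "__main__":
    # Walk the full decision table so the side effects of each option are visible.
    for ing in Target:
        for egr in Target:
            print(f"ingress={ing.name:<7} egress={egr.name:<7} "
                  f"forward={forward_verdict(ing, egr)}")
    # Option 1 forwards zone2->zone1 but also opens the host to all of zone2.
    print("option 1, host reachable with no service enabled:",
          host_input_verdict(Target.ACCEPT, service_enabled=False))
    for opt in (1, 2, 3):
        print(f"option {opt}:", *commands_for_option(opt), sep="\n  ")
```

Running the table shows why option 2 is the less exposing of the first two: with zone2 left at `default`, the host side of zone2 still only answers enabled services, while the forward decision moves to zone1's target.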