Hello Steve
On 11/09/2015 06:16 PM, Bennett, Steve wrote:
> Apologies if this has already been asked (I couldn’t see anything in
> the archives). I’m a bit new to firewalld and I’m trying to convert
> some of my machines to use the new model. I’ve not found any technical
> problems yet but I’m struggling to get a configuration that’s tidy and
> maintainable.
> I do have a couple of questions though…
> Is there a reason why overlapping zones are unsupported? E.g. what I’d
> quite like to be able to do is to use zones to represent groups of
> services (so zone1 might be “machines that need SSH access”, and zone2
> might be “machines that need mysql and postgresql access”, and some
> machines might be in one or both zones). Once you get beyond a couple
> of combinations of service it ends up being a mess of rich rules that
> I’d quite like to avoid.
There are no overlapping zones to make zones and their behavior
predictable. The use of more than one zone per
connection/interface/source could get unpredictable and complex, if for
example NAT is used in one or more zones with masquerading or port
forwarding.
I am working on IPset support for firewalld right now. IPsets can be
used in a zone to allow access to services within rich rules for example
or also to bind zones to. Maybe this might help you?
Creating a group of services that could easily be enabled or disabled is
not supported by firewalld.
> What would be really nice is a way to specify that once processing a
> zone is complete, another matching zone might be able to process the
> connection (e.g. to have the entry in the INPUT_ZONES_SOURCE chain
> designated with “-j” instead of “-g”).
> At the moment, the zones appear to be processed in sort order (zone
> “A” is processed before zone “B” etc) – is that a documented behavior
> (I can’t see anything that says that it is) or is this something that
> may change in the future?
Zones are generated as soon as they are used. This is then the order of
the processing of the zones. But as there is no overlap between zones
normally, the order of the zones should not have a big impact on
processing within the firewall.
> Thanks!
> Steve.
Regards,
Thomas
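The exchange above turns on the difference between iptables' `-j` (jump) and `-g` (goto) when a per-source rule hands a packet to a zone chain. The following is an added illustration, not code from this thread or from firewalld: a small Python model of chain traversal in which the chain names (`INPUT`, `INPUT_ZONES_SOURCE`, `IN_ssh`, `IN_db`) only loosely follow the ones the mail refers to, the rule layout is a simplified sketch rather than firewalld's actual rule set, and the packets and source bindings are constructed sample data. It shows why, with `-g`, the first zone bound to a source is the only one consulted (a packet the zone does not accept falls back to `INPUT` and is rejected), whereas with `-j` control would return to `INPUT_ZONES_SOURCE` and a second overlapping zone would get a turn, which is the predictability trade-off Thomas describes.

```python
"""Toy model of iptables chain traversal: -g (goto) versus -j (jump).

Added illustration only.  The chain layout is a simplified sketch inspired by
the chains named in the mail (INPUT -> INPUT_ZONES_SOURCE -> IN_<zone>), not
firewalld's real rule set.  All packets and zone bindings are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Optional

Packet = dict  # constructed packet: {"src": "<ip>", "dport": <port>}


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str          # chain name, or terminal "ACCEPT" / "REJECT"
    goto: bool = False   # True models "-g", False models "-j"


def traverse(ruleset: dict, chain: str, pkt: Packet, trace: list) -> Optional[str]:
    """Walk `chain` for `pkt`.  Returns a terminal verdict, or None when the
    chain is exhausted (an implicit RETURN to the chain that *jumped* here)."""
    for rule in ruleset[chain]:
        if not rule.match(pkt):
            continue
        if rule.target in ("ACCEPT", "REJECT"):
            trace.append(f"{chain}: {rule.target}")
            return rule.target
        trace.append(f"{chain}: {'-g' if rule.goto else '-j'} {rule.target}")
        verdict = traverse(ruleset, rule.target, pkt, trace)
        if verdict is not None:
            return verdict
        if rule.goto:
            # -g semantics: when the target chain returns, control does NOT
            # come back to the next rule here; it returns to whichever chain
            # -j'd into *this* one.  Model that by exhausting this chain.
            return None
    return None


def build_ruleset(goto: bool) -> dict:
    """Two zones deliberately bound to the same source (an 'overlap').
    `goto` selects whether INPUT_ZONES_SOURCE dispatches with -g or -j."""
    def from_net(prefix):
        return lambda p: p["src"].startswith(prefix)

    def to_port(n):
        return lambda p: p["dport"] == n

    def always(p):
        return True

    return {
        "INPUT": [
            Rule(always, "INPUT_ZONES_SOURCE"),
            Rule(always, "REJECT"),   # what remains once a zone chain returns
        ],
        "INPUT_ZONES_SOURCE": [
            Rule(from_net("10.0.0."), "IN_ssh", goto),   # first-bound zone
            Rule(from_net("10.0.0."), "IN_db", goto),    # overlapping zone
        ],
        "IN_ssh": [Rule(to_port(22), "ACCEPT")],
        "IN_db": [Rule(to_port(3306), "ACCEPT"), Rule(to_port(5432), "ACCEPT")],
    }


def verdict_for(pkt: Packet, goto: bool) -> tuple:
    """Return (verdict, trace) for `pkt` under -g (goto=True) or -j dispatch."""
    trace = []
    verdict = traverse(build_ruleset(goto), "INPUT", pkt, trace) or "RETURN"
    return verdict, trace


if __name__ == "__main__":
    pkt = {"src": "10.0.0.5", "dport": 5432}   # PostgreSQL from a host in both zones
    for goto in (True, False):
        verdict, trace = verdict_for(pkt, goto)
        print(f"{'-g' if goto else '-j'}: {verdict:7s} via {' -> '.join(trace)}")
```

Run as a script, the `-g` line shows the packet reaching `IN_ssh`, falling out to `INPUT` and being rejected without `IN_db` ever being consulted; the `-j` line shows the same packet accepted by `IN_db` after `IN_ssh` returns. The trace is the useful part when debugging a real firewalld host: `iptables -L -v -n` with counters on the `IN_<zone>` chains tells you which zone actually handled a source, which, as Thomas notes, is whichever zone was bound first.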