Hello,
It looks like there are a couple of ways to do port forwarding in NAT situations: either put the rules in the Zone itself, or use a Policy Object and put the port forwarding rules in the Policy Object. Which is the "right" way to do it for this situation?
I have an appliance I'm building a firewall out of. There are several Ethernet interfaces. For this particular issue, two are important: eth0 is the interface that is connected to the Internet, and eth1 is connected to a VPN server. eth1's network addr is 192.168.9.1 and the VPN server is 192.168.9.2. When a UDP connection arrives on port 1195 on eth0, I want it to be forwarded to 1194 on eth1 to 192.168.9.2. The Zone I have for eth0 is 'external' and the Zone I have for eth1 is 'vpnbox'. The 'external' Zone is set to masquerade.
If I put the rule in the 'external' Zone, nothing happens - the connection is not forwarded. This is true even if I open firewall holes in that Zone.
If I put the rule in a policy object with 'external' Zone as ingress and 'vpnbox' Zone as egress, I can't reload firewalld after creating the policy. It comes back with an error, "INVALID_ZONE: Policy 'worldToVpnBox': 'forward-port' cannot be used because egress zone 'vpnbox' has assigned interfaces".
I did see this link, but it doesn't seem right that the rule should apply to ANY zone. Isn't that a security risk or a potential for a misconfiguration? https://firewalld.org/2020/09/policy-objects-filtering-container-and-vm-traf...
I am new to firewalld Policy objects and would greatly appreciate if someone could refer me to resources that would answer this question.
Thanks! -JK
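For readers hitting the same INVALID_ZONE error, here is an added example (not part of the original post, and not firewalld's own code) of the policy form that firewalld accepts: a policy whose ingress zone is 'external' and whose egress zone is ANY, because DNAT happens before the routing decision, so the egress zone cannot be a zone with interfaces bound to it. The policy name, zones, ports and 192.168.9.2 are taken from the question; DRY_RUN=1 (the default) only prints the firewall-cmd invocations so the script can be read offline.

```shell
#!/bin/sh
# Added example; assumes firewalld with policy-object support (0.9 or later).
# DRY_RUN=1 echoes the firewall-cmd calls instead of running them.
DRY_RUN=${DRY_RUN:-1}
POLICY=worldToVpnBox
INGRESS=external          # only packets arriving on the 'external' zone's interfaces match
EGRESS=ANY                # forward-port in a policy needs HOST or ANY here, not 'vpnbox'
PROTO=udp
IN_PORT=1195
TO_PORT=1194
TO_ADDR=192.168.9.2       # the VPN server behind eth1 (from the question)

fwcmd() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "firewall-cmd $*"
  else
    firewall-cmd "$@"
  fi
}

# Mirror firewalld's own check so a bad egress zone fails before anything is written.
policy_egress_ok() {
  case "$1" in
    ANY|HOST) return 0 ;;
    *) return 1 ;;
  esac
}

# The scope stays narrow even with egress ANY: the ingress zone limits which
# interfaces the rule sees, and toaddr/toport fix where the traffic may go.
create_forward_policy() {
  if ! policy_egress_ok "$EGRESS"; then
    echo "forward-port needs egress zone ANY or HOST, got '$EGRESS'" >&2
    return 1
  fi
  fwcmd --permanent --new-policy "$POLICY"
  fwcmd --permanent --policy "$POLICY" --add-ingress-zone "$INGRESS"
  fwcmd --permanent --policy "$POLICY" --add-egress-zone "$EGRESS"
  fwcmd --permanent --policy "$POLICY" \
    --add-forward-port="port=$IN_PORT:proto=$PROTO:toport=$TO_PORT:toaddr=$TO_ADDR"
  fwcmd --reload
}
```

The return path still relies on masquerade being enabled on the 'external' zone, as the question already has it.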