solved:
place 192.168.1.0/24 and 192.168.2.0/24 as 'sources' in the 'trusted'
zone
;)
You may also be interested in policy objects which were introduced in
v0.9.0. They allow arbitrary FORWARD/OUTPUT filtering.
-
On 10/12/2020 04:12, andrew goh wrote:
>
> hi,
>
> I ran into various issues attempting to set up firewalld that would
> forward ip traffic between 2 subnets.
>
> let's start with the network map.
>
>                              +-- lan subnet 1
> wan <---- router (firewalld) +
>                              +-- lan subnet 2
>
> firewalld runs in the router box. the wan interface works well in
> firewalld and is simply in the 'external' zone. it is simply marked
> masquerade so that it is doing NAT for all traffic bound for the
> internet. no issues with this
>
> LAN 1 and LAN 2 are local ipv4 /24 subnets e.g. you can imagine one
> being 192.168.1.0 / 24 the other being 192.168.2.0 / 24.
>
> the trouble is ip traffic is blocked between the 2 LAN subnets you can
> imagine one being 'home' zone the other being 'work' zone. all (http)
> connections are intercepted by the firewall setup by firewalld and
> rejected. that happens even if I place both of them in the same zone say
> 'home' or 'work'.
>
> I went ahead and tried 'direct configuration' putting a rule like
>
> * filter FORWARD -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
>
> * filter FORWARD -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT
>
> However, this is to no avail and all traffic is still rejected. finally
> I did the deep dive and tried tracing using nftrace
>
>
> https://wiki.nftables.org/wiki-nftables/index.php/Ruleset_debug/tracing
>
> I found out something rather alarming, in that the rules setup in
> 'direct configuration' are based on iptables commands while firewalld
> setup its own large sets of nft rules. it turns out firewalld is using
> the 'INET' ( ipv4 and/or ipv6) family for its rules.
>
>
> https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
>
> While the iptables rules done in 'direct configuration' go into the IP
> family.
>
> And the firewalld's own INET rules are evaluated *before* the IP rules
> setup in 'direct configuration'. the packets are rejected in the
> firewalld rules before they can even be evaluated by the 'direct
> configuration' iptables rules.
>
> Is there any way to configure forwarding between the 2 LAN subnets using
> firewalld? I've even tried 'rich rules' and 'sources' but firewalld
> always seemed to patch the rules elsewhere in the input and output nftables
> chains (these are intended for the router itself) except the 'forward'
> chain which happens during routing and are intended for other hosts than
> the router itself. i.e. there seem to be no way to specify in firewalld
> to say that traffic between the 2 subnets should be forwarded to each
> other.
>
> Thanks in advance,
> Andrew
>
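The two approaches named in the reply above (subnets as sources of the 'trusted' zone, and the v0.9.0 policy objects for FORWARD filtering), as an added example script that is not part of this thread or of firewalld itself. The subnets and the zone names 'home' and 'work' come from the question; the policy name 'lan-forward' and the DRY_RUN wrapper are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Subnets and the zone names 'home'
# and 'work' are taken from the question; the policy name is an assumption.
LAN1=${LAN1:-192.168.1.0/24}
LAN2=${LAN2:-192.168.2.0/24}
POLICY=${POLICY:-lan-forward}

# Print each firewall-cmd call and run it unless DRY_RUN is set, so the
# plan can be reviewed on a machine without firewalld.
fwcmd() {
    echo "firewall-cmd $*"
    [ -n "${DRY_RUN:-}" ] || firewall-cmd "$@"
}

# Approach 1 (the reply): both subnets as sources of the 'trusted' zone.
# Caveat: trusted has target ACCEPT, so this also accepts everything from
# those subnets to the router itself, not just forwarded traffic.
trusted_sources() {
    fwcmd --permanent --zone=trusted --add-source="$LAN1"
    fwcmd --permanent --zone=trusted --add-source="$LAN2"
    fwcmd --reload
}

# One policy object (firewalld >= 0.9.0) accepting forwarded traffic from
# zone $2 to zone $3; a policy is directional, so one is needed per direction.
forward_policy() {
    name="$POLICY-$1"
    fwcmd --permanent --new-policy="$name"
    fwcmd --permanent --policy="$name" --add-ingress-zone="$2"
    fwcmd --permanent --policy="$name" --add-egress-zone="$3"
    fwcmd --permanent --policy="$name" --set-target=ACCEPT
}

# Approach 2: keep each subnet in its own zone and allow only forwarding
# between them; the router's own input/output rules are left untouched.
policy_forwarding() {
    fwcmd --permanent --zone=home --add-source="$LAN1"
    fwcmd --permanent --zone=work --add-source="$LAN2"
    forward_policy home2work home work
    forward_policy work2home work home
    fwcmd --reload
}

# Usage: DRY_RUN=1 sh fwd.sh trusted|policy  (unset DRY_RUN to apply)
case "${1:-}" in
    trusted) trusted_sources ;;
    policy) policy_forwarding ;;
esac
```

With policies, `--set-target=ACCEPT` can be replaced by `--add-service=...` on the policy to allow only specific services between the two LANs instead of all forwarded traffic.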
_______________________________________________
firewalld-users mailing list -- firewalld-users(a)lists.fedorahosted.org