On 04.05.2023 22:58, Eric Garver wrote:
On Thu, May 04, 2023 at 01:18:27PM +0000, Will Furnell - STFC UKRI wrote: [..]
Is there a way to get firewalld to evaluate rules in multiple zones in a chain like icinga -> public -> DENY?
No. But you can use a policy to common-ize some things. The below policy applies to both zones, icinga and public.
e.g.
# firewall-cmd --permanent --new-policy mypolicy # firewall-cmd --permanent --policy mypolicy --add-ingress-zone icinga # firewall-cmd --permanent --policy mypolicy --add-ingress-zone public # firewall-cmd --permanent --policy mypolicy --add-egress-zone HOST # firewall-cmd --permanent --policy mypolicy --add-service cinga
This will open service cinga to all hosts in public zone while the intent is to open it only to hosts in icinga zone.
I suppose one could implement target=CONTINUE for source zones for such use cases.
# firewall-cmd --reload
Then you could add your unique services, e.g. https, to the public zone or a separate policy.
Hope that helps. Eric.
https://firewalld.org/documentation/concepts.html https://firewalld.org/2020/09/policy-objects-introduction _______________________________________________ firewalld-users mailing list -- firewalld-users@lists.fedorahosted.org To unsubscribe send an email to firewalld-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedorahos... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue