Thanks Eric,
currently the stable Ubuntu releases are distributed with somewhat 'older'
firewalld distributions.
When it gets updated, I'd definitely try out policies.
And another tip to anyone who happens to read this: I've been struggling
with various connectivity issues which I naively thought were a firewall
issue initially.
As I did not use NetworkManager (it is recommended) for one of my
interfaces: I'm using hostapd, which today doesn't seem to co-exist with
NetworkManager.
After I set up the interface, it left me wondering why connections (to the
internet) all snap and are aborted. It turns out later I found out that
NetworkManager does dhcpd (via dnsmasq) and passed the correct DNS servers.
After I set up hostapd manually, I ran a separate dhcp server, and those
dns servers which I used do not allow recursive or forwarding dns searches.
All dns queries other than for the native domain are rejected.
And mobile OSes, in particular Android, keep reporting no internet access.
This shows that one should look beyond firewall issues when
troubleshooting connectivity issues when a firewall is running.
I'd say firewalld is a good setup and is highly recommended.
Thanks and cheers,
Andrew
On 11/12/2020 21:43, Eric Garver wrote:
> On Thu, Dec 10, 2020 at 02:59:11PM +0800, andrew goh wrote:
>> solved:
>>
>> place 192.168.1.0/24 and 192.168.2.0/24 as 'sources' in the
>> 'trusted' zone
>> ;)
> You may also be interested in policy objects which were introduced in
> v0.9.0. They allow arbitrary FORWARD/OUTPUT filtering.
>
> - https://firewalld.org/2020/09/policy-objects-introduction
> - https://firewalld.org/2020/09/policy-objects-filtering-container-and-vm-t...
>
>> On 10/12/2020 04:12, andrew goh wrote:
>>> hi,
>>>
>>> I ran into various issues attempting to set up firewalld so that it would
>>> forward ip traffic between 2 subnets.
>>>
>>> let's start with the network map.
>>>
>>>                              +-- lan subnet 1
>>> wan <---- router (firewalld) +
>>>                              +-- lan subnet 2
>>>
>>> firewalld runs in the router box. the wan interface works well in
>>> firewalld and is simply in the 'external' zone. it is simply marked
>>> masquerade so that it is doing NAT for all traffic bound for the
>>> internet. no issues with this
>>>
>>> LAN 1 and LAN 2 are local ipv4 /24 subnets, e.g. you can imagine one
>>> being 192.168.1.0/24 and the other being 192.168.2.0/24.
>>>
>>> the trouble is ip traffic is blocked between the 2 LAN subnets. you can
>>> imagine one being the 'home' zone and the other being the 'work' zone.
>>> all (http) connections are intercepted by the firewall set up by firewalld
>>> and rejected. that happens even if I place both of them in the same zone,
>>> say 'home' or 'work'.
>>>
>>> I went ahead and tried 'direct configuration' putting a rule like
>>>
>>> * filter FORWARD -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
>>>
>>> * filter FORWARD -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT
>>>
>>> However, this is to no avail and all traffic is still rejected. finally
>>> I did the deep dive and tried tracing using nftrace
>>>
>>> https://wiki.nftables.org/wiki-nftables/index.php/Ruleset_debug/tracing
>>>
>>> I found out something rather alarming, in that the rules set up in
>>> 'direct configuration' are based on iptables commands while firewalld
>>> sets up its own large set of nft rules. it turns out firewalld is using
>>> the 'INET' (ipv4 and/or ipv6) family for its rules.
>>>
>>> https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
>>>
>>> While the iptables rules done in 'direct configuration' go into the IP
>>> family.
>>>
>>> And firewalld's own INET rules are evaluated *before* the IP rules
>>> set up in 'direct configuration'. the packets are rejected in the
>>> firewalld rules before they can even be evaluated by the 'direct
>>> configuration' iptables rules.
>>>
>>> Is there any way to configure forwarding between the 2 LAN subnets using
>>> firewalld? I've even tried 'rich rules' and 'sources', but firewalld
>>> always seemed to patch the rules elsewhere in the input and output nftables
>>> chains (these are intended for the router itself) except the 'forward'
>>> chain, which happens during routing and is intended for other hosts than
>>> the router itself. i.e. there seems to be no way to specify in firewalld
>>> that traffic between the 2 subnets should be forwarded to each
>>> other.
>>>
>>> Thanks in advance,
>>> Andrew
>>>