On Fri, May 05, 2023 at 07:23:47AM +0300, Andrei Borzenkov wrote:
On 04.05.2023 22:58, Eric Garver wrote:
On Thu, May 04, 2023 at 01:18:27PM +0000, Will Furnell - STFC UKRI wrote: [..]
Is there a way to get firewalld to evaluate rules in multiple zones in a chain like icinga -> public -> DENY?
No. But you can use a policy to common-ize some things. The below policy applies to both zones, icinga and public.
e.g.
# firewall-cmd --permanent --new-policy mypolicy
# firewall-cmd --permanent --policy mypolicy --add-ingress-zone icinga
# firewall-cmd --permanent --policy mypolicy --add-ingress-zone public
# firewall-cmd --permanent --policy mypolicy --add-egress-zone HOST
# firewall-cmd --permanent --policy mypolicy --add-service cinga
This will open service cinga to all hosts in public zone while the intent is to open it only to hosts in icinga zone.
Right. My bad. Concept still applies though. OP wanted to expose http to both. I used the wrong service.
Should be:
# firewall-cmd --permanent --policy mypolicy --add-service http
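The policy recipe above as a script (an added example, not code from the thread or from the firewalld project): it builds the policy for any number of ingress zones and validates the service name against firewalld's service list first, so a typo such as "cinga" aborts before anything is written. The FIREWALL_CMD variable is an assumption of this script, there so it can be dry-run against a stub.

```shell
#!/bin/sh
# Added example: create a firewalld policy that opens one service to hosts
# in several ingress zones, as in the thread (icinga and public -> HOST).
# FIREWALL_CMD is an assumption of this script: it lets the same function be
# run against a stub for dry-run testing instead of the real firewall-cmd.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# make_policy POLICY SERVICE ZONE...
# Returns non-zero (without touching the permanent config) if SERVICE is not
# a service firewalld knows, otherwise creates the policy in permanent config.
make_policy() {
    policy="$1"; service="$2"; shift 2

    # Validate the service name against firewalld's known services so a
    # misspelled service is caught before the policy is half-built.
    if ! "$FIREWALL_CMD" --get-services | tr ' ' '\n' | grep -qx -- "$service"; then
        echo "unknown firewalld service: $service" >&2
        return 1
    fi

    "$FIREWALL_CMD" --permanent --new-policy "$policy" || return 1
    # Every zone listed becomes an ingress zone; traffic from any of them
    # is matched by this one policy.
    for zone in "$@"; do
        "$FIREWALL_CMD" --permanent --policy "$policy" --add-ingress-zone "$zone" || return 1
    done
    # HOST as egress zone means traffic destined to this machine itself.
    "$FIREWALL_CMD" --permanent --policy "$policy" --add-egress-zone HOST || return 1
    "$FIREWALL_CMD" --permanent --policy "$policy" --add-service "$service" || return 1
}

# Usage (permanent changes only take effect after `firewall-cmd --reload`):
#   make_policy mypolicy http icinga public && firewall-cmd --reload
```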