I have a setup with three different zones: external, internal & dmz. In the dmz I have a DNS server and in the internal zone I have a DHCP server; these servers are set up with fixed addresses. Another server is set up as a router with firewalld and is connected to these 3 zones. When I activate firewalld, nslookup from the DHCP server is blocked by the firewall. I made a trace with tcpdump on port 53. I can see that the packets are received by the firewall on the incoming side (internal zone) but they are not sent out to the dmz. (PS! If I change FirewallBackend from nftables to iptables then it works as in CentOS 7.) Here are the rules that I use:

# Assigning interfaces to the zones
firewall-cmd --zone=external --change-interface=ens33
firewall-cmd --zone=internal --change-interface=ens37
firewall-cmd --zone=dmz --change-interface=ens38

# From the trusted zone (internal) allow traffic to DMZ
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ens37 -o ens38 -j ACCEPT   # This rule does not work with nftables

# Only answers back are allowed from dmz
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ens38 -o ens37 -m state --state RELATED,ESTABLISHED -j ACCEPT

firewall-cmd --zone=dmz --add-service=mdns
firewall-cmd --zone=dmz --add-service=dns

and much more, but it is not relevant here.
Please see this blog post ("Further Information"):
https://firewalld.org/2018/07/nftables-backend
And this upstream issue:
https://github.com/firewalld/firewalld/issues/555
tl;dr: iptables and nftables are _separate_ firewalls. As such packets need to pass through both of them to be allowed by the system. In your case, the packet is accepted by iptables (--direct rule), but is dropped by firewalld's nftables rules.
I'm currently working on full FORWARD/OUTPUT filtering support [1] which will obsolete using direct rules in this scenario. I'm hoping it lands in the next feature release.
[1] https://github.com/orgs/firewalld/projects/1#card-25963208
On Wed, Feb 12, 2020 at 12:47:15PM -0000, Bendt Mollerup wrote: