Hello,
My server hosts several services, (web, mail), and I use firewalld.
All of these services are defined in zone public, reachable via the Internet over interface eth0.
I also want to use it as a WireGuard server.
wg0 is the interface for zone=internal. This way, traffic from peers is masqueraded fine to the Internet, because I use this policy:
# firewall-cmd --new-policy NAT_int_to_ext --permanent
# firewall-cmd --permanent --policy NAT_int_to_ext --add-ingress-zone internal
# firewall-cmd --permanent --policy NAT_int_to_ext --add-egress-zone public
# firewall-cmd --permanent --policy NAT_int_to_ext --set-target ACCEPT
However, WireGuard peers are for now unable to reach the web and mail services on the host.
I've studied the firewalld website documentation, searched the mailing list, and perused other sources. Not entirely confident ... I would like confirmation that this is what is needed:
1) allow wg0 (internal) --> eth1 (public) <<< done
2) allow eth1 (public) --> wg0 (internal)
And for that second step, that could be something like this - copied from the firewalld blog "Policy Objects: Introduction":
# firewall-cmd --permanent --new-policy myOutputPolicy
# firewall-cmd --permanent --policy myOutputPolicy --add-ingress-zone HOST
# firewall-cmd --permanent --policy myOutputPolicy --add-egress-zone ANY
In addition, I have a doubt about my initial configuration of wireguard to use port 51820 on the zone public.
If I run "firewall-cmd --zone=public --list-all" it will show (among other)
ports: 51820/udp
the same command for zone internal won't show that port.
I wonder if I needed to add that port to zone=public. I think it is only for zone internal? And there it works without needing explicit assignment?
Kind greetings
Gijs
On 10.09.2023 09:45, Gijs Hillenius wrote:
Hello,
My server hosts several services, (web, mail), and I use firewalld.
All of these services are defined in zone public, reachable via the Internet over interface eth0.
I also want to use it as a WireGuard server.
wg0 is the interface for zone=internal. This way, traffic from peers is masqueraded fine to the Internet, because I use this policy:
# firewall-cmd --new-policy NAT_int_to_ext --permanent
# firewall-cmd --permanent --policy NAT_int_to_ext --add-ingress-zone internal
# firewall-cmd --permanent --policy NAT_int_to_ext --add-egress-zone public
# firewall-cmd --permanent --policy NAT_int_to_ext --set-target ACCEPT
However, WireGuard peers are for now unable to reach the web and mail services on the host.
"The host" is meaningless on a system with multiple interfaces and IP address. What IP address/interface your services bind to?
firewalld-users mailing list -- firewalld-users@lists.fedorahosted.org To unsubscribe send an email to firewalld-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedorahos... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
On 10 September 2023 10:20 Andrei Borzenkov, wrote:
"The host" is meaningless on a system with multiple interfaces and IP address. What IP address/interface your services bind to?
All of the services are at eth0
and it's all 144.76.204.189 and 2a01:4f8:200:546b::9e15:1
On 10.09.2023 11:49, Gijs Hillenius wrote:
All of the services are at eth0
and it's all 144.76.204.189 and 2a01:4f8:200:546b::9e15:1
This can be problematic even without any firewall involved. Reply to packets entering via wg0 may be sent via eth0 depending on the routing table. Does it work if you stop firewalld on this server?
On 10 September 2023 17:35 Andrei Borzenkov, wrote:
This can be problematic even without any firewall involved. Reply to packets entering via wg0 may be sent via eth0 depending on the routing table. Does it work if you stop firewalld on this server?
I have not tried that (yet).
The set-up used to work just fine with firewalld 0.9.3 (in Debian 11). It stopped working when I moved the server to firewalld 1.3.0 (in Debian 12).
But in that earlier set-up, I didn't have a zone internal.
On 10.09.2023 19:10, Gijs Hillenius wrote:
I have not tried that (yet).
The set-up used to work just fine with firewalld 0.9.3 (in Debian 11). It stopped working when I moved the server to firewalld 1.3.0 (in Debian 12).
But in that earlier set-up, I didn't have a zone internal.
So you likely just need to open the same ports in the zone assigned to wg0.
On 10 September 2023 21:38 Andrei Borzenkov, wrote:
So you likely just need to open the same ports in the zone assigned to wg0.
ACK. That works.
Thank you.
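The fix the thread settles on is to open in the wg0 zone ("internal") the same services and ports that zone "public" already exposes on eth0. The script below is an added example, not part of the thread and not firewalld's own tooling: it reads the source zone's service and port lists with firewall-cmd, generates one --add-service/--add-port command per item for the destination zone, and either prints them (plan) or applies them and reloads (apply). The zone names and 51820/udp come from the thread; the function names, the plan/apply switch and the sample lists used below are assumptions. The WireGuard listen port is deliberately left out of the copy: the encrypted handshake arrives on eth0, so 51820/udp belongs in the public zone, while the tunnel zone only ever sees decrypted peer traffic.

```bash
#!/bin/sh
# Added example (not from the thread): mirror zone "public"'s services and
# ports into the zone bound to wg0 so WireGuard peers reach web/mail too.
# Usage:  ./mirror-zone.sh plan    (print the commands, change nothing)
#         ./mirror-zone.sh apply   (run them, then reload and show the zone)
SRC_ZONE="${SRC_ZONE:-public}"      # zone of eth0 (from the thread)
DST_ZONE="${DST_ZONE:-internal}"    # zone of wg0 (from the thread)
WG_PORT="${WG_PORT:-51820/udp}"     # WireGuard listen port; stays in public only

# mirror_cmds SERVICES PORTS
# SERVICES and PORTS are the space-separated values printed by
# "firewall-cmd --zone=<src> --list-services" / "--list-ports".
# Emits one permanent firewall-cmd invocation per item for DST_ZONE,
# skipping the WireGuard listen port itself.
mirror_cmds() {
    services="$1"
    ports="$2"
    for s in $services; do
        printf 'firewall-cmd --permanent --zone=%s --add-service=%s\n' "$DST_ZONE" "$s"
    done
    for p in $ports; do
        if [ "$p" != "$WG_PORT" ]; then
            printf 'firewall-cmd --permanent --zone=%s --add-port=%s\n' "$DST_ZONE" "$p"
        fi
    done
}

# Number of commands a plan would run; handy as a quick sanity check.
mirror_count() {
    mirror_cmds "$1" "$2" | wc -l | tr -d ' '
}

run_plan() {
    # Read the permanent configuration of the source zone (needs root).
    services=$(firewall-cmd --permanent --zone="$SRC_ZONE" --list-services)
    ports=$(firewall-cmd --permanent --zone="$SRC_ZONE" --list-ports)
    mirror_cmds "$services" "$ports"
}

case "${1:-}" in
    plan)
        run_plan
        ;;
    apply)
        run_plan | while read -r cmd; do
            echo "+ $cmd"
            $cmd
        done
        firewall-cmd --reload
        firewall-cmd --zone="$DST_ZONE" --list-all
        ;;
    *)
        echo "usage: $0 plan|apply" >&2
        ;;
esac
```

Run `plan` first and read the commands before `apply`; afterwards `firewall-cmd --zone=internal --list-all` should show the web and mail entries next to the services listed for public, while `firewall-cmd --zone=public --list-all` keeps 51820/udp. Andrei's separate point about reply packets still applies once the firewall is right: `ip route get <a peer's tunnel address>` on the server should answer with `dev wg0`; if it names eth0, the replies leave by the wrong interface regardless of zone settings.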