Hi,
I have set up a WireGuard connection between my laptop (Fedora 39) and an AlmaLinux 9 x86_64 server, which also runs a Knot DNS resolver on port 53 (IPv4 & IPv6) to be used by the laptop when the WireGuard connection is active. This all works fine, but it requires:
/etc/firewalld/firewalld.conf FirewallBackend=iptables
and these firewall-cmd rules in the server's WireGuard wg0 config (this is one long line, but separated here for clarity):
PostUp =
firewall-cmd --zone=public --add-port=443/udp;
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 192.168.2.0/24 -o eth0 -j MASQUERADE;
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -i %i -j ACCEPT;
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i %i -o eth0 -j ACCEPT;
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eth0 -o %i -j ACCEPT;
firewall-cmd --direct --add-rule ipv6 nat POSTROUTING 0 -s fdcc:xxxx:xxxx::/64 -o eth0 -j MASQUERADE;
firewall-cmd --direct --add-rule ipv6 filter INPUT 0 -i %i -j ACCEPT;
firewall-cmd --direct --add-rule ipv6 filter FORWARD 0 -i %i -o eth0 -j ACCEPT;
firewall-cmd --direct --add-rule ipv6 filter FORWARD 0 -i eth0 -o %i -j ACCEPT;
When, on the server, I switch to FirewallBackend=nftables, restart firewalld, and do wg-quick up wg0, I can no longer access the DNS resolver on the WireGuard server's public IPv4 & IPv6 address from the client. If I change the DNS in the client's WireGuard config to 9.9.9.9 & 2620:fe::fe, then resolving on the client works fine. So somehow the iptables and nftables backends handle this differently (or the firewall-cmd rules are wrong?).
Does anyone know how to make this work with the nftables backend? Please let me know if you need any other information. Thanks!
Best, Patrick
firewalld-users@lists.fedorahosted.org
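As an added example (not part of Patrick's post or its thread), the same allowances expressed with firewalld zones and a forwarding policy instead of --direct rules, so that firewalld's own nftables table carries them rather than the separate iptables-nft tables that --direct rules land in. It assumes eth0 already sits in the public zone; the zone choice "internal" and the policy name "wg-to-wan" are made up here, and whether this resolves the reported case is not confirmed in the thread.

```shell
#!/bin/sh
# Added example, not from the original post. Zone/policy equivalent of the
# PostUp --direct rules. Assumptions: wg0 is the tunnel and eth0 (in zone
# "public") the uplink, as in the post; zone "internal" and policy
# "wg-to-wan" are arbitrary choices. Dry run by default: prints the commands;
# DRY_RUN=0 executes them (re-running then fails at --new-policy if it exists).
set -eu
DRY_RUN="${DRY_RUN:-1}"
WG_IF="${WG_IF:-wg0}"
POLICY="${POLICY:-wg-to-wan}"

# Print or execute one firewall-cmd invocation.
fw() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'firewall-cmd'; printf ' %s' "$@"; printf '\n'
    else
        firewall-cmd "$@"
    fi
}

wg_firewall_rules() {
    # WireGuard listener on the uplink zone (same port as the original rule).
    fw --permanent --zone=public --add-port=443/udp
    # Tunnel interface gets its own zone; peers reach the resolver only,
    # instead of every port, as the INPUT -j ACCEPT direct rule allowed.
    fw --permanent --zone=internal --add-interface="$WG_IF"
    fw --permanent --zone=internal --add-service=dns
    # Source NAT for peers leaving through the uplink. --add-masquerade is
    # IPv4 only; the rich rule adds the IPv6 counterpart.
    fw --permanent --zone=public --add-masquerade
    fw --permanent --zone=public --add-rich-rule='rule family="ipv6" masquerade'
    # Forwarding internal -> public replaces the two FORWARD direct rules;
    # replies are accepted by firewalld's default established/related rules.
    fw --permanent --new-policy="$POLICY"
    fw --permanent --policy="$POLICY" --add-ingress-zone=internal
    fw --permanent --policy="$POLICY" --add-egress-zone=public
    fw --permanent --policy="$POLICY" --set-target=ACCEPT
    # Activate the permanent configuration.
    fw --reload
}

wg_firewall_rules
```

Because the configuration is permanent and reloaded once, the PostUp line in the wg0 config is no longer needed for the firewall part.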