Hi, I'm struggling to set up firewalld to pass traffic between 2 networks. Is this possible with firewalld?
My lab setup is:

Server (ens192:192.168.3.2) <-> (ens224:192.168.3.1) firewall (ens192:192.168.110.8) <-> (ens192:192.168.110.9) client

Freshly installed CentOS 8.2 (2004), server installation with no GUI on all 3 VMs.

[root@firewall ~]# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

Client can ping Server

[root@client ~]# ping -c 3 192.168.3.2
PING 192.168.3.2 (192.168.3.2) 56(84) bytes of data.
64 bytes from 192.168.3.2: icmp_seq=1 ttl=63 time=0.530 ms
64 bytes from 192.168.3.2: icmp_seq=2 ttl=63 time=0.552 ms
64 bytes from 192.168.3.2: icmp_seq=3 ttl=63 time=0.444 ms

Client can't get to the server's ssh port.

[root@client ~]# nc 192.168.3.2 22
Ncat: No route to host.
[root@firewall ~]# systemctl stop firewalld
[root@client ~]# nc 192.168.3.2 22
SSH-2.0-OpenSSH_8.0
So far things are working as expected.
I configure firewalld as follows:

[root@firewall ~]# systemctl start firewalld
[root@firewall ~]# firewall-cmd --version
0.8.0
[root@firewall ~]# firewall-cmd --zone=public --remove-interface=ens192
success
[root@firewall ~]# firewall-cmd --zone=public --remove-interface=ens224
success
[root@firewall ~]# firewall-cmd --zone=dmz --add-interface=ens224
success
[root@firewall ~]# firewall-cmd --zone=internal --add-interface=ens192
success
[root@firewall ~]# firewall-cmd --zone=internal --add-rich-rule='rule family=ipv4 source address=192.168.110.9/32 destination address=192.168.3.2/32 service name=ssh accept'
success
[root@firewall ~]# firewall-cmd --zone=internal --list-all
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources:
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.110.9/32" destination address="192.168.3.2/32" service name="ssh" accept
[root@firewall ~]# firewall-cmd --zone=dmz --list-all
dmz (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens224
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

[root@client ~]# nc 192.168.3.2 22
Ncat: No route to host.
Shouldn't this work? What am I missing?
I spent most of yesterday on this and found only 2 threads on the same subject but unfortunately there were no answers. All other discussions were using NAT, which I don't need nor want.
After more research it appears that this is expected in v8.0 and the functionality should be implemented in v9.x of firewalld.
So, I installed the latest version of Fedora and installed firewalld 9.1. Unfortunately I get the exact same results.
[root@firewall ~]# firewall-cmd --version
0.9.1
[root@firewall ~]# tail -1 /etc/firewalld/firewalld.conf
AllowZoneDrifting=yes
Any help with a solution for this would be much appreciated.
Regards, Rob
On Sun, Nov 08, 2020 at 05:22:52AM -0000, Robert Smuhar wrote:
> I spent most of yesterday on this and found only 2 threads on the same subject but unfortunately there were no answers. All other discussions were using NAT, which I don't need nor want.
>
> After more research it appears that this is expected in v8.0 and the functionality should be implemented in v9.x of firewalld.
>
> So, I installed the latest version of Fedora and installed firewalld 9.1. Unfortunately I get the exact same results.
>
> [root@firewall ~]# firewall-cmd --version
> 0.9.1
> [root@firewall ~]# tail -1 /etc/firewalld/firewalld.conf
> AllowZoneDrifting=yes
This is strongly discouraged. The default is "no". I suggest leaving it as "no".
> Any help with a solution for this would be much appreciated.

Simply upgrading to v0.9.z is not enough. You need to add the rules to allow the traffic. This means creating a policy.

I'm guessing based on your original email, but maybe this is what you want:

# firewall-cmd --permanent --new-policy internalToDmz
# firewall-cmd --permanent --policy internalToDmz --add-ingress-zone internal
# firewall-cmd --permanent --policy internalToDmz --add-egress-zone dmz
# firewall-cmd --permanent --policy internalToDmz --add-service ssh
# firewall-cmd --reload
This creates a policy that allows SSH connections from the zone internal to zone dmz.
On 08/11/2020 10:03, Robert Smuhar wrote:
> Hi, I'm struggling to set up firewalld to pass traffic between 2 networks. Is this possible with firewalld?
>
> My lab setup is:
>
> Server (ens192:192.168.3.2) <-> (ens224:192.168.3.1) firewall (ens192:192.168.110.8) <-> (ens192:192.168.110.9) client
>
> Freshly installed CentOS 8.2 (2004), server installation with no GUI on all 3 VMs.
I think I understand you and I think I have much the same setup. I don't know if this is of any help.
Server (enp1s0:192.168.122.26) <-> (virb0:192.168.122.1) firewall (wlp4s0:192.168.2.127) <-> (wlp6s0:192.168.2.116) client
firewall=meimei, client=acer, server=f33k
[root@meimei ~]# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

[root@meimei ~]# firewall-cmd --get-active-zones
libvirt
  interfaces: virbr0
public
  interfaces: enp2s0
trusted
  interfaces: wlp4s0
[root@meimei ~]# firewall-cmd --version
0.8.4

[egreshko@acer ~]$ traceroute 192.168.122.26
traceroute to 192.168.122.26 (192.168.122.26), 30 hops max, 60 byte packets
 1  192.168.2.127 (192.168.2.127)  2.735 ms  2.862 ms  3.540 ms
 2  192.168.122.26 (192.168.122.26)  4.319 ms !X  4.493 ms !X  4.629 ms !X

[egreshko@acer ~]$ ping -c 2 192.168.122.26
PING 192.168.122.26 (192.168.122.26) 56(84) bytes of data.
64 bytes from 192.168.122.26: icmp_seq=1 ttl=63 time=3.26 ms
64 bytes from 192.168.122.26: icmp_seq=2 ttl=63 time=3.01 ms

[egreshko@acer ~]$ ssh 192.168.122.26
egreshko@192.168.122.26's password:
Last login: Sun Nov  8 14:04:25 2020 from 192.168.2.116

[root@meimei ~]# firewall-cmd --zone=libvirt --list-all
libvirt (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: virbr0
  sources:
  services: dhcp dhcpv6 dns mountd nfs nfs3 rpc-bind ssh
  ports:
  protocols: icmp ipv6-icmp
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule priority="32767" reject

[root@meimei ~]# firewall-cmd --zone=trusted --list-all
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: wlp4s0
  sources:
  services: dns kdeconnect mdns mountd nfs nfs3 rpc-bind samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
G'day Ed,
Thank you for the feedback.
From my testing I found that if a zone has "target: ACCEPT" then all traffic passes through firewalld even if you have a rich-rule to explicitly drop/reject a host/network/service. You might as well disable firewalld.
To me it seems that firewalld is only a host-based firewall and not a perimeter firewall to block/allow access to your network... unless you're NATing.
On Sun, Nov 08, 2020 at 02:03:37AM -0000, Robert Smuhar wrote:
> Hi, I'm struggling to set up firewalld to pass traffic between 2 networks. Is this possible with firewalld?
Until v0.9.0 firewalld was effectively an end station firewall. This means it did not support FORWARD filtering.
> My lab setup is:
>
> Server (ens192:192.168.3.2) <-> (ens224:192.168.3.1) firewall (ens192:192.168.110.8) <-> (ens192:192.168.110.9) client
>
> Freshly installed CentOS 8.2 (2004), server installation with no GUI on all 3 VMs.
>
> [root@firewall ~]# sysctl net.ipv4.ip_forward
> net.ipv4.ip_forward = 1
>
> Client can ping Server
>
> [root@client ~]# ping -c 3 192.168.3.2
> PING 192.168.3.2 (192.168.3.2) 56(84) bytes of data.
> 64 bytes from 192.168.3.2: icmp_seq=1 ttl=63 time=0.530 ms
> 64 bytes from 192.168.3.2: icmp_seq=2 ttl=63 time=0.552 ms
> 64 bytes from 192.168.3.2: icmp_seq=3 ttl=63 time=0.444 ms
ICMP works because zones with a target of "default" will explicitly allow FORWARDed ICMP packets.
> Client can't get to the server's ssh port.
>
> [root@client ~]# nc 192.168.3.2 22
> Ncat: No route to host.

However, SSH is dropped because there are no FORWARD rules to allow it. Older firewalld versions do _not_ support FORWARD filtering.
> [root@firewall ~]# systemctl stop firewalld
>
> [root@client ~]# nc 192.168.3.2 22
> SSH-2.0-OpenSSH_8.0
>
> So far things are working as expected.
>
> I configure firewalld as follows:
>
> [root@firewall ~]# systemctl start firewalld
> [root@firewall ~]# firewall-cmd --version
> 0.8.0
> [root@firewall ~]# firewall-cmd --zone=public --remove-interface=ens192
> success
> [root@firewall ~]# firewall-cmd --zone=public --remove-interface=ens224
> success
> [root@firewall ~]# firewall-cmd --zone=dmz --add-interface=ens224
> success
> [root@firewall ~]# firewall-cmd --zone=internal --add-interface=ens192
> success
> [root@firewall ~]# firewall-cmd --zone=internal --add-rich-rule='rule family=ipv4 source address=192.168.110.9/32 destination address=192.168.3.2/32 service name=ssh accept'
> success

Rich rules added to a zone will filter on the INPUT. They will _not_ filter FORWARDed packets.
> [root@firewall ~]# firewall-cmd --zone=internal --list-all
> internal (active)
>   target: default
>   icmp-block-inversion: no
>   interfaces: ens192
>   sources:
>   services: cockpit dhcpv6-client mdns samba-client ssh
>   ports:
>   protocols:
>   masquerade: no
>   forward-ports:
>   source-ports:
>   icmp-blocks:
>   rich rules:
>         rule family="ipv4" source address="192.168.110.9/32" destination address="192.168.3.2/32" service name="ssh" accept
> [root@firewall ~]# firewall-cmd --zone=dmz --list-all
> dmz (active)
>   target: default
>   icmp-block-inversion: no
>   interfaces: ens224
>   sources:
>   services: ssh
>   ports:
>   protocols:
>   masquerade: no
>   forward-ports:
>   source-ports:
>   icmp-blocks:
>   rich rules:
>
> [root@client ~]# nc 192.168.3.2 22
> Ncat: No route to host.
>
> Shouldn't this work? What am I missing?

No. Newer firewalld versions have native support for FORWARD and OUTPUT filtering.
See these posts:
- https://firewalld.org/2020/09/policy-objects-introduction
- https://firewalld.org/2020/09/policy-objects-filtering-container-and-vm-traf...
G'day Eric,
Thank you for the feedback and the example. It is much appreciated.
This worked in my lab setup:
[root@firewall ~]# firewall-cmd --permanent --zone=FedoraServer --remove-interface=ens192
[root@firewall ~]# firewall-cmd --permanent --zone=FedoraServer --remove-interface=ens224
[root@firewall ~]# firewall-cmd --permanent --zone=dmz --add-interface=ens224
[root@firewall ~]# firewall-cmd --permanent --zone=internal --add-interface=ens192
[root@firewall ~]# firewall-cmd --permanent --new-policy InternalToDmz
[root@firewall ~]# firewall-cmd --permanent --policy InternalToDmz --add-ingress-zone internal
[root@firewall ~]# firewall-cmd --permanent --policy InternalToDmz --add-egress-zone dmz
[root@firewall ~]# firewall-cmd --permanent --policy InternalToDmz --add-service ssh
[root@firewall ~]# firewall-cmd --reload
So what is the "destination address=" parameter in the rich-rule for?
Also, would you have any ideas when firewalld v0.9.x will make it into the CentOS build?
Rob
On Tue, Nov 10, 2020 at 09:53:46AM -0000, Robert Smuhar wrote:
> G'day Eric,
>
> Thank you for the feedback and the example. It is much appreciated.
>
> This worked in my lab setup:
>
> [root@firewall ~]# firewall-cmd --permanent --zone=FedoraServer --remove-interface=ens192
> [root@firewall ~]# firewall-cmd --permanent --zone=FedoraServer --remove-interface=ens224
> [root@firewall ~]# firewall-cmd --permanent --zone=dmz --add-interface=ens224
> [root@firewall ~]# firewall-cmd --permanent --zone=internal --add-interface=ens192
> [root@firewall ~]# firewall-cmd --permanent --new-policy InternalToDmz
> [root@firewall ~]# firewall-cmd --permanent --policy InternalToDmz --add-ingress-zone internal
> [root@firewall ~]# firewall-cmd --permanent --policy InternalToDmz --add-egress-zone dmz
> [root@firewall ~]# firewall-cmd --permanent --policy InternalToDmz --add-service ssh
> [root@firewall ~]# firewall-cmd --reload
>
> So what is the "destination address=" parameter in the rich-rule for?
It matches the destination IP address.
> Also, would you have any ideas when firewalld v0.9.x will make it into the CentOS build?
Probably not until CentOS 8.5 or later.
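Eric's policy commands and Rob's follow-up question about "destination address=" come together in the script below. It is an added example for this thread, not code from the firewalld project or from anyone on the list. It builds the InternalToDmz policy as Eric described and then narrows it to one client and one server by attaching the rich rule to the policy instead of to a zone: on a zone that rule only filters INPUT to the firewall itself (which is why Rob's 0.8.0 attempt did nothing for forwarded SSH), while on a policy the same source/destination match applies to the forwarded flow. It assumes firewalld 0.9.0 or later, Rob's lab interface names and addresses, root on the firewall host, and a DRY_RUN variable of my own that prints the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example for this thread (not firewalld project code, not from the list).
# Assumes firewalld >= 0.9.0 (policy objects), Rob's lab addressing, and that
# it runs as root on the firewall host. DRY_RUN=1 (my convention, not a
# firewalld option) prints each command instead of executing it.
set -eu

POLICY="${POLICY:-InternalToDmz}"      # policy name, as in the thread
IN_IF="${IN_IF:-ens192}"               # firewall side facing the client LAN
DMZ_IF="${DMZ_IF:-ens224}"             # firewall side facing the server
CLIENT="${CLIENT:-192.168.110.9}"      # the only host allowed through
SERVER="${SERVER:-192.168.3.2}"        # the only destination it may reach

# Run a command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Everything goes into the permanent config; --reload at the end makes it live.
apply_policy() {
  # --change-interface moves the interface out of whatever zone holds it now,
  # replacing the remove-from-public / add-to-X pair used in the thread.
  run firewall-cmd --permanent --zone=dmz --change-interface="$DMZ_IF"
  run firewall-cmd --permanent --zone=internal --change-interface="$IN_IF"

  # The policy is what filters FORWARDed traffic; zones alone never did.
  run firewall-cmd --permanent --new-policy "$POLICY"
  run firewall-cmd --permanent --policy "$POLICY" --add-ingress-zone internal
  run firewall-cmd --permanent --policy "$POLICY" --add-egress-zone dmz

  # A policy's default target is CONTINUE; REJECT makes this policy the last
  # word for internal->dmz, so anything not matched below is refused. Expect
  # the ping that got through before to stop as well.
  run firewall-cmd --permanent --policy "$POLICY" --set-target REJECT

  # Same rich rule Rob put on the zone, but on the policy it matches the
  # forwarded flow: only CLIENT may reach SERVER, and only on the ssh service.
  run firewall-cmd --permanent --policy "$POLICY" --add-rich-rule="rule family=ipv4 source address=$CLIENT/32 destination address=$SERVER/32 service name=ssh accept"

  run firewall-cmd --reload
}

# Read back the live state. A failed --reload leaves the old ruleset in place,
# so never trust the "success" printed by the --permanent calls alone.
verify_policy() {
  run firewall-cmd --get-active-policies
  run firewall-cmd --info-policy "$POLICY"
  # With the nftables backend the policy gets chains of its own; under set -e
  # an empty grep aborts the script, which is the failure you want to see.
  run sh -c "nft list ruleset | grep -n 'policy_$POLICY'"
}

# Only act when invoked as "apply"; sourcing the file just defines the functions.
if [ "${1:-}" = "apply" ]; then
  apply_policy
  verify_policy
fi
```

Run `DRY_RUN=1 ./internal-to-dmz.sh apply` first to review the exact firewall-cmd lines, then without DRY_RUN on the firewall. Two caveats a practitioner would want: if ens192/ens224 are NetworkManager-managed, NM owns the zone assignment and will put the interfaces back unless the zone is set on the connection (`nmcli connection modify <name> connection.zone internal`), and AllowZoneDrifting should stay at its default of "no" as Eric said. From the client, `nc -vz 192.168.3.2 22` should succeed while the same test from any other internal host, or to any other dmz port, is rejected.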
firewalld-users@lists.fedorahosted.org