On Thu, May 04, 2023 at 01:18:27PM +0000, Will Furnell - STFC UKRI wrote:
[..]
> Is there a way to get firewalld to evaluate rules in multiple zones in a chain like icinga -> public -> DENY?

No. But you can use a policy to common-ize some things. The below policy applies to both zones, icinga and public.

e.g.

# firewall-cmd --permanent --new-policy mypolicy
# firewall-cmd --permanent --policy mypolicy --add-ingress-zone icinga
# firewall-cmd --permanent --policy mypolicy --add-ingress-zone public
# firewall-cmd --permanent --policy mypolicy --add-egress-zone HOST
# firewall-cmd --permanent --policy mypolicy --add-service cinga
# firewall-cmd --reload

Then you could add your unique services, e.g. https, to the public zone or a separate policy.

Hope that helps.
Eric.

https://firewalld.org/documentation/concepts.html
https://firewalld.org/2020/09/policy-objects-introduction
On 04.05.2023 22:58, Eric Garver wrote:
> On Thu, May 04, 2023 at 01:18:27PM +0000, Will Furnell - STFC UKRI wrote:
> [..]
>> Is there a way to get firewalld to evaluate rules in multiple zones in a chain like icinga -> public -> DENY?
>
> No. But you can use a policy to common-ize some things. The below policy applies to both zones, icinga and public.
>
> e.g.
>
> # firewall-cmd --permanent --new-policy mypolicy
> # firewall-cmd --permanent --policy mypolicy --add-ingress-zone icinga
> # firewall-cmd --permanent --policy mypolicy --add-ingress-zone public
> # firewall-cmd --permanent --policy mypolicy --add-egress-zone HOST
> # firewall-cmd --permanent --policy mypolicy --add-service cinga

This will open service cinga to all hosts in public zone while the intent is to open it only to hosts in icinga zone.

I suppose one could implement target=CONTINUE for source zones for such use cases.

> # firewall-cmd --reload
>
> Then you could add your unique services, e.g. https, to the public zone or a separate policy.
>
> Hope that helps.
> Eric.
>
> https://firewalld.org/documentation/concepts.html
> https://firewalld.org/2020/09/policy-objects-introduction

_______________________________________________
firewalld-users mailing list -- firewalld-users@lists.fedorahosted.org
To unsubscribe send an email to firewalld-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedorahos...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
On Fri, May 05, 2023 at 07:23:47AM +0300, Andrei Borzenkov wrote:
> On 04.05.2023 22:58, Eric Garver wrote:
>> On Thu, May 04, 2023 at 01:18:27PM +0000, Will Furnell - STFC UKRI wrote:
>> [..]
>>> Is there a way to get firewalld to evaluate rules in multiple zones in a chain like icinga -> public -> DENY?
>>
>> No. But you can use a policy to common-ize some things. The below policy applies to both zones, icinga and public.
>>
>> e.g.
>>
>> # firewall-cmd --permanent --new-policy mypolicy
>> # firewall-cmd --permanent --policy mypolicy --add-ingress-zone icinga
>> # firewall-cmd --permanent --policy mypolicy --add-ingress-zone public
>> # firewall-cmd --permanent --policy mypolicy --add-egress-zone HOST
>> # firewall-cmd --permanent --policy mypolicy --add-service cinga
>
> This will open service cinga to all hosts in public zone while the intent is to open it only to hosts in icinga zone.

Right. My bad. Concept still applies though. OP wanted to expose http to both. I used the wrong service.

Should be:

# firewall-cmd --permanent --policy mypolicy --add-service http
Thank you very much - unfortunately that has not solved my problem - for example, I have port 22 for SSH open in the public zone, which has no source restrictions:
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="cockpit"/>
  <forward/>
</zone>
And the Icinga zone as in previous emails, and the new policy as follows:
<policy target="CONTINUE">
  <service name="icinga"/>
  <ingress-zone name="icinga"/>
  <ingress-zone name="public"/>
  <egress-zone name="HOST"/>
</policy>
But it still seems that the servers in the icinga ipset cannot SSH to the server that has this firewall - they _only_ are allowed to access the icinga service. Basically I want to restrict who can access the icinga port, but otherwise let any servers, including the icinga servers themselves, access any other services - and do this in a way that allows me, the monitoring admin to only need to drop in XML files or something similar via an RPM,
Thank you,
Will.
-----Original Message-----
From: Eric Garver <egarver@redhat.com>
Sent: 04 May 2023 20:58
To: Furnell, Will (STFC,RAL,SC) <will.furnell@stfc.ac.uk>
Cc: firewalld-users@lists.fedorahosted.org
Subject: Re: Evaluating monitoring rules in multiple zones (public and another zone)

On Thu, May 04, 2023 at 01:18:27PM +0000, Will Furnell - STFC UKRI wrote:
[..]
> Is there a way to get firewalld to evaluate rules in multiple zones in a chain like icinga -> public -> DENY?

No. But you can use a policy to common-ize some things. The below policy applies to both zones, icinga and public.

e.g.

# firewall-cmd --permanent --new-policy mypolicy
# firewall-cmd --permanent --policy mypolicy --add-ingress-zone icinga
# firewall-cmd --permanent --policy mypolicy --add-ingress-zone public
# firewall-cmd --permanent --policy mypolicy --add-egress-zone HOST
# firewall-cmd --permanent --policy mypolicy --add-service cinga
# firewall-cmd --reload

Then you could add your unique services, e.g. https, to the public zone or a separate policy.

Hope that helps.
Eric.

https://firewalld.org/documentation/concepts.html
https://firewalld.org/2020/09/policy-objects-introduction
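The behaviour Will reports (icinga hosts reach only the icinga service, not ssh) follows from how firewalld binds traffic to zones, and the following small Python model makes that concrete. It is an added example for this page, not code from the firewalld project or from any of the posters, and it deliberately simplifies firewalld's real packet dispatch to three rules: a packet is bound to exactly one zone, with a source (ipset) match beating an interface match and no fall-through to a second zone; policies whose ingress zone matches and whose egress zone is HOST are consulted before the zone's own rules (firewalld's default policy priority puts them there); an unmatched packet ends at the zone's default target, which rejects. The host addresses, the interface name, the contents of the icinga zone and the second "suggested" configuration (one reading of Eric's advice to put shared services in a separate policy) are constructed assumptions and have not been verified on a real host.

```python
from dataclasses import dataclass, field

# Simplified model of firewalld zone/policy dispatch, written for this page (not firewalld code).
# Assumptions: one zone per packet (source match first, then interface), policies with a
# matching ingress zone and egress zone HOST are consulted before the zone's own rules,
# and an unmatched packet ends at the zone's default target, which rejects.

@dataclass
class Zone:
    name: str
    services: set
    sources: set = field(default_factory=set)      # ipset members, here plain host strings
    interfaces: set = field(default_factory=set)
    target: str = "default"                         # "default" rejects unmatched traffic

@dataclass
class Policy:
    name: str
    ingress_zones: set
    egress_zones: set
    services: set
    target: str = "CONTINUE"                        # firewalld's default policy target

def zone_for_packet(zones, src, iface):
    """Bind a packet to exactly one zone: a source match wins over an interface match,
    and there is no chaining of the form icinga -> public -> DENY."""
    for z in zones:
        if src in z.sources:
            return z
    for z in zones:
        if iface in z.interfaces:
            return z
    return None

def evaluate(zones, policies, src, iface, service):
    """Return the verdict for a new inbound connection to the firewall host itself."""
    zone = zone_for_packet(zones, src, iface)
    if zone is None:
        return "DROP"
    # Policies whose ingress zone is the bound zone (egress HOST) run before the zone rules.
    for p in policies:
        if zone.name in p.ingress_zones and "HOST" in p.egress_zones:
            if service in p.services:
                return "ACCEPT"
            if p.target != "CONTINUE":
                return p.target
    if service in zone.services:
        return "ACCEPT"
    return "REJECT" if zone.target == "default" else zone.target

# Constructed sample data: two monitoring hosts in the icinga ipset and one ordinary client.
ICINGA_HOSTS = {"10.0.0.11", "10.0.0.12"}
OTHER_HOST = "192.0.2.50"
IFACE = "eth0"

def thread_config():
    """The setup described in the thread: public carries ssh/dhcpv6-client/cockpit, the
    icinga zone is bound to the ipset (its services are assumed), and mypolicy opens the
    icinga service from both ingress zones."""
    zones = [
        Zone("icinga", services={"icinga"}, sources=set(ICINGA_HOSTS)),
        Zone("public", services={"ssh", "dhcpv6-client", "cockpit"}, interfaces={IFACE}),
    ]
    policies = [Policy("mypolicy", {"icinga", "public"}, {"HOST"}, {"icinga"})]
    return zones, policies

def suggested_config():
    """One reading of Eric's suggestion (an assumption, not verified on a real host): keep
    the icinga service in a policy whose only ingress zone is icinga, and put the services
    every host may reach in a second policy that has both ingress zones."""
    zones = [
        Zone("icinga", services=set(), sources=set(ICINGA_HOSTS)),
        Zone("public", services={"dhcpv6-client"}, interfaces={IFACE}),
    ]
    policies = [
        Policy("icinga-only", {"icinga"}, {"HOST"}, {"icinga"}),
        Policy("shared", {"icinga", "public"}, {"HOST"}, {"ssh", "cockpit"}),
    ]
    return zones, policies

def verdicts(config):
    """Verdict table for (client kind, service) under the given configuration builder."""
    zones, policies = config()
    return {
        (who, svc): evaluate(zones, policies, host, IFACE, svc)
        for who, host in (("icinga-host", "10.0.0.11"), ("other-host", OTHER_HOST))
        for svc in ("icinga", "ssh")
    }

if __name__ == "__main__":
    for cfg in (thread_config, suggested_config):
        print(cfg.__name__)
        for (who, svc), verdict in verdicts(cfg).items():
            print(f"  {who:12} -> {svc:7} {verdict}")
```

Under thread_config the model reproduces both remarks in the thread: the icinga service is accepted from the ordinary client as well (Andrei's point, because mypolicy lists public as an ingress zone), and ssh from a monitoring host is rejected (Will's point, because that host is bound to the icinga zone by its source and never sees the public zone's service list). Under suggested_config the icinga service is reachable only from the ipset members while ssh is reachable from both kinds of client. Removing a host from the ipset and re-running the table is the quickest check that the source binding, not the policy, is what decides the zone.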