Hello,
So I've been following firewalld, and previously I was under the assumption that a particular feature wasn't yet there. Now it seems that it is.
I have a machine that is on a DMZ, so we have an external router which hands out private subnet IPs, but forwards all traffic to one machine in that subnet. That machine runs Fedora 19 (firewalld-0.3.3-2).
I'm wondering if with the 'sources' option I can open particular services (let's say nfs, for example) to the internal subnet, but not the external. Is that the correct understanding of what is meant by sources?
If that is the case, are there docs/examples of how to create a configuration where some services are allowed by all connections, and others are allowed based on source?
On 06/20/2013 05:16 PM, Nathanael D. Noblet wrote:
> Hello,
> So I've been following firewalld, and previously I was under the assumption that a particular feature wasn't yet there. Now it seems that it is.
> I have a machine that is on a DMZ, so we have an external router which hands out private subnet IPs, but forwards all traffic to one machine in that subnet. That machine runs Fedora 19 (firewalld-0.3.3-2).
> I'm wondering if with the 'sources' option I can open particular services (let's say nfs, for example) to the internal subnet, but not the external. Is that the correct understanding of what is meant by sources?
Yes it is.
> If that is the case, are there docs/examples of how to create a configuration where some services are allowed by all connections, and others are allowed based on source?
You have two choices:
1) You can bind a zone to the internal subnet (e.g. 192.168.2.1/24) and use another or the default zone for the external subnet.
2) You can use rich language rules and add the source for the rules. (See https://fedoraproject.org/wiki/Features/FirewalldRichLanguage for examples). The GUI (firewall-config) is not able to handle rich rules yet. But we are working on this.
Thomas
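The two choices in the reply above, written out as firewall-cmd invocations. This is an added example, not part of the thread and not from the firewalld project; it assumes the internal subnet is 192.168.2.0/24 (the reply writes 192.168.2.1/24), that the default zone is "public", and that nfs should be reachable only from the internal subnet while http stays open to everyone. Because firewalld matches a packet against zone sources before interfaces, traffic that the external router forwards from the internet arrives with public source addresses and therefore falls through to the default zone, which is what keeps nfs hidden from it. The FWCMD variable is an assumed convenience so the script can be dry-run with FWCMD=echo on a machine without firewalld.

```shell
#!/bin/sh
# Added example (not from the thread): restrict nfs to the internal subnet
# while leaving http open to all, using both approaches from the reply.
# Assumptions: internal subnet 192.168.2.0/24, default zone "public".
INTERNAL_NET="${INTERNAL_NET:-192.168.2.0/24}"

# Wrapper so the script can be dry-run: FWCMD=echo replaces firewall-cmd.
fw() { "${FWCMD:-firewall-cmd}" "$@"; }

# Option 1: bind the internal subnet to the "internal" zone and open nfs
# there; services for everyone go into the default zone. Source bindings
# take precedence over interface bindings, so 192.168.2.0/24 clients are
# handled by "internal" and all other sources by "public".
zone_approach() {
    fw --permanent --zone=internal --add-source="$INTERNAL_NET"
    fw --permanent --zone=internal --add-service=nfs
    fw --permanent --zone=public --add-service=http
    fw --reload
}

# Option 2: keep one zone and add a rich rule that accepts nfs only when the
# source address is inside the internal subnet. Note that nfs is NOT added
# as a plain service here; that would open it to every source.
rich_rule_approach() {
    fw --permanent --zone=public --add-rich-rule="rule family=\"ipv4\" source address=\"$INTERNAL_NET\" service name=\"nfs\" accept"
    fw --permanent --zone=public --add-service=http
    fw --reload
}

# Checks worth running afterwards: confirm which zone the subnet landed in
# and that nfs is absent from the default zone's plain service list.
verify() {
    fw --get-active-zones
    fw --zone=public --list-services
    fw --zone=public --list-rich-rules
}
```

Pick one approach rather than both. With option 1, `firewall-cmd --get-active-zones` should list the subnet under `internal` (as a `sources:` entry) while the interface stays under `public`; with option 2, `--list-services` for `public` should show `http` but not `nfs`, and the rich rule should appear under `--list-rich-rules`.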
firewalld-users@lists.fedorahosted.org