Dear All
I am new to firewalld so I probably do not understand everything yet. I have a firewall with 3 interfaces: external connected to the WAN, internal connected to the LAN, and dmz connected to a server which hosts a web server and a mail server (fixed IP 192.168.8.3).
The firewalld configuration is as follows:
firewall-cmd --zone=internal --list-all
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: enx000ec68f6b7d
  sources:
  services: dhcp dhcpv6-client dns http https imap imaps mdns nfs ntp pop3 pop3s smtp smtps ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

firewall-cmd --zone=external --list-all
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: enxb827ebe2899e
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
    port=80:proto=tcp:toport=:toaddr=192.168.8.3
    port=443:proto=tcp:toport=:toaddr=192.168.8.3
    port=143:proto=tcp:toport=:toaddr=192.168.8.3
    port=993:proto=tcp:toport=:toaddr=192.168.8.3
    port=995:proto=tcp:toport=:toaddr=192.168.8.3
    port=110:proto=tcp:toport=:toaddr=192.168.8.3
    port=25:proto=tcp:toport=:toaddr=192.168.8.3
    port=465:proto=tcp:toport=:toaddr=192.168.8.3
    port=587:proto=tcp:toport=:toaddr=192.168.8.3
  source-ports:
  icmp-blocks:
  rich rules:

firewall-cmd --zone=dmz --list-all
dmz (active)
  target: default
  icmp-block-inversion: no
  interfaces: enx00e04c36084a
  sources:
  services: dhcp dns ntp ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
From a computer in the LAN, I can ping the DMZ server but I cannot ssh into it.
FINAL_REJECT: IN=enx000ec68f6b7d OUT=enx00e04c36084a MAC=00:0e:c6:8f:6b:7d:30:85:a9:0e:22:56:08:00 SRC=192.168.65.14 DST=192.168.8.3 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=32158 DF PROTO=TCP SPT=32770 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
If I turn off firewalld I can ssh into it. This means I have made a mistake in my configuration, but I have not found it.
After reading the docs and trying different things, including a rich rule like
firewall-cmd --zone=internal --add-rich-rule='rule family="ipv4" source address="192.168.65.0/24" accept'
I am still stuck.
Could someone point me in the right direction?
On Sat, Apr 11, 2020 at 05:32:48PM +0200, Jack.R wrote:
The packets from internal --> dmz are subject to FORWARD filtering. Since the "internal" zone is using --set-target=default it is subject to the rules documented in the man page [1] (specifically #2 in the section for --set-target). With your configuration this results in the FINAL_REJECT you show above.
Firewalld does not directly support forward filtering. However there is at least one workaround for your scenario:
1) Use the trusted zone instead of the internal zone. This will allow all forwarded traffic from the trusted zone to other zones. WARNING: This will allow ALL traffic to the host as well.
2) Use a direct rule (will NOT work with the nftables backend). Newer firewalld defaults to nftables, so this is not recommended. But you can use a direct rule to allow traffic from interface enx000ec68f6b7d (internal) to enx00e04c36084a (dmz):
# firewall-cmd --direct --add-rule ipv4 FORWARD 0 -i enx000ec68f6b7d -o enx00e04c36084a -j ACCEPT
Hope that helps.
Eric.
[1] https://firewalld.org/documentation/man-pages/firewall-cmd.html
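An added example, not part of Eric's reply or of firewalld itself: the distinction his explanation turns on is visible in the log line Jack posted. A FINAL_REJECT line with both IN= and OUT= carrying an interface was rejected on the FORWARD path (routed between two zones), while OUT= empty means the INPUT path (traffic to the firewall host itself). The POSIX shell helper below pulls those fields out of such lines (firewalld writes them to the kernel log when LogDenied is enabled). The first sample is the line from the thread; the second is constructed for the example, with DST=192.168.65.1 standing in for the firewall's LAN address.

```shell
#!/bin/sh
# Classify firewalld FINAL_REJECT kernel log lines by netfilter path.
# Both IN= and OUT= set  -> FORWARD (routed between zones)
# OUT= empty             -> INPUT   (destined to the firewall host)

# log_field LINE KEY: print the value of KEY= in LINE (empty if absent).
log_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# classify_reject LINE: one summary line, e.g.
#   FORWARD in=eth0 out=eth1 TCP 10.0.0.5->10.0.1.9 dpt=22
classify_reject() {
    line=$1
    in_if=$(log_field "$line" IN)
    out_if=$(log_field "$line" OUT)
    src=$(log_field "$line" SRC)
    dst=$(log_field "$line" DST)
    proto=$(log_field "$line" PROTO)
    dpt=$(log_field "$line" DPT)     # empty for ICMP lines
    if [ -n "$out_if" ]; then
        path=FORWARD
    else
        path=INPUT
    fi
    printf '%s in=%s out=%s %s %s->%s dpt=%s\n' \
        "$path" "$in_if" "$out_if" "$proto" "$src" "$dst" "$dpt"
}

# Sample 1: the forwarded SSH SYN from the thread (LAN host -> DMZ server).
SAMPLE_FORWARD='FINAL_REJECT: IN=enx000ec68f6b7d OUT=enx00e04c36084a MAC=00:0e:c6:8f:6b:7d:30:85:a9:0e:22:56:08:00 SRC=192.168.65.14 DST=192.168.8.3 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=32158 DF PROTO=TCP SPT=32770 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0'

# Sample 2 (constructed): the same LAN host reaching port 8080 on the
# firewall itself. OUT= is empty, so this is the INPUT path and the
# internal zone's own service list decides, not FORWARD filtering.
SAMPLE_INPUT='FINAL_REJECT: IN=enx000ec68f6b7d OUT= MAC=00:0e:c6:8f:6b:7d:30:85:a9:0e:22:56:08:00 SRC=192.168.65.14 DST=192.168.65.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0'

classify_reject "$SAMPLE_FORWARD"
classify_reject "$SAMPLE_INPUT"
```

To run it over a live system, feed it the matching lines from the kernel log, e.g. `journalctl -k | grep FINAL_REJECT | while IFS= read -r l; do classify_reject "$l"; done`; a FORWARD result means a zone service or rich rule on the ingress zone will not help, which is exactly why Jack's rich rule on the internal zone had no effect.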
On Mon, 13 Apr 2020 07:59:43 -0400, Eric Garver egarver@redhat.com wrote:
Hi Eric,
Your explanation is crystal clear; I completely missed what --set-target=default implies.
I am using the nftables backend, so I cannot use your second workaround. I will use the trusted zone until I have learned enough about nftables to write my own table/chain/rules directly and reduce that open bar.
Thanks a lot!
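The narrower alternative Jack alludes to, as an added example that is not from the thread and not firewalld's own code: firewalld 0.9 and later (newer than this exchange) express zone-to-zone forward filtering with policy objects, which work with the nftables backend, so the LAN interface can stay in the internal zone and only the listed services are forwarded to the DMZ. The zone names internal and dmz are the thread's; the policy name internal-to-dmz and the FWCMD dry-run variable are the example's own.

```shell
#!/bin/sh
# Added example: allow only SSH to be forwarded from the internal zone to
# the dmz zone with a firewalld policy object (firewalld >= 0.9), instead of
# moving the LAN interface into the trusted zone.
#
# FWCMD names the firewall-cmd binary. Set FWCMD=echo to print the calls
# without changing anything; if firewall-cmd is not installed the script
# falls back to echo on its own, so it is then a dry run.
FWCMD=${FWCMD:-firewall-cmd}
command -v "$FWCMD" >/dev/null 2>&1 || FWCMD=echo

# create_forward_policy NAME INGRESS_ZONE EGRESS_ZONE SERVICE...
# Builds a permanent policy whose allow-list is exactly the listed services;
# any other traffic routed from INGRESS_ZONE to EGRESS_ZONE is rejected by
# the policy target, so the listed services are the whole allow-list.
create_forward_policy() {
    name=$1; ingress=$2; egress=$3
    shift 3
    "$FWCMD" --permanent --new-policy "$name" || return 1
    "$FWCMD" --permanent --policy "$name" --add-ingress-zone "$ingress" || return 1
    "$FWCMD" --permanent --policy "$name" --add-egress-zone "$egress" || return 1
    for svc in "$@"; do
        "$FWCMD" --permanent --policy "$name" --add-service "$svc" || return 1
    done
    "$FWCMD" --permanent --policy "$name" --set-target REJECT || return 1
    # Permanent changes only take effect after a reload.
    "$FWCMD" --reload
}

# Policy name is the example's own; the zone names are the thread's.
# Add further services (e.g. http https) as extra arguments if the LAN
# should reach the DMZ web server directly as well.
create_forward_policy internal-to-dmz internal dmz ssh
```

Run it once with `FWCMD=echo sh policy.sh` to review the exact firewall-cmd calls, then without the override on the firewall to apply them; `firewall-cmd --info-policy internal-to-dmz` afterwards shows the ingress/egress zones and services the policy carries. Traffic in the reverse direction (dmz to internal) is untouched by this policy and stays rejected, which is the property a DMZ is meant to have.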