routing without NAT (NAPT) - firewalld-users - Fedora Mailing-Lists

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

routing without NAT (NAPT)

FirewallD allows all port

New Concepts Page:...

Mototsugu Ohgami

Wednesday, 5 October 2022 Wed, 5 Oct '22

9:35 p.m.

Hello. I want to routing without NAT (NAPT) on a host with firewalld. Stack Exchange posts and others have previously recommended using direct rules and not using firewalld. https://unix.stackexchange.com/questions/493275/firewalld-to-allow-routin... The backend is nftables. I'm using alma linux 9. So the package version is firewalld-1.0.0. Please give me some information, even if it's just a little. thanks,regards

Reply

Show replies by date

Andrei Borzenkov

Thursday, 6 October Thu, 6 Oct

7:48 a.m.

On Thu, Oct 6, 2022 at 3:32 PM Mototsugu Ohgami <gamix255(a)gmail.com> wrote:

Hello. I want to routing without NAT (NAPT) on a host with firewalld. Stack Exchange posts and others have previously recommended using direct rules and not using firewalld.

Direct rules are part of firewalld configuration. May be you mean "use iptables directly" without firewalld. This is always an option and you need to decide.

https://unix.stackexchange.com/questions/493275/firewalld-to-allow-routin... The backend is nftables. I'm using alma linux 9. So the package version is firewalld-1.0.0. Please give me some information, even if it's just a little.

firewalld allows traffic between interfaces in the same zone by design. To manage traffic between different zones use policies: https://firewalld.org/2020/09/policy-objects-introduction

Reply

Mototsugu Ohgami

3:42 p.m.

Thank you Andrei. I was able to avoid the problem this time by assigning the interfaces under the same Zone as you said. Thank you for your kindness. Many thanks. 2022年10月6日(木) 21:48 Andrei Borzenkov <arvidjaar(a)gmail.com>: > > On Thu, Oct 6, 2022 at 3:32 PM Mototsugu Ohgami <gamix255(a)gmail.com> wrote: > > > > Hello. > > > > I want to routing without NAT (NAPT) on a host with firewalld. > > > > Stack Exchange posts and others have previously recommended using > > direct rules and not using firewalld. > > > > Direct rules are part of firewalld configuration. May be you mean "use > iptables directly" without firewalld. This is always an option and you > need to decide. > > > https://unix.stackexchange.com/questions/493275/firewalld-to-allow-routin... > > > > The backend is nftables. > > I'm using alma linux 9. > > So the package version is firewalld-1.0.0. > > > > Please give me some information, even if it's just a little. > > > > firewalld allows traffic between interfaces in the same zone by design. > > To manage traffic between different zones use policies: > https://firewalld.org/2020/09/policy-objects-introduction

Reply

Eric Garver

11:33 a.m.

On Thu, Oct 06, 2022 at 11:35:38AM +0900, Mototsugu Ohgami wrote:

Hello. I want to routing without NAT (NAPT) on a host with firewalld. Stack Exchange posts and others have previously recommended using direct rules and not using firewalld. https://unix.stackexchange.com/questions/493275/firewalld-to-allow-routin... The backend is nftables. I'm using alma linux 9. So the package version is firewalld-1.0.0. Please give me some information, even if it's just a little.

This can be done natively in firewalld with policies [1]. This example allows internal to external. You'll want a second policy for external to internal.. or for whatever zones you are using. # firewall-cmd --permanent --new-policy intToExt # firewall-cmd --permanent --policy intToExt --add-ingress-zone internal # firewall-cmd --permanent --policy intToExt --add-egress-zone external # firewall-cmd --permanent --policy intToExt --set-target ACCEPT # firewall-cmd --reload [1]: https://firewalld.org/2020/09/policy-objects-introduction

Reply

Mototsugu Ohgami

3:45 p.m.

Thank you Eric. I got around the problem by assigning the interfaces under the same Zone. I also tried the policy you gave me, but at that time I was not getting the right configuration due to a more basic parameter mistake. Thank you for your kindness. Many thanks. 2022年10月7日(金) 1:33 Eric Garver <egarver(a)redhat.com>: > > On Thu, Oct 06, 2022 at 11:35:38AM +0900, Mototsugu Ohgami wrote: > > Hello. > > > > I want to routing without NAT (NAPT) on a host with firewalld. > > > > Stack Exchange posts and others have previously recommended using > > direct rules and not using firewalld. > > > > https://unix.stackexchange.com/questions/493275/firewalld-to-allow-routin... > > > > The backend is nftables. > > I'm using alma linux 9. > > So the package version is firewalld-1.0.0. > > > > Please give me some information, even if it's just a little. > > This can be done natively in firewalld with policies [1]. > > This example allows internal to external. You'll want a second policy > for external to internal.. or for whatever zones you are using. > > # firewall-cmd --permanent --new-policy intToExt > # firewall-cmd --permanent --policy intToExt --add-ingress-zone internal > # firewall-cmd --permanent --policy intToExt --add-egress-zone external > # firewall-cmd --permanent --policy intToExt --set-target ACCEPT > # firewall-cmd --reload > > [1]: https://firewalld.org/2020/09/policy-objects-introduction >

Reply

570

days inactive

570

days old

firewalld-users@lists.fedorahosted.org

Manage subscription

4 comments

3 participants

tags (0)

participants (3)

Andrei Borzenkov
Eric Garver
Mototsugu Ohgami