Hello.
I want to route without NAT (NAPT) on a host with firewalld.
Stack Exchange posts and others have previously recommended using direct rules and not using firewalld.
https://unix.stackexchange.com/questions/493275/firewalld-to-allow-routing-w...
The backend is nftables. I'm using AlmaLinux 9. So the package version is firewalld-1.0.0.
Please give me some information, even if it's just a little.
Thanks, regards
On Thu, Oct 6, 2022 at 3:32 PM Mototsugu Ohgami gamix255@gmail.com wrote:
Hello.
I want to route without NAT (NAPT) on a host with firewalld.
Stack Exchange posts and others have previously recommended using direct rules and not using firewalld.
Direct rules are part of firewalld configuration. Maybe you mean "use iptables directly" without firewalld. This is always an option and you need to decide.
https://unix.stackexchange.com/questions/493275/firewalld-to-allow-routing-w...
The backend is nftables. I'm using AlmaLinux 9. So the package version is firewalld-1.0.0.
Please give me some information, even if it's just a little.
firewalld allows traffic between interfaces in the same zone by design.
To manage traffic between different zones use policies: https://firewalld.org/2020/09/policy-objects-introduction
Thank you Andrei.
I was able to avoid the problem this time by assigning the interfaces to the same zone, as you said.
Thank you for your kindness. Many thanks.
On Thu, Oct 6, 2022 at 21:48 Andrei Borzenkov arvidjaar@gmail.com wrote:
On Thu, Oct 06, 2022 at 11:35:38AM +0900, Mototsugu Ohgami wrote:
Hello.
I want to route without NAT (NAPT) on a host with firewalld.
Stack Exchange posts and others have previously recommended using direct rules and not using firewalld.
https://unix.stackexchange.com/questions/493275/firewalld-to-allow-routing-w...
The backend is nftables. I'm using AlmaLinux 9. So the package version is firewalld-1.0.0.
Please give me some information, even if it's just a little.
This can be done natively in firewalld with policies [1].
This example allows internal to external. You'll want a second policy for external to internal, or for whatever zones you are using.
# firewall-cmd --permanent --new-policy intToExt
# firewall-cmd --permanent --policy intToExt --add-ingress-zone internal
# firewall-cmd --permanent --policy intToExt --add-egress-zone external
# firewall-cmd --permanent --policy intToExt --set-target ACCEPT
# firewall-cmd --reload
[1]: https://firewalld.org/2020/09/policy-objects-introduction
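Eric's policy recipe above, together with Andrei's point that interfaces in one zone forward to each other by design (firewalld 1.0.0 turned intra-zone forwarding on by default, which is why the same-zone workaround works), as one complete script. This is an added example, not code from the thread or from the firewalld project. It assumes the zone names internal and external, the interface names eth1 (inside) and eth0 (outside), and ssh as the one service exposed toward the inside; change those to match your host. It prints the commands by default and only executes them when run as root with APPLY=1.

```shell
#!/bin/sh
# Added example, not code from the thread: NAT-free routing between two
# firewalld zones with policy objects. It creates Eric's intToExt policy,
# the second (return-direction) policy he says you will want, and sets the
# kernel forwarding sysctl, which firewalld does not set for you here.
# Zone names, interface names and the exposed service are assumptions for
# illustration; adjust them to your host.
#
# Dry run by default: prints the commands it would execute.
# Run as root with APPLY=1 to execute them.

APPLY=${APPLY:-0}
INT_ZONE=${INT_ZONE:-internal}
EXT_ZONE=${EXT_ZONE:-external}
INT_IF=${INT_IF:-eth1}   # assumed inside interface
EXT_IF=${EXT_IF:-eth0}   # assumed outside interface

# Execute a command, or print it when not applying.
run() {
    if [ "$APPLY" = 1 ]; then
        "$@"
    else
        echo "$*"
    fi
}

# Bind each interface to its zone. On a NetworkManager-managed host
# firewalld hands this to NM (connection.zone), which is what persists.
bind_interfaces() {
    run firewall-cmd --permanent --zone="$INT_ZONE" --change-interface="$INT_IF"
    run firewall-cmd --permanent --zone="$EXT_ZONE" --change-interface="$EXT_IF"
}

# Policy 1: internal -> external, accept everything forwarded that way.
policy_int_to_ext() {
    run firewall-cmd --permanent --new-policy intToExt
    run firewall-cmd --permanent --policy intToExt --add-ingress-zone "$INT_ZONE"
    run firewall-cmd --permanent --policy intToExt --add-egress-zone "$EXT_ZONE"
    run firewall-cmd --permanent --policy intToExt --set-target ACCEPT
}

# Policy 2: external -> internal. A plain ACCEPT here would make the box an
# open router from the outside, so this rejects by default and forwards
# only one named service inward. Replies to connections opened from the
# inside still pass: firewalld accepts established/related conntrack
# state before the zone and policy chains are consulted.
policy_ext_to_int() {
    service=${1:-ssh}   # assumed service to expose toward the inside
    run firewall-cmd --permanent --new-policy extToInt
    run firewall-cmd --permanent --policy extToInt --add-ingress-zone "$EXT_ZONE"
    run firewall-cmd --permanent --policy extToInt --add-egress-zone "$INT_ZONE"
    run firewall-cmd --permanent --policy extToInt --set-target REJECT
    run firewall-cmd --permanent --policy extToInt --add-service "$service"
}

# Policies only filter forwarded packets; the kernel must forward at all.
# firewalld switches this on when masquerade is used, not for NAT-free
# routing, so set it explicitly and persist it across reboots.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
    if [ "$APPLY" = 1 ]; then
        printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/90-forward.conf
    else
        echo "write 'net.ipv4.ip_forward = 1' to /etc/sysctl.d/90-forward.conf"
    fi
}

# Activate the permanent configuration and show what is in effect.
activate_and_verify() {
    run firewall-cmd --reload
    run firewall-cmd --get-active-zones
    run firewall-cmd --info-policy intToExt
    run firewall-cmd --info-policy extToInt
    run sysctl net.ipv4.ip_forward
}

main() {
    bind_interfaces
    policy_int_to_ext
    policy_ext_to_int "${1:-ssh}"
    enable_forwarding
    activate_and_verify
}

main "$@"
```

Run it once without APPLY to read the plan, then `APPLY=1 sh route-zones.sh https` (or whatever service you want reachable from outside) to apply it. The REJECT target on extToInt is the part that differs from a symmetric copy of Eric's example; drop the `--add-service` line if nothing should be reachable from the external side at all.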
Thank you Eric.
I got around the problem by assigning the interfaces to the same zone.
I also tried the policy you gave me, but at that time I was not getting the right configuration due to a more basic parameter mistake.
Thank you for your kindness. Many thanks.
On Fri, Oct 7, 2022 at 1:33 Eric Garver egarver@redhat.com wrote:
firewalld-users@lists.fedorahosted.org