Hi, I'm using firewalld on a local network, and I set its zone to "Home". I had set up some servers with Docker, and they expose ports to the outside, such as 9000, 2342, etc.
These ports can always be accessed by others. How do I make these ports work like a built-in service? (Such as cockpit, which can be accessed by others only when I add it to the zone.)
On Tue, Jun 29, 2021 at 06:01:36AM -0000, DragonBillow Zhang wrote:
> Hi, I'm using firewalld on a local network, and I set its zone to "Home".
What do you mean by "set it's zone as home"? Do you mean you set the default zone to home? If so, that's why. All packets not assigned to a zone fall to the default zone.
> I had set up some servers with Docker, and they expose ports to the outside, such as 9000, 2342, etc.
> These ports can always be accessed by others. How do I make these ports work like a built-in service? (Such as cockpit, which can be accessed by others only when I add it to the zone.)
On Tue, Jun 29, 2021 at 06:01:36AM -0000, DragonBillow Zhang wrote:
> What do you mean by "set it's zone as home"? Do you mean you set the default zone to home? If so, that's why. All packets not assigned to a zone fall to the default zone.
The default zone of firewalld is public, but the active zone is home. The commands show:
```
# firewall-cmd --get-default-zone
public
# firewall-cmd --get-active-zones
docker
  interfaces: br-06ed83c1b88d br-09ee97155bb0 br-828f7b8ffdb4 docker0
home
  interfaces: wlp2s0
```
I'm now connected to the family WiFi, so I set its zone to "home".
> All packets not assigned to a zone fall to the default zone.
How do I assign packets? I tried setting the default zone to "block" to reject these ports' packets, but it works as before.
On Tue, Jun 29, 2021 at 12:52:42PM -0000, DragonBillow Zhang wrote:
> On Tue, Jun 29, 2021 at 06:01:36AM -0000, DragonBillow Zhang wrote:
> > What do you mean by "set it's zone as home"? Do you mean you set the default zone to home? If so, that's why. All packets not assigned to a zone fall to the default zone.
> The default zone of firewalld is public, but the active zone is home. The commands show:
> # firewall-cmd --get-default-zone
> public
> # firewall-cmd --get-active-zones
> docker
>   interfaces: br-06ed83c1b88d br-09ee97155bb0 br-828f7b8ffdb4 docker0
> home
>   interfaces: wlp2s0
> I'm now connected to the family WiFi, so I set its zone to "home".
> > All packets not assigned to a zone fall to the default zone.
> How do I assign packets? I tried setting the default zone to "block" to reject these ports' packets, but it works as before.
By assigning an interface/source to the zone.
How are you exposing ports to the docker containers? via docker? These are Destination Network Address Translation (DNAT) and get added to the PREROUTING nat chains with no scoping to ingress interface or source addresses.
I think you should be able to use a firewalld policy (v0.9.0+) to restrict the port forwarding. The above mentioned DNAT will still occur, but the policy will block the traffic later on in the pipeline.
This example blocks all traffic to the docker containers except that from the 192.168.0.0/16 network. This is just an example. Change the address to whatever you need.
```
# firewall-cmd --permanent --new-policy worldToDocker
# firewall-cmd --permanent --policy worldToDocker --add-ingress-zone ANY
# firewall-cmd --permanent --policy worldToDocker --add-egress-zone docker
# firewall-cmd --permanent --policy worldToDocker --add-rich-rule='rule family=ipv4 source not address=192.168.0.0/16 drop'
# firewall-cmd --reload
```
I'm sorry for replying so late. The last email was rejected :(, so I had to rewrite the mail.
I have made a policy as follows:
```
# firewall-cmd --permanent --new-policy worldToDocker
# firewall-cmd --permanent --policy worldToDocker --add-ingress-zone ANY
# firewall-cmd --permanent --policy worldToDocker --add-egress-zone docker
# firewall-cmd --permanent --policy worldToDocker --add-rich-rule='rule family=ipv4 source not address=127.0.0.1 reject'
# firewall-cmd --permanent --policy worldToDocker --add-rich-rule='rule family=ipv6 source not address=[::1] reject'
# firewall-cmd --reload
```
In this policy, I guess all packets not coming from 127.0.0.1 will be rejected. But it doesn't seem to work for me.
It seems impossible to manage docker's packets with firewalld, after searching PREROUTING a lot.
I tried setting zone "docker" to "reject", which works a little; it means all web ports opened by docker can be accessed but can't work normally.
Although docker has integration with firewalld (https://docs.docker.com/network/iptables/#integration-with-firewalld), docker just plays with iptables.
I gave podman a try, but it seems... :(
Anyway, I'd appreciate your help. :)
On Wed, Jun 30, 2021 at 10:58:03AM -0000, DragonBillow Zhang wrote:
> I'm sorry for replying so late. The last email was rejected :(, so I had to rewrite the mail.
> I have made a policy as follows:
> # firewall-cmd --permanent --new-policy worldToDocker
> # firewall-cmd --permanent --policy worldToDocker --add-ingress-zone ANY
> # firewall-cmd --permanent --policy worldToDocker --add-egress-zone docker
> # firewall-cmd --permanent --policy worldToDocker --add-rich-rule='rule family=ipv4 source not address=127.0.0.1 reject'
> # firewall-cmd --permanent --policy worldToDocker --add-rich-rule='rule family=ipv6 source not address=[::1] reject'
> # firewall-cmd --reload
> In this policy, I guess all packets not coming from 127.0.0.1 will be rejected. But it doesn't seem to work for me.
Correct. However, using a loopback 127.0.0.1 doesn't make any sense here. The above policy applies to forwarded packets. Packets to 127.0.0.1 will never be forwarded.
> It seems impossible to manage docker's packets with firewalld, after searching PREROUTING a lot.
> I tried setting zone "docker" to "reject", which works a little; it means all web ports opened by docker can be accessed but can't work normally.
Are you trying to filter traffic destined to a container?
Or, are you trying to filter traffic originating from a container?
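The zone and policy behaviour discussed above (a packet only falls to the default zone when its interface or source is bound to no zone; Docker's DNAT turns the connection into forwarded traffic that a policy with egress zone docker can filter; an exemption for 127.0.0.1 never matches a forwarded packet), modelled as a small Python simulation. This is an added illustration, not firewalld's or Docker's code: the zone and interface names are the ones from this thread, the peer addresses 192.168.1.20 and 203.0.113.5 are constructed, and cockpit is assumed to listen on port 9090.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of firewalld's zone dispatch and policy evaluation (an illustration,
# not firewalld's code). Zone/interface names are from the thread; peer addresses are made up.

@dataclass
class Zone:
    name: str
    target: str = "default"                      # "default": unopened traffic is rejected
    interfaces: set = field(default_factory=set)
    sources: list = field(default_factory=list)  # CIDR source bindings
    ports: set = field(default_factory=set)      # ports opened in the zone

@dataclass
class Policy:  # --add-ingress-zone/--add-egress-zone plus 'source not address=ALLOWED drop'
    name: str
    ingress: str   # zone name or "ANY"
    egress: str
    allowed: str   # the CIDR the rich rule exempts from the drop

@dataclass
class Packet:
    in_iface: str
    src: str
    dport: int
    out_iface: Optional[str] = None  # set once Docker's DNAT forwards the packet to a container

class Firewall:
    def __init__(self, zones, default_zone, policies=()):
        self.zones = {z.name: z for z in zones}
        self.default_zone = default_zone
        self.policies = list(policies)

    def zone_by_iface(self, iface):
        for z in self.zones.values():
            if iface in z.interfaces:
                return z
        return self.zones[self.default_zone]  # only unbound interfaces fall through to here

    def ingress_zone(self, pkt):
        """Source bindings win over interface bindings; the default zone catches the rest."""
        addr = ipaddress.ip_address(pkt.src)
        for z in self.zones.values():
            if any(addr in ipaddress.ip_network(s, strict=False) for s in z.sources):
                return z
        return self.zone_by_iface(pkt.in_iface)

    def verdict(self, pkt):
        ingress = self.ingress_zone(pkt)
        if pkt.out_iface is None:  # INPUT path: addressed to the host itself (e.g. cockpit)
            if ingress.target == "ACCEPT" or pkt.dport in ingress.ports:
                return "ACCEPT"
            return "DROP" if ingress.target == "DROP" else "REJECT"
        # FORWARD path: DNAT already rewrote the destination, so the packet leaves on a docker
        # bridge; the ingress zone's opened ports play no part in this decision.
        egress = self.zone_by_iface(pkt.out_iface)
        addr = ipaddress.ip_address(pkt.src)
        for p in self.policies:
            if p.ingress in ("ANY", ingress.name) and p.egress in ("ANY", egress.name):
                if addr not in ipaddress.ip_network(p.allowed, strict=False):
                    return "DROP"  # the policy's rich rule fires after DNAT
        return "ACCEPT" if egress.target == "ACCEPT" else "REJECT"

def thread_firewall(default_zone="public", policy_allowed=None, home_ports=()):
    """Zones as listed by the thread's `firewall-cmd --get-active-zones` output."""
    zones = [
        Zone("public"),
        Zone("block", target="REJECT"),
        Zone("home", interfaces={"wlp2s0"}, ports=set(home_ports)),
        Zone("docker", target="ACCEPT",  # Docker's firewalld integration creates this zone with target ACCEPT
             interfaces={"docker0", "br-06ed83c1b88d", "br-09ee97155bb0", "br-828f7b8ffdb4"}),
    ]
    policies = [Policy("worldToDocker", "ANY", "docker", policy_allowed)] if policy_allowed else []
    return Firewall(zones, default_zone, policies)

def scenarios():
    lan = "192.168.1.20"      # constructed peer on the home network
    outsider = "203.0.113.5"  # constructed peer outside 192.168.0.0/16
    fwd = dict(in_iface="wlp2s0", dport=9000, out_iface="docker0")  # DNAT'ed to a container
    r = {}
    # No policy: any source reaches the container, because the docker zone's target is ACCEPT.
    r["no_policy_outsider"] = thread_firewall().verdict(Packet(src=outsider, **fwd))
    # Making block the default zone changes nothing: wlp2s0 is bound to home, nothing falls through.
    r["default_block"] = thread_firewall(default_zone="block").verdict(Packet(src=outsider, **fwd))
    # The policy from the thread limits forwarded traffic to 192.168.0.0/16.
    allow_lan = thread_firewall(policy_allowed="192.168.0.0/16")
    r["policy_lan"] = allow_lan.verdict(Packet(src=lan, **fwd))
    r["policy_outsider"] = allow_lan.verdict(Packet(src=outsider, **fwd))
    # Exempting 127.0.0.1 exempts nothing: a forwarded packet never carries a loopback source.
    r["loopback_policy_lan"] = thread_firewall(policy_allowed="127.0.0.1").verdict(Packet(src=lan, **fwd))
    # A host service (cockpit, port 9090 assumed) is reachable only once opened in the ingress zone.
    r["cockpit_closed"] = thread_firewall().verdict(Packet("wlp2s0", lan, 9090))
    r["cockpit_open"] = thread_firewall(home_ports=[9090]).verdict(Packet("wlp2s0", lan, 9090))
    return r
```

Calling `scenarios()` returns one verdict per case. The two results worth comparing are `default_block` (still ACCEPT, because the bound interface never reaches the default zone) and `loopback_policy_lan` (DROP even for the LAN peer, because the only exempted source can never appear on a forwarded packet); the real `worldToDocker` policy with a LAN CIDR is the case that separates `policy_lan` from `policy_outsider`.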
> On Wed, Jun 30, 2021 at 10:58:03AM -0000, DragonBillow Zhang wrote:
> Correct. However, using a loopback 127.0.0.1 doesn't make any sense here. The above policy applies to forwarded packets. Packets to 127.0.0.1 will never be forwarded.
> Are you trying to filter traffic destined to a container?
> Or, are you trying to filter traffic originating from a container?
No, I'm not familiar with iptables, so I don't know how to set it up. What puzzles me most is that firewalld uses nft as its backend, so why is iptables involved? And firewall-cmd --direct is also titled with "These options require user to know basic iptables concepts". iptables should be disabled already on my desktop.
On Wed, Jun 30, 2021 at 12:44:29PM -0000, DragonBillow Zhang wrote:
> > On Wed, Jun 30, 2021 at 10:58:03AM -0000, DragonBillow Zhang wrote:
> > Correct. However, using a loopback 127.0.0.1 doesn't make any sense here. The above policy applies to forwarded packets. Packets to 127.0.0.1 will never be forwarded.
> > Are you trying to filter traffic destined to a container?
> > Or, are you trying to filter traffic originating from a container?
> No, I'm not familiar with iptables, so I don't know how to set it up. What puzzles me most is that firewalld uses nft as its backend, so why is iptables involved?
Docker and Podman still use iptables.
> And firewall-cmd --direct is also titled with "These options require user to know basic iptables concepts". iptables should be disabled already on my desktop.
Unlikely. Almost all distributions have iptables enabled.
firewalld-users@lists.fedorahosted.org