I am trying to recreate an existing firewall configuration created in Firewall Builder using Firewalld. It runs on a router that controls traffic in and out of our company network. The existing configuration has rules that permit traffic to be relayed out on specified ports for specified addresses on the internal network. For example: a list of addresses is allowed to get out on ports 80 and 443 for http and https traffic; any other internal machines are denied. I currently have the external interface in the external zone, and the internal interface in the public zone, with the following configuration:

external (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: ens2f1
  sources:
  services:
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

public (active)
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: ens2f0
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
I have found examples of direct interface rules for allowing traffic out, but is there any other way (rich rule or something else I'm overlooking) to unblock traffic like the log excerpt below? As far as I can tell a rich rule with an element of service and an action of accept only allows traffic to the router, not passing through the router.

kernel: [21251.995383] FWDI_public_REJECT: IN=ens2f0 OUT=ens2f1 MAC=00:1e:67:7c:95:6c:f8:16:54:37:3a:e3:08:00 SRC=192.168.10.195 DST=xx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=35016 DF PROTO=TCP SPT=45504 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
On Thu, Jun 07, 2018 at 04:38:16PM -0500, Michael Crider - HOEC wrote:
> I am trying to recreate an existing firewall configuration created in Firewall Builder using Firewalld. It runs on a router that controls traffic in and out of our company network. The existing configuration has rules that permit traffic to be relayed out on specified ports for specified addresses on the internal network. For example: a list of addresses are allowed to get out on ports 80 and 443 for http and https traffic, any other internal machines are denied. I currently have the external interface in the external zone, and the internal interface in the public zone, with the following configuration:
>
> external (active)
>   target: DROP
>   icmp-block-inversion: no
>   interfaces: ens2f1
>   sources:
>   services:
>   ports:
>   protocols:
>   masquerade: yes
>   forward-ports:
>   source-ports:
>   icmp-blocks:
>   rich rules:
>
> public (active)
>   target: %%REJECT%%
>   icmp-block-inversion: no
>   interfaces: ens2f0
>   sources:
>   services:
>   ports:
>   protocols:
>   masquerade: no
>   forward-ports:
>   source-ports:
>   icmp-blocks:
>   rich rules:
>
> I have found examples of direct interface rules for allowing traffic out, but is there any other way (rich rule or something else I'm overlooking) to unblock traffic like the log excerpt below? As far as I can tell a rich rule with an element of service and an action of accept only allows traffic to the router, not passing through the router.
No. Currently, firewalld is more of an end-station firewall. There are RFEs to implement OUTPUT [0] and FORWARD [1] filtering. I suspect these will be implemented via rich rules.
Right now the only option is to use direct rules.
[0] https://github.com/firewalld/firewalld/issues/32
[1] https://github.com/firewalld/firewalld/issues/2
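The direct-rule approach Eric points to, worked through for the policy in the question, as an added example that is not code from the thread or from the firewalld project: a listed set of internal hosts may be forwarded from ens2f0 to ens2f1 on TCP 80/443 and every other forwarded flow in that direction is rejected. The interface names are the thread's; the allowed-host list is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the firewalld direct rules
# for an egress allow-list on a router. Direct rules land in FORWARD_direct,
# which firewalld jumps to before the zone chains, so they match before the
# FWDI_public_REJECT chain seen in the kernel log. Lower priority numbers are
# placed first, so the per-host ACCEPTs (0) precede the catch-all REJECT (1).
# Reply packets never get here: FORWARD accepts RELATED,ESTABLISHED first.
IN_IF="ens2f0"      # internal interface (public zone in the thread)
OUT_IF="ens2f1"     # external interface (external zone, masquerade: yes)
ALLOWED_HOSTS="192.168.10.195 192.168.10.196"   # constructed host list

# Emit one firewall-cmd invocation per line.
gen_rules() {
    for h in $ALLOWED_HOSTS; do
        printf 'firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i %s -o %s -s %s -p tcp -m multiport --dports 80,443 -j ACCEPT\n' \
            "$IN_IF" "$OUT_IF" "$h"
    done
    # Explicit deny for anything else crossing internal -> external, so the
    # policy does not depend on the public zone's %%REJECT%% target.
    printf 'firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 -i %s -o %s -j REJECT --reject-with icmp-host-prohibited\n' \
        "$IN_IF" "$OUT_IF"
}

# Print the rules by default; run them (as root, with firewalld running) when
# APPLY=1 is set, then reload so the permanent rules become active.
main() {
    if [ "${APPLY:-0}" = "1" ]; then
        gen_rules | while IFS= read -r cmd; do eval "$cmd"; done
        firewall-cmd --reload
    else
        gen_rules
    fi
}

main "$@"
```

Run it once without APPLY to review the generated rules, then `firewall-cmd --direct --get-all-rules` after applying confirms what is loaded.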
That's sad (I can't find a good synonym, sorry)
Firewalld can't compete with shorewall, but shw is disappearing from a lot of major Linux distributions...
Shw is a much better tool; I can't understand which program may replace it...
On Fri, Jun 08, 2018 at 10:47:52PM +0200, Jérôme Avond wrote:
> That's sad (I can't find a good synonym, sorry)
> Firewalld can't compete with shorewall, but shw is disappearing from a lot of major Linux distributions...
> Shw is a much better tool; I can't understand which program may replace it...
Pull Requests are usually accepted upstream. :)
https://github.com/firewalld/firewalld/pulls
-- Jérôme Avond - aka jadjay
Agitator at Alolise since April 2005 ... and president since 2014
mail/xmpp : jerome.avond@alolise.org mobile : 0661469785
Alolise is a member of the C.H.A.T.O.N.S collective
Sent from my Android device with K-9 Mail. Please excuse my brevity.
_______________________________________________
firewalld-users mailing list -- firewalld-users@lists.fedorahosted.org
To unsubscribe send an email to firewalld-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/firewalld-users@lists.fedoraho...