I'm confused about services enabled in a zone because the docs suggest that it allows that service on destinations in the zone to be accessed from sources outside the zone, but then I've seen some places on blogs and forums that suggest that the enabled services for the zone affect outbound connections from sources in the zone. Is it controlling inbound, outbound, or both?
I have an http server in zone1, and I want to allow any source in zone2 to connect to it (but not vice versa). How do I do that? I tried setting a "rich rule" for zone1, but I couldn't figure out how to use zone2 as the source in a rule. Is that not possible?
Thanks! Eric
On Mon, Mar 04, 2019 at 10:44:19PM -0000, Eric Smith wrote:
> I'm confused about services enabled in a zone because the docs suggest that it allows that service on destinations in the zone to be accessed from sources outside the zone, but then I've seen some places on blogs and forums that suggest that the enabled services for the zone affect outbound connections from sources in the zone. Is it controlling inbound, outbound, or both?
Inbound. Firewalld does not have native support for OUTPUT filtering.
> I have an http server in zone1, and I want to allow any source in zone2 to connect to it (but not vice versa). How do I do that? I tried setting a "rich rule" for zone1, but I couldn't figure out how to use zone2 as the source in a rule. Is that not possible?
What you're describing is forward filtering, which firewalld doesn't support.
If zone2 has an "accept" policy (see --set-target, or trusted zone), then it will allow forwarding from zone2 --> zone1. Otherwise the forwarded traffic will be blocked.
Warning: Using an "accept" policy also means all connections from that zone to the _host_ are accepted.
Your other alternative is to use --direct rules.
On Tue, Mar 05, 2019 at 08:27:47AM -0500, Eric Garver wrote:
> On Mon, Mar 04, 2019 at 10:44:19PM -0000, Eric Smith wrote:
> > I'm confused about services enabled in a zone because the docs suggest that it allows that service on destinations in the zone to be accessed from sources outside the zone, but then I've seen some places on blogs and forums that suggest that the enabled services for the zone affect outbound connections from sources in the zone. Is it controlling inbound, outbound, or both?
> Inbound. Firewalld does not have native support for OUTPUT filtering.
> > I have an http server in zone1, and I want to allow any source in zone2 to connect to it (but not vice versa). How do I do that? I tried setting a "rich rule" for zone1, but I couldn't figure out how to use zone2 as the source in a rule. Is that not possible?
> What you're describing is forward filtering, which firewalld doesn't support.
> If zone2 has an "accept" policy (see --set-target, or trusted zone), then it will allow forwarding from zone2 --> zone1. Otherwise the forwarded traffic will be blocked.
I wanted to clarify further, as it's more complex than what I let on.
It's more like this:
1) At ingress/input zone (zone2 in your case)
   - if zone has a reject/drop policy, then packet is discarded
   - if zone has an accept policy, then packet is accepted
   - if zone has a default policy, goto step 2
2) At egress/output zone (zone1 in your case)
   - if zone has a reject/drop policy, then packet is discarded
   - if zone has an accept policy, then packet is accepted/forwarded
   - if zone has a default policy, then packet is discarded
So you have three options (in order of simplicity, but _NOT_ security):
1) give zone2 an accept policy
2) give zone2 a default policy, and zone1 an accept policy
3) use --direct rules to accept the forward traffic
FWIW, we realize this is far from ideal. There are plans for forward and output filtering, but it's a long ways off.
> Warning: Using an "accept" policy also means all connections from that zone to the _host_ are accepted.
> Your other alternative is to use --direct rules.
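Option 3 from the reply above (--direct rules), worked through as an added example; this is not code from the thread or from the firewalld project. It assumes a hypothetical router running firewalld with eth1 bound to zone2 (where the clients are) and eth0 bound to zone1 (where the HTTP server sits), both zones left at the "default" target. The script only prints the firewall-cmd invocations so they can be reviewed first; pipe its output into sh as root to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): allow hosts in zone2 to reach an HTTP
# server behind zone1 via firewalld --direct rules, while zone1 -> zone2 stays
# blocked and neither zone gets an ACCEPT target.
# Hypothetical topology: this box routes between eth1 (zone2, clients) and
# eth0 (zone1, HTTP server side). Override with IN_IF / OUT_IF / PORT.
set -eu

IN_IF="${IN_IF:-eth1}"    # interface in zone2 (where connections originate)
OUT_IF="${OUT_IF:-eth0}"  # interface in zone1 (where the HTTP server sits)
PORT="${PORT:-80}"

# Zone setup. Both zones keep the "default" target, so per the reply above a
# forwarded packet is discarded at the egress zone unless something earlier in
# the FORWARD path accepts it. Services added to a zone only affect traffic
# addressed to this host, so no --add-service is needed for forwarding.
zone_setup() {
    cat <<EOF
firewall-cmd --permanent --new-zone=zone1
firewall-cmd --permanent --new-zone=zone2
firewall-cmd --permanent --zone=zone1 --change-interface=$OUT_IF
firewall-cmd --permanent --zone=zone2 --change-interface=$IN_IF
EOF
}

# Direct rules go into FORWARD_direct, which firewalld consults before the
# per-zone FORWARD chains, so the zone targets never see this traffic.
# Only NEW connections from IN_IF to OUT_IF on the HTTP port are accepted;
# the second rule lets replies back (explicit here, and harmless if the base
# FORWARD chain already accepts ESTABLISHED/RELATED). Nothing accepts NEW
# connections in the OUT_IF -> IN_IF direction, so zone1 -> zone2 stays blocked.
direct_forward_rules() {
    cat <<EOF
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD_direct 0 -i $IN_IF -o $OUT_IF -p tcp --dport $PORT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD_direct 0 -i $OUT_IF -o $IN_IF -p tcp --sport $PORT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
firewall-cmd --reload
EOF
}

# Commands to run afterwards: confirm the direct rules landed, and confirm
# neither zone was switched to ACCEPT (which, as warned above, would also
# accept every connection from that zone to the host itself).
verify_commands() {
    cat <<EOF
firewall-cmd --direct --get-all-rules
firewall-cmd --permanent --zone=zone1 --get-target
firewall-cmd --permanent --zone=zone2 --get-target
EOF
}

case "${1:-}" in
    setup)  zone_setup ;;
    rules)  direct_forward_rules ;;
    verify) verify_commands ;;
    all)    zone_setup; direct_forward_rules; verify_commands ;;
    *)      printf 'usage: %s setup|rules|verify|all   (review, then pipe into sh as root)\n' "$0" >&2 ;;
esac
```

Two caveats for anyone applying this: the kernel must have net.ipv4.ip_forward=1 (firewalld only switches it on for you when you configure masquerading or port forwarding on a zone), and the --sport/--dport matches assume a plain TCP service on one port; a service that opens secondary connections needs its conntrack helper or further rules.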
Thanks for the detailed clarifications. This helps a lot!
The firewalld paradigm is different than I'm used to, but that's not necessarily a bad thing as long as I understand what it's doing.
Per your suggestion, I may use --direct rules for now. I certainly look forward to the future enhancements.
Best regards, Eric
firewalld-users@lists.fedorahosted.org