We have a customized hack of an old firewall-2.4-stronger script we've
been using and hacking more features into for years, and I'd still be
using it if Fedora hadn't moved to systemd. I can't seem to get it to
run /after/ the interfaces are all up so it can determine their IPs as
assigned by dhclient. And dhclient won't run the script with its
up-hooks, either. Maybe there's a way to get that to work, but if I'm
going to be reworking this anyway, I thought I may as well move to The
New Firewall System.

And now I can't figure out how to do all our little tricks in FirewallD.
Maybe I'm missing something, maybe it's just not documented, or maybe
it just doesn't work that way. Hopefully you can tell me if there's a
way to do all these things or I should go back to the
systemd/dhclient/iptables puzzle.

There are four interfaces. They used to be eth0-eth3, but
NetworkManager has new names for them now. I'll just call them by their
meanings/zones: External, Internal, DMZ, and Printers.
- No traffic of any sort is allowed between Internal and DMZ or between
Printers and External.
- Internal and DMZ can both print to and receive status replies from
Printers and access the internet through External.
- There is a long list of Internal->External exceptions, blocked IPs
that cannot be accessed by some or all Internal IPs, mostly social media
sites that are not work-related. This is predominantly http, but the
destination and source addresses are the more relevant part.
- DMZ->External doesn't discriminate against IPs, but cannot make any
outgoing connections on port 25 or any of a list of known file sharing
service ports, and other ports may need to be shut down from time to time.
- It would be nice if things like outgoing passive-mode FTP could be
toggled for DMZ, but that's an enhancement, not a requirement.
- Many specific External incoming ports are forwarded to various
Internal addresses. Often on different ports than they came in on.
Sometimes PPTP and incoming FTP, both passive and active, are required.
- ICMP, portscan, and syn-flood limiting on all interfaces with
different limits.

So... can FirewallD do all that, or something functionally equivalent?
If so, how? If not, will it be able to in the near future?
--
-Dave Noelle, dave(a)Straylight.org
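How the zone layout above maps onto firewalld, as an added example rather than anything from Dave's post: it assumes firewalld 0.9 or later (policies, which stand in for hand-written FORWARD rules), placeholder interface names, subnets, blocked addresses and forward targets, and prints the commands instead of applying them when DRY_RUN=1 so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the original post: the zone layout above as firewall-cmd calls,
# using firewalld policies (0.9+). Interface names, subnets, blocked addresses and forwards
# are placeholders to replace. DRY_RUN=1 prints the commands instead of applying them.
set -eu
EXT_IF=${EXT_IF:-ens3}; INT_IF=${INT_IF:-ens4}; DMZ_IF=${DMZ_IF:-ens5}; PRN_IF=${PRN_IF:-ens6}
INT_NET=${INT_NET:-192.168.10.0/24}
BLOCKED_DSTS="203.0.113.10 203.0.113.11"   # placeholder non-work sites blocked for Internal
DMZ_BLOCKED_PORTS="25 6881 6889"           # SMTP plus placeholder file-sharing ports
FORWARDS="2222:tcp:22:192.168.10.20 8080:tcp:80:192.168.10.30"  # ext_port:proto:to_port:to_host
fw() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "firewall-cmd --permanent $*"; else firewall-cmd --permanent "$@"; fi; }

# One policy per allowed direction. Zone pairs without a policy stay blocked, which covers
# Internal<->DMZ and Printers<->External; replies (printer status etc.) ride on conntrack.
policy() {  # name ingress-zone egress-zone target
    fw --new-policy="$1"
    fw --policy="$1" --add-ingress-zone="$2"
    fw --policy="$1" --add-egress-zone="$3"
    fw --policy="$1" --set-target="$4"
}

build_firewall() {
    fw --new-zone=printers                     # external, internal and dmz are built-in zones
    fw --zone=external --add-interface="$EXT_IF"
    fw --zone=internal --add-interface="$INT_IF"
    fw --zone=dmz --add-interface="$DMZ_IF"
    fw --zone=printers --add-interface="$PRN_IF"
    fw --zone=external --add-masquerade        # NAT for outbound and for the forwards below
    policy int-to-ext internal external ACCEPT
    for d in $BLOCKED_DSTS; do                 # narrow source address= to single hosts where needed
        fw --policy=int-to-ext --add-rich-rule="$(printf 'rule family="ipv4" source address="%s" destination address="%s" reject' "$INT_NET" "$d")"
    done
    policy dmz-to-ext dmz external ACCEPT
    for p in $DMZ_BLOCKED_PORTS; do            # add or remove ports here as they need shutting down
        fw --policy=dmz-to-ext --add-rich-rule="$(printf 'rule family="ipv4" port port="%s" protocol="tcp" reject' "$p")"
    done
    policy int-to-prn internal printers ACCEPT
    policy dmz-to-prn dmz printers ACCEPT
    for f in $FORWARDS; do                     # incoming External ports to Internal hosts; port may differ
        set -- $(printf '%s' "$f" | tr : ' ')
        fw --zone=external --add-forward-port="port=$1:proto=$2:toport=$3:toaddr=$4"
    done
    # Per-zone ICMP limits via rich rules; SYN-flood limiting via direct (iptables) rules
    fw --zone=external --add-rich-rule='rule protocol value="icmp" accept limit value="5/s"'
    fw --zone=internal --add-rich-rule='rule protocol value="icmp" accept limit value="50/s"'
    fw --direct --add-rule ipv4 filter INPUT 0 -i "$EXT_IF" -p tcp --syn -m limit --limit 25/s --limit-burst 50 -j ACCEPT
    fw --direct --add-rule ipv4 filter INPUT 1 -i "$EXT_IF" -p tcp --syn -j DROP
    [ "${DRY_RUN:-0}" = 1 ] || firewall-cmd --reload
}
```

Because zones are bound to interfaces rather than to addresses, the interface parts no longer depend on dhclient having assigned an IP before the rules load; only the per-host blocklist entries still need the Internal addresses.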