Hi

We are looking at firewalld just now for deployment in our environment.

One situation we have is that the Ethernet wired interface is set to simply DHCP. This is used by users on our network and on public networks. Obviously we'd like to allow more ports open on our network than on a public network. Our network would be zone "internal" and, if not on our network, zone "public", I'd guess.

The option of setting up two different wired setups won't work as users cannot be relied on to switch to a public setting when off the internal network.

Is there any way we can get firewalld to detect which type of network it's on? This is probably analogous, I guess, to the way the Windows firewall has a "Domain networks" zone (which it auto-detects). Or a way we can give firewalld a helper script that can tell it which network it's on. Or something else we haven't thought of...

At the moment we tackle this using a custom NM dispatcher script that detects our internal network (by doing operations against internal KDCs) and loading the correct firewall into iptables based on this test. So maybe this is the way, if firewalld is happy to allow us: can we or should we force a zone from a dispatcher.d NM script to switch to the correct zone?

A similar issue is we have a commercial VPN solution that doesn't work through NetworkManager; can we force a change to the zone (it can be made to execute a script on connection) when the VPN comes up (the VPN changes routing so all traffic goes via the VPN interface)?

How do others tackle this?

Thanks
Colin
________________________________
This email and any files transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If you are not the original recipient or the person responsible for delivering the email to the intended recipient, be advised that you have received this email in error, and that any use, dissemination, forwarding, printing, or copying of this email is strictly prohibited. If you received this email in error, please immediately notify the sender and delete the original.
Hello,

On 02/22/2013 07:42 PM, Colin Simpson wrote:
> Hi
> We are looking at firewalld just now for deployment in our environment.
> One situation we have is that the Ethernet wired interface is set to simply DHCP. This is used by users on our network and on public networks. Obviously we'd like to allow more ports open on our network than on a public network. Our network would be zone "internal" and, if not on our network, zone "public", I'd guess.
> The option of setting up two different wired setups won't work as users cannot be relied on to switch to a public setting when off the internal network.
> Is there any way we can get firewalld to detect which type of network it's on? This is probably analogous, I guess, to the way the Windows firewall has a "Domain networks" zone (which it auto-detects). Or a way we can give firewalld a helper script that can tell it which network it's on. Or something else we haven't thought of...

No, this is currently not possible. The zone that is used is set in the ifcfg file or NM configuration. I already talked to Dan Williams about this. I have added him as CC.

> At the moment we tackle this using a custom NM dispatcher script that detects our internal network (by doing operations against internal KDCs) and loading the correct firewall into iptables based on this test. So maybe this is the way, if firewalld is happy to allow us: can we or should we force a zone from a dispatcher.d NM script to switch to the correct zone?

I did not try to do that yet. It should be possible to force a zone also in a dispatcher script with the firewall-cmd command line tool, for example:

    firewall-cmd --zone=<zone> --change-interface=<interface>

> A similar issue is we have a commercial VPN solution that doesn't work through NetworkManager; can we force a change to the zone (it can be made to execute a script on connection) when the VPN comes up (the VPN changes routing so all traffic goes via the VPN interface)?

See command line above.

> How do others tackle this?

I do not know, there are no more requests or questions like this up to now.

> Thanks
> Colin

Thanks,
Thomas
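An added example, not code from this thread, of the dispatcher-script approach discussed above: a NetworkManager dispatcher.d script that probes an internal KDC and moves the interface into a zone with the firewall-cmd command Thomas gives. The script path, the KDC_HOST placeholder, the plain TCP probe on port 88 and the function names are my assumptions; Colin's own script checks the KDC in a way the post does not specify.

```shell
#!/bin/bash
# Hypothetical path: /etc/NetworkManager/dispatcher.d/90-firewalld-zone
# NetworkManager invokes dispatcher scripts as: <script> <interface> <action>
# where action is e.g. "up", "down" or "dhcp4-change".

KDC_HOST="${KDC_HOST:-kdc.internal.example}"   # placeholder, not a real host
INTERNAL_ZONE="internal"
PUBLIC_ZONE="public"

# probe_kdc HOST: exit 0 if a TCP connection to HOST:88 (Kerberos) opens
# within 3 seconds. Uses bash's /dev/tcp; nothing is sent on the socket.
probe_kdc() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/88" 2>/dev/null
}

# choose_zone ACTION PROBE_RC: print the zone to apply. Fail closed: only a
# confirmed probe on an interface coming up (or renewing DHCP) yields the
# internal zone; everything else, including "down" and a failed probe,
# yields the public zone.
choose_zone() {
    local action="$1" probe_rc="$2"
    case "$action" in
        up|dhcp4-change)
            if [ "$probe_rc" -eq 0 ]; then
                echo "$INTERNAL_ZONE"
            else
                echo "$PUBLIC_ZONE"
            fi ;;
        *)  echo "$PUBLIC_ZONE" ;;
    esac
}

# apply_zone IFACE ZONE: the command from the reply above. Without
# --permanent this is a runtime change only, which is what we want here:
# the next firewalld reload or reboot falls back to the configured zone.
apply_zone() {
    firewall-cmd --zone="$2" --change-interface="$1" >/dev/null &&
        logger -t firewalld-zone "interface $1 moved to zone $2"
}

# Run the dispatcher logic only when called by NetworkManager (two
# arguments), so the functions above can also be sourced and tested.
if [ $# -eq 2 ]; then
    probe_kdc "$KDC_HOST"
    rc=$?
    apply_zone "$1" "$(choose_zone "$2" "$rc")"
fi
```

An open port 88 is not proof of being on the corporate network, since any network the laptop joins could answer that probe; a production check should authenticate the KDC (for example a kinit with the host keytab) and keep "public" as the default whenever that fails.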
Thanks for getting back.

Interesting that no one has asked. I'd have thought this a pretty common scenario in a corporate setting: wired Ethernet purely set to DHCP (802.1X on wired Ethernet is far from widely deployed), so it could be on a secure or insecure network. I wonder if your SSSD/FreeIPA guys would have an opinion?

Thanks again
Colin

On Wed, 2013-03-06 at 15:12 +0100, Thomas Woerner wrote:
> Hello,
>
> On 02/22/2013 07:42 PM, Colin Simpson wrote:
> > Hi
> > We are looking at firewalld just now for deployment in our environment.
> > One situation we have is that the Ethernet wired interface is set to simply DHCP. This is used by users on our network and on public networks. Obviously we'd like to allow more ports open on our network than on a public network. Our network would be zone "internal" and, if not on our network, zone "public", I'd guess.
> > The option of setting up two different wired setups won't work as users cannot be relied on to switch to a public setting when off the internal network.
> > Is there any way we can get firewalld to detect which type of network it's on? This is probably analogous, I guess, to the way the Windows firewall has a "Domain networks" zone (which it auto-detects). Or a way we can give firewalld a helper script that can tell it which network it's on. Or something else we haven't thought of...
>
> No, this is currently not possible. The zone that is used is set in the ifcfg file or NM configuration. I already talked to Dan Williams about this. I have added him as CC.
>
> > At the moment we tackle this using a custom NM dispatcher script that detects our internal network (by doing operations against internal KDCs) and loading the correct firewall into iptables based on this test. So maybe this is the way, if firewalld is happy to allow us: can we or should we force a zone from a dispatcher.d NM script to switch to the correct zone?
>
> I did not try to do that yet. It should be possible to force a zone also in a dispatcher script with the firewall-cmd command line tool, for example:
>
>     firewall-cmd --zone=<zone> --change-interface=<interface>
>
> > A similar issue is we have a commercial VPN solution that doesn't work through NetworkManager; can we force a change to the zone (it can be made to execute a script on connection) when the VPN comes up (the VPN changes routing so all traffic goes via the VPN interface)?
>
> See command line above.
>
> > How do others tackle this?
>
> I do not know, there are no more requests or questions like this up to now.
>
> > Thanks
> > Colin
>
> Thanks,
> Thomas
firewalld-users mailing list firewalld-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/firewalld-users