Apologies if this has already been asked (I couldn't see anything in the archives). I'm a bit new to firewalld and I'm trying to convert some of my machines to use the new model. I've not found any technical problems yet but I'm struggling to get a configuration that's tidy and maintainable.
I do have a couple of questions though...
Is there a reason why overlapping zones are unsupported? E.g. what I'd quite like to be able to do is to use zones to represent groups of services (so zone1 might be "machines that need SSH access", and zone2 might be "machines that need mysql and postgresql access", and some machines might be in one or both zones). Once you get beyond a couple of combinations of services it ends up being a mess of rich rules that I'd quite like to avoid.
What would be really nice is a way to specify that once processing a zone is complete, another matching zone might be able to process the connection (e.g. to have the entry in the INPUT_ZONES_SOURCE chain designated with "-j" instead of "-g").
At the moment, the zones appear to be processed in sort order (zone "A" is processed before zone "B" etc) - is that a documented behavior (I can't see anything that says that it is) or is this something that may change in the future?
Thanks!
Steve.
Hello Steve
On 11/09/2015 06:16 PM, Bennett, Steve wrote:
> Apologies if this has already been asked (I couldn't see anything in the archives). I'm a bit new to firewalld and I'm trying to convert some of my machines to use the new model. I've not found any technical problems yet but I'm struggling to get a configuration that's tidy and maintainable.
> I do have a couple of questions though...
> Is there a reason why overlapping zones are unsupported? E.g. what I'd quite like to be able to do is to use zones to represent groups of services (so zone1 might be "machines that need SSH access", and zone2 might be "machines that need mysql and postgresql access", and some machines might be in one or both zones). Once you get beyond a couple of combinations of services it ends up being a mess of rich rules that I'd quite like to avoid.
There are no overlapping zones to make zones and their behavior predictable. The use of more than one zone per connection/interface/source could get unpredictable and complex, if for example NAT is used in one or more zones with masquerading or port forwarding.
I am working on IPset support for firewalld right now. IPsets can be used in a zone to allow access to services within rich rules for example or also to bind zones to. Maybe this might help you?
Creating a group of services that could easily be enabled or disabled is not supported by firewalld.
> What would be really nice is a way to specify that once processing a zone is complete, another matching zone might be able to process the connection (e.g. to have the entry in the INPUT_ZONES_SOURCE chain designated with "-j" instead of "-g").
> At the moment, the zones appear to be processed in sort order (zone "A" is processed before zone "B" etc) - is that a documented behavior (I can't see anything that says that it is) or is this something that may change in the future?
Zones are generated as soon as they are used. This is then the order of the processing of the zones. But as there is no overlap between zones normally, the order of the zones should not have a big impact on processing within the firewall.
> Thanks!
> Steve.
Regards, Thomas
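One way to get the service-group layout Steve describes without overlapping zones, using the ipset support Thomas mentions: one ipset per service group, rich rules in a single zone, and a host listed in as many ipsets as it needs. This is an added example, not code from the thread or from the firewalld project; the zone name "public", the group names and the addresses are constructed assumptions, and it assumes the zone does not also open those services to everyone via --add-service.

```python
# Added example: model "groups of machines that may use a set of services"
# as firewalld ipsets plus rich rules in one zone. Group names, zone name
# and addresses below are constructed sample data, not from the thread.
from typing import Dict, List, Set

# One ipset per service group (constructed sample data).
SERVICE_GROUPS: Dict[str, List[str]] = {
    "ssh-hosts": ["ssh"],
    "db-hosts": ["mysql", "postgresql"],
}
# Hosts may belong to several groups (constructed sample data).
HOSTS: Dict[str, List[str]] = {
    "10.0.0.5": ["ssh-hosts"],
    "10.0.0.6": ["ssh-hosts", "db-hosts"],
    "10.0.1.0/24": ["db-hosts"],
}

def rich_rule(ipset: str, service: str) -> str:
    """Rich rule that accepts one service only from members of an ipset."""
    return f'rule family="ipv4" source ipset="{ipset}" service name="{service}" accept'

def build_firewall_cmds(groups: Dict[str, List[str]],
                        hosts: Dict[str, List[str]],
                        zone: str = "public") -> List[str]:
    """Return the firewall-cmd --permanent invocations for the mapping."""
    cmds: List[str] = []
    for ipset, services in groups.items():
        # hash:net accepts both single addresses and CIDR ranges.
        cmds.append(f"firewall-cmd --permanent --new-ipset={ipset} --type=hash:net")
        for svc in services:
            cmds.append(f"firewall-cmd --permanent --zone={zone} "
                        f"--add-rich-rule='{rich_rule(ipset, svc)}'")
    for addr, members in hosts.items():
        for ipset in members:
            if ipset not in groups:  # catch typos before touching the firewall
                raise ValueError(f"{addr}: unknown group {ipset}")
            cmds.append(f"firewall-cmd --permanent --ipset={ipset} --add-entry={addr}")
    cmds.append("firewall-cmd --reload")
    return cmds

def allowed_services(addr: str, groups: Dict[str, List[str]],
                     hosts: Dict[str, List[str]]) -> Set[str]:
    """Effective services a host is allowed: the union over all its groups."""
    return {s for g in hosts.get(addr, []) for s in groups[g]}

if __name__ == "__main__":
    print("\n".join(build_firewall_cmds(SERVICE_GROUPS, HOSTS)))
```

Because rich rules are evaluated per ipset rather than per zone, the order in which zones are generated (Thomas's point above) never affects which services a given host receives.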
firewalld-users@lists.stg.fedorahosted.org