Hi.
I have a little trouble with firewalld. I'm trying to open some ports for a monitoring server, but it's in the same network as the "home" zone:
Monitored host (192.168.111.60):
lukasz @ strategie 17:52:19 ~ $ -> sudo firewall-cmd --get-active
home
  sources: 192.168.111.0/24 (open ports 22, 80, 443)
monitoring
  sources: 192.168.111.19 (open ports: 5666)
public
  interfaces: ens18 (no open ports)
---------------------------------------------------
Monitoring host (192.168.111.19):
lukasz @ potemkin 17:57:25 ~ $ -> telnet strategie.ping.local 5666
Trying 192.168.111.60...
telnet: connect to address 192.168.111.60: No route to host

lukasz @ potemkin 17:57:26 ~ $ -> telnet strategie.ping.local 80
Trying 192.168.111.60...
Connected to strategie.ping.local.
Escape character is '^]'.
^]
telnet> Connection closed.
---------------------------------------------------
I think there are conflicting rules on the monitored host, that:
- prevent access to 5666 from 192.168.111.0/24,
- give access to 5666 from 192.168.111.19
and packets from potemkin are routed through the home zone.
I really would like to have a dedicated "monitor" zone. Is there a way to give the "monitor" zone more priority than "home"? I may end up with OpenVPN on potemkin and use 172.30.25.0/24 for monitoring, but, apart from the encryption aspect, it seems a little excessive.
Thank You.
On Mon, Feb 08, 2021 at 06:19:07PM +0100, Łukasz Posadowski wrote:
You can do it with rich rules, which have a priority. Basically, if you set the priority to < 0, it goes into a _pre table which gets evaluated before the other zones:
Blog about it: https://firewalld.org/2018/12/rich-rule-priorities
Unfortunately, this was introduced in firewalld v0.7.0 which isn't in CentOS 7. I'm not sure if the functionality has been backported, but the firewalld.richlanguage man page on my c7 system doesn't mention it. It should work on CentOS 8+.
Another solution is to set a direct rule, which is evaluated first.
Lastly, it's my experience that firewalld evaluates the configuration of zones lexically, so if the monitoring zone happens to sort (LANG=C) before the other zone, it'll be evaluated first. Don't trust that this behavior will always be the case.
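One way to apply the rich-rule approach above to the two hosts in this thread, as an added example (not from the thread or the firewalld project); it assumes the packets from 192.168.111.19 are currently landing in the "home" zone on the monitored host, and -10 is an arbitrary negative priority:

```shell
#!/bin/sh
# Added example, not part of the thread. Builds and applies a firewalld rich rule
# that accepts TCP/5666 from the monitoring host before the rest of the "home"
# zone is evaluated (negative priority -> the zone's _pre chain, firewalld >= 0.7.0).
# Assumptions: this runs on the monitored host, packets from 192.168.111.19
# currently match the "home" zone, and -10 is an arbitrary negative value.
MONITOR_SRC="192.168.111.19"   # potemkin, the monitoring host
NRPE_PORT="5666"               # port the monitoring agent listens on
PRIO="-10"                     # any value < 0 lands in the _pre chain

# Compose the rich-rule text; kept as a function so it can be checked
# independently of firewall-cmd.
monitor_rich_rule() {
  src=$1; port=$2; prio=$3
  printf 'rule priority="%s" family="ipv4" source address="%s" port port="%s" protocol="tcp" accept\n' \
    "$prio" "$src" "$port"
}

# Add the rule to the permanent config and reload so runtime matches it.
# Scoping the accept to a single source address keeps 5666 closed for the
# rest of 192.168.111.0/24.
apply_monitor_rule() {
  zone=$1
  rule=$(monitor_rich_rule "$MONITOR_SRC" "$NRPE_PORT" "$PRIO")
  firewall-cmd --permanent --zone="$zone" --add-rich-rule="$rule" || return 1
  firewall-cmd --reload || return 1
  # Confirm the running configuration carries the rule (exit status 0 when present).
  firewall-cmd --zone="$zone" --query-rich-rule="$rule"
}

# Run as root on the monitored host: ./monitor-rule.sh apply
if [ "${1:-}" = "apply" ]; then
  apply_monitor_rule home
fi
```

After the reload, the telnet to port 5666 from potemkin should connect, while the same port stays rejected for every other host in the /24.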
On Mon, 08.02.2021 at 15:30 -0500, user Jonathan Billings wrote:
I'm with CentOS 8 (and Fedora), so it should work. Thank you, I'll try with rich rules.