[CentOS] firewalld question

James Hogarth james.hogarth at gmail.com
Thu Mar 24 21:18:16 UTC 2016


On 24 March 2016 at 18:01, Fred Smith <fredex at fcshome.stoneham.ma.us> wrote:

> Hi all!
>
> I'm wondering if it is possible to have Centos-7 automatically change
> firewall zones, depending on the network we connect to.
>
> My default zone is "home" and it has some ports open that probably
> shouldn't be open when I'm on someone else's network.
>
> So I'm thinking that if there's a way to have it always use home when
> I'm at home, and external when I'm not, it would be great.
>
> I see that firewall-cmd has a ton of options, but not sure which one(s)
> I'd need for switching. (I see one for setting default zone, but I didn't
> see one for setting current zone--maybe I'm blind).
>
> I'm also not at all sure how to invoke it at a proper time... perhaps
> some udev rules?
>
>
> Anyone got any wisdom they can drop on me?
>
>
The default zones are poorly named and should never have been included -
especially given most of them aren't in use on any given system.

For a look into how to make use of firewalld take a look at this:

https://www.hogarthuk.com/?q=node/9

The best way to handle the scenario you describe would be multiple NM
connection profiles (don't have it set to auto) so that you can set
connection.zone correctly on each for the right network profile.

Then when you nmcli c up work (or home or whatever) to bring up that
connection profile it'll come up in the right zone.

This manual nmcli c up is only needed if these are ethernet profiles, as
there's no link between subnet and connection profile.

If these are WiFi connections, NM already has different connection profiles
and picks one to match the SSID - so you could set the right
connection.zone in that.

The NM article goes into some detail on connection profiles:

https://www.hogarthuk.com/?q=node/8

Alternatively, if you know the subnets that will be connecting to you at
work and home, you could set your default zone to reject and create zones
with appropriate incoming rules bound to the source subnets contacting your
system.
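The two approaches in the reply above, written out as an added shell script (this is not code from the mailing-list post or from the linked articles). The profile names `home` and `work`, the zone names `homelan` and `worklan`, the subnets, and the service list are constructed assumptions; adjust them to your own NetworkManager profiles and networks. The script prints the commands it would run unless `DRY_RUN=0` is set, so it can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example: bind firewalld zones to NetworkManager profiles (approach 1)
# or to source subnets under a rejecting default zone (approach 2).
# Profile names, zone names and subnets below are constructed assumptions.
# DRY_RUN=1 (the default) only prints the plan; DRY_RUN=0 executes it.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Approach 1: pin a connection profile to a zone via connection.zone.
# For ethernet profiles, autoconnect is disabled so the right profile is
# chosen explicitly with "nmcli c up <profile>"; for WiFi, NM picks the
# profile by SSID and the zone follows automatically.
bind_profile_zone() {
    profile="$1"
    zone="$2"
    run nmcli connection modify "$profile" connection.zone "$zone"
    run nmcli connection modify "$profile" connection.autoconnect no
}

# Approach 2: a per-network zone whose membership is decided by the
# source subnet of incoming traffic, opening only the listed services.
bind_subnet_zone() {
    zone="$1"
    subnet="$2"
    shift 2
    run firewall-cmd --permanent --new-zone="$zone"
    run firewall-cmd --permanent --zone="$zone" --add-source="$subnet"
    for svc in "$@"; do
        run firewall-cmd --permanent --zone="$zone" --add-service="$svc"
    done
}

configure_source_zones() {
    # "block" rejects unsolicited traffic (with an ICMP error); anything not
    # matched by a source-bound zone lands here.
    run firewall-cmd --set-default-zone=block
    bind_subnet_zone homelan 192.168.1.0/24 ssh mdns samba   # constructed
    bind_subnet_zone worklan 10.20.0.0/16 ssh                # constructed
    run firewall-cmd --reload
}

# Checks worth running after either approach: which zones are actually
# active, and which zone a given profile is pinned to.
show_state() {
    run firewall-cmd --get-active-zones
    run nmcli -g connection.zone connection show home
}

# Usage: sh zones.sh            -> prints the plan
#        DRY_RUN=0 sh zones.sh  -> applies it (run as root)
bind_profile_zone home home
bind_profile_zone work public
configure_source_zones
show_state
```

With approach 2 the interface itself can stay in the rejecting default zone; only packets whose source address falls inside `192.168.1.0/24` or `10.20.0.0/16` are evaluated against the corresponding zone, so a laptop plugged into an unknown network exposes nothing beyond what `block` allows.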
