[CentOS] firewalld question

James Hogarth james.hogarth at gmail.com
Fri Mar 25 19:04:54 UTC 2016


On 25 March 2016 at 16:31, Matthew Miller <mattdm at mattdm.org> wrote:

> On Fri, Mar 25, 2016 at 11:26:17AM +0000, Timothy Murphy wrote:
> > >> I'm wondering if it is possible to have Centos-7 automatically change
> > >> firewall zones, depending on the network we connect to.
> > > The way to do this is changing the zone for the network in
> > > NetworkManager.
> > Are there two different ways of setting firewalld zones,
> > in firewalld and in NetworkManager?
> > Which is taken if they differ?
>
> They can't differ — the configuration is stored in the ifcfg files, no
> matter how you set it.
>
In this instance you're incorrect Matthew.

If an interface is associated with a zone via firewalld then this config is
in /etc/firewalld/zones/<zonename>.xml with an interface element in the xml
there.

If NM has connection.zone modified to point to something this then would go
into /etc/sysconfig/network-scripts/ifcfg-* (as ZONE=)

And as a quick test the NM value overrides the firewalld one.

To verify this in a VM, assuming an interface name of eth0, do the
following:

== Make the firewalld change ==
firewall-cmd --change-interface=eth0 --zone=work
firewall-cmd --runtime-to-permanent

== Verify the config ==
firewall-cmd --get-active-zones
cat /etc/firewalld/zones/work.xml

** At this point the config all points to eth0 in work and verification
confirms this **

== Make the NM change ==
nmcli c mod "System eth0" connection.zone home

== Verify the config ==
firewall-cmd --get-active-zones
cat /etc/sysconfig/network-scripts/ifcfg-eth0
cat /etc/firewalld/zones/work.xml

** At this point the firewalld config points to eth0 in work but the NM
config points to home and verification confirms this different config but
home in use **

== Note the persistence ==
reboot
firewall-cmd --get-active-zones
cat /etc/sysconfig/network-scripts/ifcfg-eth0
cat /etc/firewalld/zones/work.xml

** The same situation as pre-reboot appears **

I assume this is the case as NM explicitly puts an interface into a zone as
part of the connection profile coming up. I haven't monitored dbus to see
if firewalld brings it up on one and NM changes it or not... easy for
someone else to test though ;)

> > I find the firewalld definition of "zones" rather confusing.
> > I run shorewall on my home server, and that seems to me
> > to have a much simpler definition of zones.
>
> Think of "zone" as "set of presets".
>

It's a really horrible UX issue frankly, I've seen it confuse many people
at this point. This is made worse by the Fedora products creating their own
zones and defaulting to those, with EL7 using the firewalld upstream default
of Public, the name of which is itself confusing when it doesn't really
relate to anything public but is just a name.

I've seen people assume work or home are detected by subnets or local net
only, for instance - when again they're just labels for the larger part.

Upstream firewalld has been reluctant to change this though from what I've
seen and you can't even remove the default zones nicely to get a clearer
view of things.
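The test above needs a VM with firewalld and NetworkManager running. As an added example that is not part of the original post, here is an offline check that reads the same two on-disk sources the post names (the `<interface name="..."/>` element in `/etc/firewalld/zones/<zone>.xml` and `ZONE=` in `ifcfg-*`), reports what each says for an interface, and flags the case where they disagree. The precedence it applies (NM's `ZONE=` wins, then firewalld's interface element, then the default zone) is taken from the post's own test result; the default zone name `public` and the sample files it builds in a temp directory are assumptions, constructed to reproduce the post's end state rather than copied from a real system. The directories are parameters so the same functions run against the real paths on an EL7 box.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: compare firewalld's and
# NetworkManager's zone assignment for one interface, offline.

# firewalld_zone <zones_dir> <iface>
# Prints the zone whose XML carries <interface name="iface"/>; returns 1 if none.
firewalld_zone() {
    zones_dir=$1; iface=$2
    for f in "$zones_dir"/*.xml; do
        [ -e "$f" ] || continue
        if grep -q "<interface name=\"$iface\"/>" "$f"; then
            basename "$f" .xml
            return 0
        fi
    done
    return 1
}

# nm_zone <scripts_dir> <iface>
# Prints the ZONE= value from ifcfg-<iface> (quotes stripped), empty if unset;
# returns 1 if the profile file is missing.
nm_zone() {
    f="$1/ifcfg-$2"
    [ -r "$f" ] || return 1
    sed -n 's/^ZONE=//p' "$f" | tr -d '"' | head -n 1
}

# effective_zone <zones_dir> <scripts_dir> <iface> <default_zone>
# Precedence as observed in the post: ifcfg ZONE= beats the firewalld
# interface element; with neither set the default zone (assumed here) applies.
effective_zone() {
    zones_dir=$1; scripts_dir=$2; iface=$3; default=$4
    z=$(nm_zone "$scripts_dir" "$iface" || true)
    if [ -n "$z" ]; then echo "$z"; return 0; fi
    z=$(firewalld_zone "$zones_dir" "$iface") && { echo "$z"; return 0; }
    echo "$default"
}

# report <zones_dir> <scripts_dir> <iface>
# One line per interface; "-" means that source does not name a zone.
report() {
    zones_dir=$1; scripts_dir=$2; iface=$3
    fw=$(firewalld_zone "$zones_dir" "$iface" || echo "-")
    nm=$(nm_zone "$scripts_dir" "$iface" || true)
    [ -n "$nm" ] || nm="-"
    eff=$(effective_zone "$zones_dir" "$scripts_dir" "$iface" public)
    printf '%s: firewalld=%s nm=%s effective=%s' "$iface" "$fw" "$nm" "$eff"
    if [ "$fw" != "-" ] && [ "$nm" != "-" ] && [ "$fw" != "$nm" ]; then
        printf ' (CONFLICT: ifcfg ZONE= wins)'
    fi
    printf '\n'
}

# make_sample <dir>
# Constructed sample files (assumption, not a real system) reproducing the
# post's end state: work.xml lists eth0 while ifcfg-eth0 says ZONE=home.
make_sample() {
    dir=$1
    mkdir -p "$dir/zones" "$dir/network-scripts"
    cat > "$dir/zones/work.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <interface name="eth0"/>
  <service name="ssh"/>
</zone>
EOF
    cat > "$dir/network-scripts/ifcfg-eth0" <<'EOF'
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
ZONE=home
EOF
}

# Demo against the constructed sample; on a real EL7 box call instead
#   report /etc/firewalld/zones /etc/sysconfig/network-scripts eth0
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
report "$demo_dir/zones" "$demo_dir/network-scripts" eth0
# prints: eth0: firewalld=work nm=home effective=home (CONFLICT: ifcfg ZONE= wins)
rm -rf "$demo_dir"
```

The check only reads files, so it is safe to run on a live host, and a CONFLICT line is the signal that `firewall-cmd --get-active-zones` will not match what `/etc/firewalld/zones/` suggests.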
