Re: Trying to open ports in firewalld

On Thu, 2016-02-25 at 11:48 +0000, Timothy Murphy wrote:
> After changing the default zone to "internal" everything works fine.
>  
> But I don't understand the reasoning behind this.
> This use of the term "zone" seems to me misleading and bizarre.
> I run shorewall on my home server, and there the "zone"
> can be "net", "local", etc.

Security zones can be considered thus:

You have a gateway machine that connects directly to the internet, and
it is the link between the WWW and your LAN.  Since it straddles both
sides, it would have an external set of rules and an internal set of
rules.  The external rules apply to the traffic between it and the WWW,
the internal rules apply to the traffic between it and your LAN.  The
external rules would, usually, be more stringent than the internal ones.
Both rule sets are always in action.

You have another computer that is inside your LAN, you'd set up an
internal rule set for this.  Or you could use some other name for it,
it's just a name for a set of rules that makes sense to you.  You could
call it LAN.

You have a laptop that sometimes is inside your LAN, sometimes you take
it to public networks.  You may have two sets of rules, a *home* set for
where you trust the rest of your network, and an *away* set where you do
not trust anything.  Only one set of rules is used at a time, so you
can set one as the default, but change it when needed.

What kind of differences might there be between external and internal
rules?  You might allow NFS or SMB inside, but block it externally.
Likewise for other services.  You may block some things internally, you
might block nothing internally.

-- 
[tim@localhost ~]$ uname -rsvp
Linux 3.19.8-100.fc20.i686 #1 SMP Tue May 12 17:42:35 UTC 2015 i686

All mail to my mailbox is automatically deleted, there is no point trying
to privately email me, I will only read messages posted to the public lists.

George Orwell's '1984' was supposed to be a warning against tyranny, not
a set of instructions for supposedly democratic governments.

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
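The three machines described in the reply above (gateway straddling WAN and LAN, plain LAN host, roaming laptop) expressed as firewalld zone assignments. This is an added example, not code from the original thread or from the firewalld project; the interface names eth0 and eth1, the NetworkManager profile name, and the dry-run variable FWCMD are assumptions made for illustration. Setting FWCMD=echo prints the firewall-cmd invocations instead of running them, which is how the script can be inspected on a machine without firewalld.

```shell
#!/bin/sh
# Added example (not from the original post): the three machines in the
# reply as firewalld zone assignments. eth0/eth1 and the NetworkManager
# profile name are assumptions. FWCMD=echo makes this a dry run.

fw() { "${FWCMD:-firewall-cmd}" "$@"; }

# Gateway: WAN side in "external" (masquerade on, only ssh open by default),
# LAN side in "internal", where NFS and SMB are allowed. Both zones are
# active at the same time because each is bound to a different interface.
gateway_zones() {
    wan="$1"; lan="$2"
    fw --permanent --zone=external --change-interface="$wan" || return 1
    fw --permanent --zone=internal --change-interface="$lan" || return 1
    # "nfs" alone is not enough for NFSv3 clients; they also need rpc-bind and mountd
    for svc in nfs rpc-bind mountd samba; do
        fw --permanent --zone=internal --add-service="$svc" || return 1
    done
    # --permanent edits the stored config only; reload makes it the running ruleset
    fw --reload
}

# Plain LAN host: one interface, so the default zone is the whole policy.
# Any services to expose to the LAN are passed as arguments.
lan_host_zone() {
    fw --set-default-zone=internal || return 1
    for svc in "$@"; do
        fw --zone=internal --add-service="$svc" --permanent || return 1
    done
    fw --reload
}

# Laptop: only one zone is in effect at a time, so flip the default
# between a trusting "home" set and an untrusting "public" set.
# --set-default-zone changes both runtime and permanent config at once.
laptop_zone() {
    case "$1" in
        home) zone=home ;;
        away) zone=public ;;
        *) echo "usage: laptop_zone home|away" >&2; return 2 ;;
    esac
    fw --set-default-zone="$zone"
}

# Better for the laptop: bind the zone to the NetworkManager profile so it
# follows the network automatically instead of a manual flip.
bind_connection_zone() {
    "${NMCLI:-nmcli}" connection modify "$1" connection.zone "$2"
}

# Check what is actually in effect (runtime state, not the --permanent files).
show_zones() {
    fw --get-default-zone
    fw --get-active-zones
    fw --zone=internal --list-services
}
```

The check that matters after any of these is `show_zones`: `--get-active-zones` lists which interfaces sit in which zone, and it is the runtime view, so a `--permanent` change that was never followed by `--reload` will not show up there. For the laptop, binding the zone to the connection profile (last function) is the usual way to get the "home"/"away" switch without remembering to run anything.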
