On Thu, Mar 24, 2016 at 09:18:16PM +0000, James Hogarth wrote:

Thanks, James, that looks pretty good. I'll look into it and probably give it a try.

Fred

> On 24 March 2016 at 18:01, Fred Smith <fredex@xxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> > Hi all!
> >
> > I'm wondering if it is possible to have CentOS-7 automatically change
> > firewall zones, depending on the network we connect to.
> >
> > My default zone is "home" and it has some ports open that probably
> > shouldn't be open when I'm on someone else's network.
> >
> > So I'm thinking that if there's a way to have it always use home when
> > I'm at home, and external when I'm not, it would be great.
> >
> > I see that firewall-cmd has a ton of options, but not sure which one(s)
> > I'd need for switching. (I see one for setting default zone, but I didn't
> > see one for setting current zone--maybe I'm blind).
> >
> > I'm also not at all sure how to invoke it at a proper time... perhaps
> > some udev rules?
> >
> > Anyone got any wisdom they can drop on me?
>
> The default zones are poorly named and should never have been included -
> especially given most of them aren't in use on any given system.
>
> For a look into how to make use of firewalld take a look at this:
>
> https://www.hogarthuk.com/?q=node/9
>
> The best way to handle the scenario you describe would be multiple NM
> connection profiles (don't have it set to auto) so that you can set
> connection.zone correctly on each for the right network profile.
>
> Then when you nmcli c up work (or home or whatever) to bring up that
> connection profile it'll come up in the right zone.
>
> This manual nmcli c up is only needed if these are ethernet profiles as
> there's no link between subnet and connection profile.
>
> If these are WiFi connections NM already has different connection profiles
> and picks one to match the SSID - so you could set the right
> connection.zone in that.
>
> The NM article goes into some details on connection profiles:
>
> https://www.hogarthuk.com/?q=node/8
>
> Alternatively if you know the subnets that will be connecting to you at
> work and home you could set your default profile to reject and create zones
> with appropriate incoming rules bound to the source subnets contacting your
> system.
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> https://lists.centos.org/mailman/listinfo/centos

-- 
---- Fred Smith -- fredex@xxxxxxxxxxxxxxxxxxxxxx -----------------------------
God made him who had no sin to be sin for us, so that in him we might
become the righteousness of God."
--------------------------- Corinthians 5:21 ---------------------------------
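The two approaches James outlines, written up as an added POSIX shell example (not code from the thread or from either poster): the first pins a firewalld zone to each NetworkManager connection profile with `connection.zone` and turns autoconnect off so the profile is chosen by hand with `nmcli c up`; the second sets the default zone to `block` (reject) and admits known subnets into named zones by source address, so the exposed ports follow the network rather than the link. The profile names (`home-eth`, `work-eth`), the `work` zone, the interface name and the subnets are constructed placeholders; setting `DRY_RUN=1` prints the commands instead of running them so the plan can be reviewed before touching a live box.

```shell
#!/bin/sh
# Added example: tie firewalld zones to the network you are on.
# Profile names, zone "work", interface and subnets are placeholders.

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Approach 1: one NM connection profile per network, each carrying its
# own connection.zone.  $1 = profile name, $2 = firewalld zone.
bind_profile_zone() {
    run nmcli connection modify "$1" connection.zone "$2"
    # Autoconnect off: for wired profiles NM cannot tell networks apart,
    # so the user brings the right one up with: nmcli c up "$1"
    run nmcli connection modify "$1" connection.autoconnect no
}

configure_profiles() {
    bind_profile_zone home-eth home     # assumed profile name
    bind_profile_zone work-eth work     # assumed profile name
}

# Approach 2: reject by default, then let each known subnet into the
# zone whose rules fit it.  $1 = zone, $2 = source CIDR.
bind_source_zone() {
    run firewall-cmd --permanent --zone="$1" --add-source="$2"
}

configure_source_zones() {
    # "block" is the built-in zone that rejects with ICMP.
    run firewall-cmd --set-default-zone=block
    # "work" is not a built-in zone, so create it and give it only ssh.
    run firewall-cmd --permanent --new-zone=work
    run firewall-cmd --permanent --zone=work --add-service=ssh
    bind_source_zone home 192.168.1.0/24   # constructed: home LAN
    bind_source_zone work 10.20.0.0/16     # constructed: office LAN
    run firewall-cmd --reload
}

# Post-check: did the active interface land in the zone we expected?
# $1 = interface, $2 = expected zone.  Exit status 0 when they match.
check_zone() {
    actual=$(firewall-cmd --get-zone-of-interface="$1" 2>/dev/null)
    [ "$actual" = "$2" ]
}

# Usage (review first, then apply):
#   DRY_RUN=1 sh zones.sh            # print the commands
#   sudo sh zones.sh && check_zone eth0 home   # eth0 is a placeholder
if [ "${0##*/}" = "zones.sh" ]; then
    configure_profiles
    configure_source_zones
fi
```

Run `check_zone` after `nmcli c up home-eth` (or after reconnecting to the office subnet) to confirm that `firewall-cmd --get-zone-of-interface` reports the zone you intended; if it still says the old zone, the profile's `connection.zone` was not applied or the permanent rules were never reloaded.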