Re: firewalld - same source in different zones

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



W dniu pon, 08.02.2021 o godzinie 15∶30 -0500, użytkownik Jonathan
Billings napisał:
> On Mon, Feb 08, 2021 at 06:19:07PM +0100, Łukasz Posadowski wrote:
> > 
> > 
> > Hi.
> > 
> > I have a little trouble with firewalld. I'm trying to open some
> > ports
> > for monitoring server, but it's in the same network as "home" zone:
> > 
> > Monitored host (192.168.111.60):
> > 
> > lukasz @ strategie 17:52:19  ~ $ 
> >   ->  sudo firewall-cmd --get-active
> > home
> >   sources: 192.168.111.0/24
> >   (open ports 22, 80, 443)
> > monitoring
> >   sources: 192.168.111.19
> >   (open ports: 5666)
> > public
> >   interfaces: ens18
> >   (no open ports)
> > 
> > ---------------------------------------------------
> > 
> > Monitoring host (192.168.111.19):
> > 
> > lukasz @ potemkin 17:57:25  ~ $ 
> >   ->  telnet strategie.ping.local 5666
> > Trying 192.168.111.60...
> > telnet: connect to address 192.168.111.60: No route to host
> > 
> > lukasz @ potemkin 17:57:26  ~ $ 
> >   ->  telnet strategie.ping.local 80
> > Trying 192.168.111.60...
> > Connected to strategie.ping.local.
> > Escape character is '^]'.
> > ^]
> > telnet> Connection closed.
> > 
> > ---------------------------------------------------
> > 
> > I think there are conflicting rules on a monitored host, that:
> > - prevent access to 5666 from 192.168.111.0/24,
> > - give access to 5666 from 192.168.111.19
> > and packets from potemkin are routed trough a home zone.
> > 
> > I really would like to have dedicated "monitor" zone. Is there a
> > way to
> > give "monitor" zone more priority, than "home"? I may end with
> > OpenVPN
> > on potemkin and use 172.30.25.0/24 for monitoring, but, apart from
> > encryption aspect, it seems a little excessive.
> 
> You can do it with rich rules, which have a priority.  Basically, if
> you set priority to < 0, it goes into a _pre table which gets
> evaluated before the other zones:
> 
> Blog about it:
> https://firewalld.org/2018/12/rich-rule-priorities
> 
> Unfortunately, this was introduced in firewalld v0.7.0 which isn't in
> CentOS 7.  I'm not sure if the functionality has been backported, but
> the firewalld.richlanguage man page on my c7 system doesn't mention
> it.  It should work on CentOS 8+.
> 
> Another solution is to set a direct rule, which is evaluated first.
> 
> Lastly, its my experience that firewalld evaluates the configuration
> of zones lexically, so if the monitoring zone happens to sort
> (LANG=C)
> before the other zone, it'll be evaluated first.  Don't trust that
> this behavior will always be the case.
> 

I'm with Centos 8 (and fedora), so it should work. Thank You, I'll try
with rich rules.

-- 
Łukasz Posadowski


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos




[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]


  Powered by Linux