W dniu pon, 08.02.2021 o godzinie 15∶30 -0500, użytkownik Jonathan
Billings napisał:
> On Mon, Feb 08, 2021 at 06:19:07PM +0100, Łukasz Posadowski wrote:
> >
> >
> > Hi.
> >
> > I have a little trouble with firewalld. I'm trying to open some
> > ports
> > for monitoring server, but it's in the same network as "home" zone:
> >
> > Monitored host (192.168.111.60):
> >
> > lukasz @ strategie 17:52:19 ~ $
> > -> sudo firewall-cmd --get-active
> > home
> > sources: 192.168.111.0/24
> > (open ports 22, 80, 443)
> > monitoring
> > sources: 192.168.111.19
> > (open ports: 5666)
> > public
> > interfaces: ens18
> > (no open ports)
> >
> > ---------------------------------------------------
> >
> > Monitoring host (192.168.111.19):
> >
> > lukasz @ potemkin 17:57:25 ~ $
> > -> telnet strategie.ping.local 5666
> > Trying 192.168.111.60...
> > telnet: connect to address 192.168.111.60: No route to host
> >
> > lukasz @ potemkin 17:57:26 ~ $
> > -> telnet strategie.ping.local 80
> > Trying 192.168.111.60...
> > Connected to strategie.ping.local.
> > Escape character is '^]'.
> > ^]
> > telnet> Connection closed.
> >
> > ---------------------------------------------------
> >
> > I think there are conflicting rules on a monitored host, that:
> > - prevent access to 5666 from 192.168.111.0/24,
> > - give access to 5666 from 192.168.111.19
> > and packets from potemkin are routed trough a home zone.
> >
> > I really would like to have dedicated "monitor" zone. Is there a
> > way to
> > give "monitor" zone more priority, than "home"? I may end with
> > OpenVPN
> > on potemkin and use 172.30.25.0/24 for monitoring, but, apart from
> > encryption aspect, it seems a little excessive.
>
> You can do it with rich rules, which have a priority. Basically, if
> you set priority to < 0, it goes into a _pre table which gets
> evaluated before the other zones:
>
> Blog about it:
> https://firewalld.org/2018/12/rich-rule-priorities
>
> Unfortunately, this was introduced in firewalld v0.7.0 which isn't in
> CentOS 7. I'm not sure if the functionality has been backported, but
> the firewalld.richlanguage man page on my c7 system doesn't mention
> it. It should work on CentOS 8+.
>
> Another solution is to set a direct rule, which is evaluated first.
>
> Lastly, its my experience that firewalld evaluates the configuration
> of zones lexically, so if the monitoring zone happens to sort
> (LANG=C)
> before the other zone, it'll be evaluated first. Don't trust that
> this behavior will always be the case.
>
I'm with Centos 8 (and fedora), so it should work. Thank You, I'll try
with rich rules.
--
Łukasz Posadowski
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
