
I'm trying to set up firewalld for the first time. I have two types of rules I'd like to add:

  • Rules which only allow traffic on specific ports with certain sources.
  • Rules which allow ALL traffic from specific sources.

So let's say I create a new zone called "myZone". I want to allow ALL traffic from 10.95.0.0/16, but only LDAP related traffic from 10.96.59.23.

So I add the sources to "myZone":

firewall-cmd --permanent --zone=myZone --add-source=10.95.0.0/16
firewall-cmd --permanent --zone=myZone --add-source=10.96.59.23

Now it's time to add the LDAP port which I want to allow traffic on:

firewall-cmd --zone=myZone --add-port=389/tcp

However, what will this do exactly? I imagine this is being applied for all sources in "myZone"? I want to restrict 10.96.59.23 to LDAP traffic only, but allow ANY traffic for 10.95.0.0/16. I have a feeling I'm missing something fundamental here.

Theoretically I thought I could create two zones, let's say "workstationZone" and "ldapZone". I can then assign port 389 to "ldapZone". However, I can't seem to get multiple zones assigned to a single interface.

# firewall-cmd --zone workstationZone --add-interface ens32 --permanent
success
# firewall-cmd --zone ldapZone --add-interface ens32 --permanent
success
# firewall-cmd --get-active-zones
workstationZone
  interfaces: ens32
  sources: 10.95.0.0/16
ldapZone
  sources: 10.96.59.23

I was hoping in the above that my "ens32" interface would be added to both zones.

Another option I see is using "rich rules"; however, there seem to be a lot of recommendations to avoid using them due to them being difficult to maintain.

Again, I feel like I'm missing something totally fundamental, but even after reading a couple of guides, I'm just not getting it. If anyone can help set me straight, it would be much appreciated.

azurepancake

1 Answer

If the traffic to be allowed differs between sources/interfaces, you should create new zones. A zone defines a set of allowed traffic, and then applies it to the specified interfaces and/or source networks.

For instance, you can have a zone which allows all traffic (there already is by default; it's called trusted), another zone which allows LDAP traffic, and another zone which allows some other set of services.

Note that an interface or source can only be in one zone, so you should assign each of them to a zone and the traffic that zone allows will apply to that interface or source. This may mean you need to create another zone, but this is perfectly fine.

Remember, you should not use --permanent until you are satisfied the rules work. Otherwise you could lock yourself out with a typo and require booting into a rescue environment to recover. Instead, add your rules and once you are satisfied they all work, use firewall-cmd --runtime-to-permanent to save them. (And if you lock yourself out with a typo, restarting firewalld or the computer will revert all your unsaved changes.)

Also, save yourself some typing. The word Zone in the name of the zone is redundant.

Michael Hampton
  • Apologies if I'm still misunderstanding. This system only has one network interface named "ens32". If I'm understanding your much appreciated advice, this means I need to create a single zone (since an interface can only be in one zone) which encompasses all of the policy which I require. If that is the case, how do I apply ports to specific IP addresses or subnets, rather than the entire zone? For example, I want the LDAP server to be allowed to talk LDAP to me, but not other systems. – azurepancake Sep 01 '20 at 21:21
  • @azurepancake A zone with a source network will override a zone with an interface. So you can define zones to allow certain traffic from specific source networks, and a zone to allow certain traffic coming in on the interface which isn't in any of those networks. – Michael Hampton Sep 01 '20 at 21:22
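A worked version of the answer and its last comment, added here as an example (not code from the question, the answer, or the firewalld project). It puts the 10.95.0.0/16 network into the built-in trusted zone, creates a new zone named ldap (dropping the redundant "Zone" suffix as the answer suggests) that allows only 389/tcp from 10.96.59.23, and leaves ens32 in the default public zone for every other source. It follows the answer's advice of making runtime changes first and saving them with --runtime-to-permanent; zone creation is the one step that needs --permanent, so it is done before the reload. The FIREWALL_CMD variable is this script's own convention so it can be dry-run with FIREWALL_CMD=echo; zone_for_source is a simplified model of the lookup order the comment describes (source-bound zones checked before the interface-bound zone), useful for checking what policy a given client address will get before touching the real firewall.

```shell
#!/usr/bin/env bash
# Added example, not from the original question or answer. Applies the answer's
# advice to the setup in the question: 10.95.0.0/16 gets the built-in "trusted"
# zone (everything allowed), 10.96.59.23 gets a new "ldap" zone limited to
# 389/tcp, and the interface ens32 stays in the default "public" zone for any
# source that no source-bound zone claims. FIREWALL_CMD is this script's own
# knob so it can be dry-run with FIREWALL_CMD=echo on a machine without firewalld.
set -eu

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Intended zone bindings, "zone|kind|value". This table is the script's own
# bookkeeping (constructed for the example); firewalld keeps the real state.
ZONE_TABLE="trusted|source|10.95.0.0/16
ldap|source|10.96.59.23
public|interface|ens32"

apply_rules() {
  # Creating a zone is the one step that needs --permanent plus a reload;
  # do it first, because --reload discards runtime-only changes.
  "$FIREWALL_CMD" --permanent --new-zone=ldap
  "$FIREWALL_CMD" --reload
  # Everything else is added to the runtime config only, as the answer
  # recommends: a typo here is undone by restarting firewalld.
  "$FIREWALL_CMD" --zone=ldap --add-port=389/tcp
  "$FIREWALL_CMD" --zone=ldap --add-source=10.96.59.23
  "$FIREWALL_CMD" --zone=trusted --add-source=10.95.0.0/16
  "$FIREWALL_CMD" --zone=public --change-interface=ens32
  # Once verified (e.g. with --get-active-zones), persist the runtime state.
  "$FIREWALL_CMD" --runtime-to-permanent
}

# Dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NETWORK[/BITS]: succeeds when IP lies inside NETWORK (a bare
# address counts as /32, which is how firewalld treats a single-host source).
in_cidr() {
  local ip=$1 net=${2%/*} bits=${2#*/} mask
  [ "$net" = "$2" ] && bits=32
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# zone_for_source IP: simplified model of which zone firewalld applies to a
# packet arriving on ens32 from IP. Source-bound zones are matched first; the
# interface-bound zone only catches what no source zone claimed.
zone_for_source() {
  local ip=$1 zone kind value iface_zone=""
  while IFS='|' read -r zone kind value; do
    if [ "$kind" = source ] && in_cidr "$ip" "$value"; then
      echo "$zone"
      return 0
    fi
    [ "$kind" = interface ] && iface_zone=$zone
  done <<EOF
$ZONE_TABLE
EOF
  echo "${iface_zone:-public}"
}

# Usage: ./zones.sh apply            (FIREWALL_CMD=echo ./zones.sh apply to dry-run)
#        ./zones.sh which 10.96.59.23
case "${1:-}" in
  apply) apply_rules ;;
  which) zone_for_source "$2" ;;
esac
```

Running `./zones.sh which 10.96.59.24` answers the asker's question directly: an address next to the LDAP server falls through to the public zone, so it gets neither the trusted zone's open policy nor the ldap zone's port 389, which is exactly the per-source split the question wanted without rich rules.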