New Fedora Core 19 system refuses to forward port from external to internal zone, no logging data found.
The scenario is simply that I've got a system that serves as a firewall / gateway, has an internal and external interface, and had a disk drive failure; the disk was replaced along with a new version of the OS - FC19. I have the old iptables script, and neither it nor firewalld works correctly. I have tried two sets of hardware and they return slightly different behaviors!
Along the way, some things partially worked and unfortunately, I trusted the new firewalld and kept going. Now I'm a little lost.
The MOST important question is: How can I debug this sucker? NOTHING has worked in that regard (at least for firewalld). I want it to log rejected attempts to use ports so I can figure out how to fix it...
To do that, I used the rich-rules syntax, like this:
firewall-cmd --permanent --zone=external --add-rich-rule='rule family="ipv4" forward-port port="25" protocol="tcp" to-port="25" to-addr="192.168.1.1" log="smtp forward" level="info"'
It doesn't work and I suspect it's because the three actions are accept, reject, and drop, and the port-forward is implicitly an accept directive, so it would only log when packets are accepted, and not when they aren't. But how to set this up is unknown!
Some observations:
I may be having difficulty because of the naming of the interfaces. It would be nice to have firewalld tell me what it thinks the interfaces should be rather than me guess. I get one name from ifconfig, and another from route, and at least on one system, yet another name is used on the default /etc/sysconfig/network-scripts/ifcfg-xxx scripts. QUESTION: Where do the canonical names to use with firewall-cmd come from?
At one point I had (briefly) port forwarding working. BUT it was for the "public" zone. At one point I would have sworn I got it working on the "external" zone, but as I have gotten more methodical and ultra-careful with what-all I've tried, I haven't gotten it to work again with 'external.'
NONE of the internal systems are blocking the ports on their own internal firewall software.
I have read all of the articles I could find on firewalld on the internet and all question/answer entries on serverfault. I am well aware that some people advocate using iptables until firewalld matures a bit more, but the iptables rules I'd like to have running on the system are non-trivial in themselves - which is a key motivator to finding a way to be successful with firewalld.
If I do try iptables as the way forward for now, I also need to know the canonical names for it, too...
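The rich-rule syntax the question struggles with can be checked offline before it reaches firewall-cmd. This added example (not part of the question and not firewalld's own code) is a small validator built from the grammar in firewalld.richlanguage(5): it shows that in the posted rule `log="smtp forward"` is parsed as an attribute hanging off forward-port (the documented form is `log prefix="..." level="..."`), and that forward-port implies accept, so an attached log element can only record packets that are actually forwarded, never rejected ones. The sample rules are constructed from the question.

```python
import shlex

# Keyword -> allowed attributes, summarised from firewalld.richlanguage(5).
KEYWORDS = {
    "rule": {"family", "priority"}, "source": {"address", "mac", "ipset"},
    "destination": {"address"}, "NOT": set(), "service": {"name"},
    "port": {"port", "protocol"}, "protocol": {"value"}, "icmp-block": {"name"},
    "icmp-type": {"name"}, "masquerade": set(), "source-port": {"port", "protocol"},
    "forward-port": {"port", "protocol", "to-port", "to-addr"},
    "log": {"prefix", "level"}, "limit": {"value"}, "audit": set(),
    "accept": set(), "reject": {"type"}, "drop": set(), "mark": {"set"},
}
ELEMENTS = {"service", "port", "protocol", "icmp-block", "icmp-type",
            "masquerade", "forward-port", "source-port"}
ACTIONS = {"accept", "reject", "drop", "mark"}
IMPLIES_ACCEPT = {"masquerade", "forward-port"}  # man page: no action may be given

# Constructed from the question: the posted rule and a syntax-corrected variant.
POSTED = ('rule family="ipv4" forward-port port="25" protocol="tcp" to-port="25" '
          'to-addr="192.168.1.1" log="smtp forward" level="info"')
FIXED = POSTED.replace('log="smtp forward"', 'log prefix="smtp forward"')

def parse(rule):
    """Split a rich rule into [(keyword, {attr: value}), ...]; bad tokens raise."""
    parts = []
    for tok in shlex.split(rule):          # shlex keeps key="a b" as one token
        if "=" in tok:
            key, _, value = tok.partition("=")
            where = parts[-1][0] if parts else "<start>"
            if not parts or key not in KEYWORDS[where]:
                hint = ' (write log prefix="..." instead)' if key == "log" else ""
                raise ValueError(f'"{key}=" is not an attribute of "{where}"{hint}')
            parts[-1][1][key] = value
        elif tok in KEYWORDS:
            parts.append((tok, {}))
        else:
            raise ValueError(f'unknown keyword "{tok}"')
    return parts

def validate_rich_rule(rule):
    """Return a list of problems; an empty list means the rule is well formed."""
    try:
        parts = parse(rule)
    except ValueError as e:
        return [str(e)]
    kws = [k for k, _ in parts]
    problems = []
    if not kws or kws[0] != "rule":
        problems.append('rule must start with the keyword "rule"')
    elements = [k for k in kws if k in ELEMENTS]
    actions = [k for k in kws if k in ACTIONS]
    if len(elements) > 1:
        problems.append("only one element (service, port, forward-port, ...) is allowed")
    if len(actions) > 1:
        problems.append("only one action is allowed")
    if elements and elements[0] in IMPLIES_ACCEPT and actions:
        problems.append(f'"{elements[0]}" implies accept and cannot carry an action, '
                        "so its log only fires for packets that are forwarded")
    for kw, attrs in parts:
        if kw == "forward-port" and not {"port", "protocol"} <= set(attrs):
            problems.append('forward-port needs port="..." and protocol="..."')
    return problems
```

Running validate_rich_rule on POSTED reports the misplaced log attribute, while FIXED validates cleanly; a separate port/reject rule with a log element is the shape that records refused connections.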