
I have a server in a datacenter that serves as an IPA master and VPN server. For simplicity, assume I need to enable the "ipsec" service for VPN, and the "kerberos" service for IPA.

I would like to: 1) Allow traffic from anywhere to access the ipsec ports. 2) Only allow traffic from the private IP space to access the kerberos ports.

This seems easy enough; add a source IP space to the "work" zone, open up "kerberos" in the "work" zone, open up "ipsec" in the "public" zone. However, my interface "eth0" is only attached to the "public" zone. It seems like an interface is only meant to apply to a single zone.

So I have two questions. First, is what I would like to do reasonable? Second, what is the correct usage pattern to accomplish my goals with firewalld? As an example, I know I could accomplish my goals with rich rules, but this sounds like something that should be done using zones.

ToBeReplaced
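The zone-based layout the question sketches (private sources bound to the "work" zone, eth0 left in "public"), as an added shell example that is not part of the question or the answer. firewalld checks a packet against each zone's sources before it falls back to the zone of the ingress interface, so an interface can stay in one zone while selected source ranges are steered into another. The example assumes eth0 is already bound to "public", uses the RFC 1918 blocks as a stand-in for the datacenter's private address space, and uses a hypothetical `fw` wrapper that prints each command instead of running it when FW_DRY_RUN=1 (or when firewall-cmd is not installed), so the plan can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example: split services across firewalld zones by source address.
# Assumption: eth0 is bound to "public"; replace PRIVATE_NETS with the ranges
# that actually carry your IPA clients.
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Hypothetical wrapper: print the firewall-cmd invocation when FW_DRY_RUN=1
# or when firewall-cmd is absent; otherwise execute it.
fw() {
    if [ "${FW_DRY_RUN:-0}" = "1" ] || ! command -v firewall-cmd >/dev/null 2>&1; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# Permanent configuration:
#  - ipsec is opened in "public", the zone eth0 belongs to, so anyone can reach it;
#  - the private ranges are added as sources of "work", so traffic from them is
#    evaluated against "work" instead of "public";
#  - kerberos is opened only in "work" and is never added to "public".
apply_zones() {
    fw --permanent --zone=public --add-service=ipsec
    for net in $PRIVATE_NETS; do
        fw --permanent --zone=work --add-source="$net"
    done
    fw --permanent --zone=work --add-service=kerberos
    # Load the permanent configuration into the running firewall.
    fw --reload
}

# Checks to run afterwards: "work" should list the three sources and kerberos,
# "public" should list eth0 and ipsec but not kerberos.
verify_zones() {
    fw --get-active-zones
    fw --zone=work --list-all
    fw --zone=public --list-all
}

case "${1:-}" in
    apply)  apply_zones ;;
    verify) verify_zones ;;
esac
```

Saved as, say, `zones.sh` (hypothetical name), `FW_DRY_RUN=1 sh zones.sh apply` prints the six commands for review, `sh zones.sh apply` runs them, and `sh zones.sh verify` shows the resulting zone bindings. Because kerberos is only ever added to "work", a packet from a non-private source is evaluated against "public" and reaches only the ipsec ports.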

1 Answer


Believe me, zones are less used than the firewalld developers originally thought. They wanted to copy the security zone concept from Windows, which is useful on laptops when switching between WiFi in the office vs. in a cafeteria.

Basically, servers do not have such needs, except for a NAT router with one network card for the outside and the other for the inside. However, a virtual server usually has only one interface on a cloud whose server would do the NAT for it with a public IP you rent. The public IP is attached to the cloud server, and the client would not need to do the two-network-card configuration on the virtual server. In addition to this, you have a firewall on the cloud that can be easily manipulated on its website. So now you have double firewalls: one on the cloud and one in your virtual server.

So you can do the IP-specific port opening on the cloud firewall, on the virtual server firewall, or both. Here is one example of setting the virtual server firewall to accept TCP port 5555 only from the net 192.168.0.0/16:

# The rule must reach firewall-cmd as one argument; continue the line outside the
# single quotes, otherwise the backslash and newline become part of the rule text.
firewall-cmd --permanent --add-rich-rule \
  'rule family="ipv4" source address="192.168.0.0/16" port port="5555" protocol="tcp" accept'

# Activate the permanent configuration (firewall-cmd --reload does the same without a restart).
service firewalld restart
George Y