I have a server running CentOS/RHEL 7.7 with two network interfaces. These interfaces are configured and work properly. The first interface, ens33, is part of the firewalld "public" zone. All the rules applied to this zone work properly. The second interface, ens37, also works as expected when a member of the "public" zone. I've created a second zone, "GLZ", which has a set of rules specific to the function of the second interface. I am unable to get any rules from the GLZ zone to take effect on this interface. I've configured this type of setup using iptables many times in the past but cannot seem to get the desired effect with firewalld. I feel like I must be missing something fundamental with firewalld but I don't know what it might be. Below are the specifics:
Setup script:
NEWZONE="GLZ"
# create the new zone
firewall-cmd --permanent --new-zone=$NEWZONE
firewall-cmd --reload
# add the second NIC to the zone
firewall-cmd --permanent --zone=$NEWZONE --change-interface=ens37
# set zone target
firewall-cmd --zone=$NEWZONE --permanent --set-target=default
firewall-cmd --reload
# open necessary ports
firewall-cmd --permanent --zone=$NEWZONE --add-rich-rule='rule family=ipv4 source address=0.0.0.0/0 port protocol=tcp port=80 accept'
firewall-cmd --permanent --zone=$NEWZONE --add-rich-rule='rule family=ipv4 source address=0.0.0.0/0 port protocol=tcp port=443 accept'
# setup forwarding (see https://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/sec-Configure_Port_Forwarding-CLI.html)
firewall-cmd --permanent --zone=$NEWZONE --add-masquerade
firewall-cmd --permanent --zone=$NEWZONE --add-forward-port=port=22:proto=tcp:toport=2222
firewall-cmd --reload
This appears to look fine based on the output of --info-zone. Both zones are active and the appropriate network interface is assigned to each zone. Any changes I make the public zone affect traffic on both interfaces and none of the rules I add or remove from the GLZ zone make any difference at all.
Output:
$ sudo firewall-cmd --info-zone=public
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.0.0.0/8" port port="3306" protocol="tcp" accept
rule family="ipv4" source address="10.0.0.0/8" port port="80" protocol="tcp" accept
rule family="ipv4" source address="10.0.0.0/8" port port="443" protocol="tcp" accept
rule family="ipv4" source address="10.0.0.0/8" port port="8080" protocol="tcp" accept
$ sudo firewall-cmd --info-zone=GLZ
GLZ (active)
target: default
icmp-block-inversion: no
interfaces: ens37
sources:
services:
ports:
protocols:
masquerade: yes
forward-ports: port=22:proto=tcp:toport=2222:toaddr=
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="0.0.0.0/0" port port="80" protocol="tcp" accept
rule family="ipv4" source address="0.0.0.0/0" port port="443" protocol="tcp" accept
