Firewalld – Same Source In Different Zones


Hi.

I have a little trouble with firewalld. I’m trying to open some ports for a monitoring server, but it’s in the same network as the “home” zone:

Monitored host (192.168.111.60):

lukasz @ strategie 17:52:19 ~ $
-> sudo firewall-cmd --get-active-zones
home
  sources: 192.168.111.0/24
  (open ports 22, 80, 443)
monitoring
  sources: 192.168.111.19
  (open ports: 5666)
public
  interfaces: ens18
  (no open ports)

—————————————————

Monitoring host (192.168.111.19):

lukasz @ potemkin 17:57:25 ~ $
-> telnet strategie.ping.local 5666
Trying 192.168.111.60...
telnet: connect to address 192.168.111.60: No route to host

lukasz @ potemkin 17:57:26 ~ $
-> telnet strategie.ping.local 80
Trying 192.168.111.60...
Connected to strategie.ping.local.
Escape character is '^]'.
^]
telnet> Connection closed.

—————————————————

I think there are conflicting rules on the monitored host that:
– prevent access to 5666 from 192.168.111.0/24,
– give access to 5666 from 192.168.111.19,
and packets from potemkin are routed through the home zone.

I really would like to have a dedicated “monitor” zone. Is there a way to give the “monitor” zone more priority than “home”? I may end up with OpenVPN
on potemkin and use 172.30.25.0/24 for monitoring, but, apart from the encryption aspect, it seems a little excessive.

Thank You.


Łukasz Posadowski

2 thoughts on - Firewalld – Same Source In Different Zones

  • You can do it with rich rules, which have a priority. Basically, if you set the priority to < 0, it goes into a _pre table, which gets evaluated before the other zones. Blog about it: https://firewalld.org/2018/12/rich-rule-priorities

    Unfortunately, this was introduced in firewalld v0.7.0 which isn’t in CentOS 7. I’m not sure if the functionality has been backported, but the firewalld.richlanguage man page on my c7 system doesn’t mention it. It should work on CentOS 8+.

    Another solution is to set a direct rule, which is evaluated first.

    Lastly, it’s my experience that firewalld evaluates the configuration of zones lexically, so if the monitoring zone happens to sort (LANG=C) before the other zone, it’ll be evaluated first. Don’t trust that this behavior will always be the case.


    Jonathan Billings
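    One concrete way to act on the rich-rule suggestion above, as an added example that is not code from the thread: it checks the firewalld version caveat, composes the negative-priority rule for the poster's monitoring host and port, and applies and verifies it. The choice of the "home" zone (where the poster says the traffic currently lands) and the priority value -10 are assumptions, not something the reply states.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the addresses, port and zone
# names from the original post; the target zone and priority are choices.

# Return 0 when dotted version $1 >= $2 (e.g. 0.9.3 >= 0.7.0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Compose a rich rule. A negative priority places it in the _pre chain,
# ahead of the zone's ordinary port/service rules.
rich_rule() {
    printf 'rule family="ipv4" priority="%s" source address="%s" port port="%s" protocol="tcp" accept' \
        "$1" "$2" "$3"
}

# Add the rule permanently, reload, and confirm it is live. Refuses on
# firewalld < 0.7.0, which has no rich-rule priorities (the CentOS 7 caveat).
apply_rule() {
    zone=$1; rule=$2
    ver=$(firewall-cmd --version)
    if ! version_ge "$ver" 0.7.0; then
        echo "firewalld $ver: no rich-rule priorities (need 0.7.0+)" >&2
        return 1
    fi
    firewall-cmd --permanent --zone="$zone" --add-rich-rule="$rule"
    firewall-cmd --reload
    firewall-cmd --zone="$zone" --query-rich-rule="$rule"
}

# Assumption: the rule goes into "home", the zone the .19 traffic currently
# lands in, so it is hit even if zone dispatch keeps sending that source there.
RULE=$(rich_rule -10 192.168.111.19 5666)
if command -v firewall-cmd >/dev/null 2>&1; then
    apply_rule home "$RULE"
else
    echo "firewall-cmd not found; rule would be: $RULE"
fi
```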

  • On Mon, 08.02.2021 at 15:30 -0500, Jonathan Billings wrote:

    I’m with CentOS 8 (and Fedora), so it should work. Thank You, I’ll try with rich rules.


    Łukasz Posadowski