On Mon, 2019-08-26 at 11:45 +0200, Mathias Homann wrote:
> I put it on my blog: https://www.tuxonline.tech/an-introduction-to-firewalld/
Thank you. Here come a few remarks.

"A zone in firewalld is a “group” of services"

That's a strange definition. I'd rather define it as a group of *interfaces* that share a certain trust level. The official documentation says "A firewall zone defines the trust level for a connection, interface or source address binding." (https://firewalld.org/documentation/zone/).

One thing worth mentioning about zones is that commands normally affect packets *originating* from a given zone (i.e. "--zone=A --add-service=http" allows incoming HTTP traffic from zone "A"). But there's one important exception: the --add-masquerade command (and the "masquerade" rich rule) affects *outgoing* packets for the given zone. I for one didn't realize that immediately, and I found it hard to write a rule saying "masquerade packets going to zone B, but only if they originate from zone A". (*)

About your configuration example: rather than using --permanent and finishing with "firewall-cmd --reload", I'd prefer applying new rules to the current state (without --permanent), testing, and finishing with "firewall-cmd --runtime-to-permanent". It's mostly a matter of taste, but it may be easier for beginners because the effects of new rules can be examined immediately. Also, there are typos ("--add=service=https") in your example.

Rich rules and direct rules: this is where the fun begins, and where the upstream docs are also somewhat sparse. At least I found it non-obvious how to construct new rich rules. So I'd appreciate more information in that section :-)

I guess many would appreciate a cheat sheet for "how do I <X> with firewalld", where <X> is something that used to be done with SuSEfirewall2.

Regards
Martin

(*) In case you wonder: the solution that worked for me was adding a rich rule

    rule family="ipv4" source address="192.168.X.Y/24" masquerade

to the rule set of zone "B", where the above address was associated with an interface in zone "A". I did not find a way to express this in terms of zones exclusively.
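The runtime-first workflow and the source-restricted masquerade rule described in the reply above, as an added example that is not part of the original thread or the blog post. The zone names A and B, the placeholder subnet 192.168.1.0/24 behind zone A, and firewall-cmd being on PATH are assumptions; the helper also derives the rule family for IPv6 subnets, which goes slightly beyond the IPv4 case in the mail.

```shell
#!/bin/sh
# Added example, not code from the mail or the blog post.
# Assumed setup: an interface in zone "A" carries 192.168.1.0/24 (placeholder),
# the outgoing interface is in zone "B". Set FIREWALL_CMD=echo to print the
# commands instead of changing the firewall.
set -eu

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Build the rich rule text: masquerade only packets whose source is the
# given subnet. A rich rule with a source address needs a matching family.
masq_rich_rule() {
    # $1 = source subnet in CIDR form, e.g. 192.168.1.0/24 or fd00::/64
    case "$1" in
        *:*) family=ipv6 ;;
        *)   family=ipv4 ;;
    esac
    printf 'rule family="%s" source address="%s" masquerade' "$family" "$1"
}

# Add a rich rule to the *runtime* configuration of a zone (no --permanent),
# then confirm it is active. Nothing is written to disk yet, so the effect
# can be tested immediately and dropped with a reload if it is wrong.
add_runtime_rule() {
    # $1 = zone, $2 = rich rule text
    "$FIREWALL_CMD" --zone="$1" --add-rich-rule="$2"
    "$FIREWALL_CMD" --zone="$1" --query-rich-rule="$2"
}

# Once the runtime rules have been tested, persist them in one step.
persist_runtime() {
    "$FIREWALL_CMD" --runtime-to-permanent
}

main() {
    rule=$(masq_rich_rule "192.168.1.0/24")   # subnet behind zone A
    add_runtime_rule "B" "$rule"              # masquerade is applied on zone B
    # ... test connectivity from a host in zone A here ...
    persist_runtime
}

# Only touch the firewall when explicitly asked: ./masq.sh apply
if [ "${1:-}" = "apply" ]; then
    main
fi
```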