
I need some help/guidance with firewalld, and I can't seem to get an account set up on the Fedora site where it appears that the main newsgroup for supporting firewalld is being hosted (at least according to my Google research). I am getting requests from small businesses, homeowners, and me, myself and I to find a solution for handling modern-day Internet of Things ("IOT", devices that connect to the internet) thingies that range from security cameras to robot vacuum cleaners to Fitbit wrist monitors etc.

To handle all these wonderful thingy dingys I thought the best approach would be to relegate them to their own subnet and manage them at a firewall. That way I thought I could monitor and, if necessary, keep ET from phoning home and sending data to parties unknown (i.e. security cameras with firmware made in China, for example, and yeah, call me paranoid if it helps). AND I can keep these thingies from bogging down my other networks of computers doing "real" work, and keep those networks secured from these widgets as well. Towards this goal I am setting up a second wireless/wired network to be used by these devices and connecting it to a second NIC interface on one of my computers. I then created a firewalld "zone" for that interface. And yeah, I will also set up a dhcpd (and assign static IP addresses based on MAC addresses) and even a DNS server for these thingies to use, if necessary.

Before I ask how to do what I want with firewalld, perhaps I should express what I think the firewalld model of an interface is, because I have found a lot of inconsistencies in articles on the internet that try to explain things. I think when talking about incoming or outgoing connections I will use the host computer that firewalld is running on as the reference point (and not the network of which the host and its interface are part). So incoming means packets coming in to the host, through an interface, from some external network. Outgoing means packets that are passing through an interface, from the host to some other computer on an external network. Please excuse my wordiness, but I need to make an effort to be sure I am communicating clearly.

What I first want to be able to do is to execute a command that blocks all incoming traffic originating from devices within this second network zone, regardless of whether those messages are trying to connect to some service on firewalld's host itself or whether those messages want to be passed on by the host to some other server on some other network. I also want to block all outgoing traffic going to devices on this second network. While in this state I want to be able to monitor/log any attempts, and traffic content, by devices on this network to initiate communication, so I can determine who/what is trying to "phone home" and where it is trying to reach. I don't expect firewalld to have such a built-in command; I expect to have to write a script, but I need to know how to put firewalld in such a state for a particular interface.

Next I want to be able to configure firewalld so that it allows incoming requests from hosts on this second network, and to allow connections to services running on firewalld's host as well as allowing those connection requests to be passed on to external networks. But I still want to block all outgoing traffic through this second interface that may be returning to devices on this secondary network. And I still want to be able to log/monitor/examine this outgoing traffic before relaxing any firewall rules to allow those outgoing connections through the interface. Again, I want to be able to create a script to put the firewall in that state.

Next I want to be able to configure firewalld to block all incoming and outgoing traffic to/from this secondary net unless the traffic was initiated/established by a service/process running on the host that firewalld is running on. In other words, I don't want to allow any traffic from any network to be passed through the interface to this secondary network, unless that traffic originated on the localhost itself that the firewalld daemon is running on. Perhaps being able to add/allow specific hosts would also be helpful, as not all services I want to monitor are necessarily provided on the local firewalld host.

Conceptually it seems like a firewall should have the capability to effectively turn an interface completely off, disallowing ALL incoming and/or outgoing traffic through an interface regardless of whether it is intended for some service on the host itself or for some other host on some other network, while at the same time logging or allowing an administrator to monitor what is happening at that interface. I can't seem to get a straight answer on how to get firewalld to do these things, so I suspect it may not be possible or perhaps not intended. It is certainly possible to use firewalld to control incoming connections to services that are running on the host itself, and it is possible to control/route specific types of incoming connections to specific other hosts/nets. So it appears that firewalld is more oriented towards regulating incoming connection requests to the host (and network(s)) firewalld is running on/has direct control over, and could care less about traffic that wants to pass through the host and become an outgoing connection via some other interface. I suspect that firewalld, by default, just passes those requests on to whatever gateway IP address or routing rules, via some interface, are defined by its host system's network configuration tools. At least I should say I have not been able to figure out how to make firewalld care about all these other connections from the man pages for firewall-cmd.

I suspect I am going to have to create some "rich rules" or "direct rules" for firewalld that augment iptables, but I don't have much experience or understanding of iptables, though like most software engineers I can learn (or ask for help from some kind guru). Seems like this should be easy/intuitive, so perhaps I am overlooking the obvious? My goal is to be able to establish better control over some of these insecure devices and to insert my own tools to interface with these devices, for example an Apache web server that will want to make a connection to security cameras on this subnet (ex. Zoneminder is a good example of where I am headed here) to serve out an image stream after proper authorization. I might want to open a particular port to a particular IP address at a particular time using cron, add filters to prevent things like traceroute being executed by some IOT thingy (yep, I saw that happen!), or use something like a port knocker to open ports at will if/when I want to access one of these IOT thingies from the internet... If, for another example, I see something like a security camera trying to send large amounts of data to some unexpected location, I definitely want to put a stop to it fast!

I am aware of the fact that some of this may provoke a discussion about controversial topics, and a one-size solution is not going to be the answer to everything. A Fitbit should be able to contact its cloud from home, but a business may want to ban it... yada yada yada... So please, I am not looking to start such discussions.

Since I am running most of my systems under OpenSuSE (most are 15.0, but some are 42.3 and even one business is running 42.1) I thought I would throw my question out here while trying to get an account on Fedora so I can ask questions on their firewalld support group. Any SuSE firewalld gurus here, or anyone who has traveled down this path? Would love to hear suggestions, insights, or comments cuz right now I seem to be stuck... Thanks in advance...
Marc..

(P.S. I will say that the one thing that the man pages for firewall-cmd make crystal clear REPEATEDLY is that if you don't specify a zone for a firewall-cmd command, "If the zone is omitted the default zone will be used."!! You got NO excuse if you should ever forget that little bit of a trinket! LOL)

-- 
--... ...-- .----. ... -.. . .-- .- --... .--. -..- .-- -- .- .-. -.-.
Computers: the final frontier. These are the voyages of the user Marc.
His mission: to explore strange new hardware. To seek out new software and new applications.
To boldly go where no Marc has gone before!
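One way to script the first and third states described above with firewall-cmd, as an added example that is not from the post or from the firewalld project. It assumes (constructed) that the second NIC is eth1 and is already bound to a zone named iot, as the post describes having done; DRY_RUN=1 prints the commands instead of running them so the rule set can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the post). Constructed assumptions: the second NIC is
# eth1 and is already bound to a zone named "iot". DRY_RUN=1 prints each
# firewall-cmd call instead of running it, so the rule set can be reviewed first.
IOT_IF="${IOT_IF:-eth1}"
ZONE="${ZONE:-iot}"

fw() {   # every change is permanent; apply() loads them all in one reload
    if [ "${DRY_RUN:-0}" = 1 ]; then printf 'firewall-cmd --permanent %s\n' "$*"
    else firewall-cmd --permanent "$@"; fi
}
direct() { fw --direct --add-rule ipv4 filter "$@"; }   # chain, priority, iptables args
apply() { [ "${DRY_RUN:-0}" = 1 ] || firewall-cmd --reload; }

iot_reset() {   # remove what this script manages so each state starts clean
    fw --zone="$ZONE" --set-target=default
    for chain in INPUT FORWARD OUTPUT; do fw --direct --remove-rules ipv4 filter "$chain"; done
}

# State 1: nothing in, nothing out, every new attempt logged to the kernel log.
# The zone target only covers traffic addressed to the host itself; direct rules
# add the logging and cover forwarded and host-originated traffic explicitly.
iot_lockdown() {
    fw --zone="$ZONE" --set-target=DROP
    direct INPUT 0 -i "$IOT_IF" -j LOG --log-prefix "IOT-IN "
    direct FORWARD 0 -i "$IOT_IF" -j LOG --log-prefix "IOT-FWD-IN "
    direct FORWARD 1 -i "$IOT_IF" -j DROP
    direct FORWARD 2 -o "$IOT_IF" -j DROP
    direct OUTPUT 0 -o "$IOT_IF" -j LOG --log-prefix "IOT-OUT "
    direct OUTPUT 1 -o "$IOT_IF" -j DROP
}

# State 3: only connections opened by this host (or by the optional allowed
# source in $1, e.g. a Zoneminder box) reach the IoT subnet; conntrack lets the
# replies back in, while unsolicited traffic from the IoT side is logged and dropped.
iot_host_only() {
    fw --zone="$ZONE" --set-target=DROP
    direct INPUT 0 -i "$IOT_IF" -j LOG --log-prefix "IOT-UNSOLICITED "
    direct FORWARD 0 -i "$IOT_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    direct FORWARD 1 -i "$IOT_IF" -j LOG --log-prefix "IOT-UNSOLICITED "
    direct FORWARD 2 -i "$IOT_IF" -j DROP
    if [ -n "${1:-}" ]; then direct FORWARD 3 -s "$1" -o "$IOT_IF" -j ACCEPT; fi
    direct FORWARD 4 -o "$IOT_IF" -j DROP
}

case "${1:-}" in
    lockdown)  iot_reset; iot_lockdown; apply ;;
    host-only) iot_reset; iot_host_only "${2:-}"; apply ;;
esac
```

Flows that conntrack already tracks when the lockdown is applied keep passing until they time out, because firewalld's default INPUT and FORWARD chains accept ESTABLISHED traffic before the direct rules run; flushing them is a separate step. The LOG lines land in the kernel log (journalctl -k) under the prefixes set above.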