Problems with firewalld

skveen
Posts: 12
Joined: 2013/09/01 12:31:41

Problems with firewalld

Post by skveen » 2020/01/30 03:34:15

Hello everybody.

Previously, we used CentOS 6.10 to establish a site-to-site VPN connection with other devices; the two subnets could access each other.

However, now after upgrading to 8.0.1905, centos_subnet cannot access the remote subnet IPs.
If zone_internal is not set to target=ACCEPT, the remote subnet IPs cannot access the centos_subnet resources (e.g. RDP, MS shares, etc.), but they can ping.


This rule doesn't seem to work:

[root@m ~]# cat /etc/firewalld/direct.xml
<?xml version="1.0" encoding="utf-8"?>
<direct>
        <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-s 172.16.7.0/24 -j ACCEPT</rule>
        <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-s 192.168.1.96/27 -j ACCEPT</rule>
        <rule ipv="ipv4" table="nat" chain="POSTROUTING" priority="0">-m policy --pol ipsec --dir out -j ACCEPT</rule>
</direct>
Unless target=ACCEPT is set or the firewalld service is stopped, the remote subnet cannot access the centos_subnet resources:

[root@m ~]# cat /etc/firewalld/zones/internal.xml
<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Internal</short>
  <description>For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="mdns"/>
  <service name="samba-client"/>
  <service name="cockpit"/>
</zone>

[root@m ~]# cat /etc/firewalld/zones/external.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>External</short>
  <description>For use on external networks. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ipsec"/>
  <service name="ms-wbt"/>
  <rule family="ipv4">
    <source address="a.b.c.d"/>
    <service name="ssh"/>
    <accept/>
  </rule>
  <masquerade/>
</zone>

If target=default is set on the internal zone, how should this be done?
And how do I configure it so that the local subnet can access the remote subnet?
Thanks.

jlehtone
Posts: 2534
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Problems with firewalld

Post by jlehtone » 2020/01/30 08:01:40

skveen wrote (2020/01/30 03:34:15): "However now after upgrading to 8.0.1905"

You should run an update to get the 8.1.1911 packages; firewalld changes a bit too. 8.0 has no support.
Update first.


You show XML files. Have you written them by hand, or with firewall-cmd?
If by hand, then are you sure that the format is correct?

Note: direct rules used to pass raw iptables rules to the kernel. The kernel of 8 does not have iptables but nftables.
To see what is actually in kernel:

nft list ruleset
although its subset

nft list table inet firewalld
is more interesting.


I have a bad feeling that we are seeing RHEL 5 all over again. RHEL 5 applied the same rules to both IN and FWD traffic.
firewalld does generate separate rulesets, but we basically give one instruction that it uses for both IN and FWD (of a zone).

There are the rich and direct options, but the default zone config options are limited.


You have three interfaces? WAN, LAN, and VPN?
I would assign WAN to the default 'external' zone and add "allow VPN connection". The VPN client/server listens on some port(s).
I would let the LAN and VPN interfaces stay in the default zone (which is 'public') and then add services to public.

If you cannot allow IN to this router for what you have to let through the tunnel, then add rich rules.


Note: The last rule in 'public' is:

meta l4proto { icmp, ipv6-icmp } accept
while in 'trusted' it is:

accept
Zone config does not mention the "allow icmp" directly:

firewall-cmd --list-all-zones
There is a rationale for why ICMP is (almost) always allowed. There was an era when only some ICMP types were allowed.
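
An added example for the "are you sure that the format is correct?" check above (this is not code from the thread or from firewalld's own tooling). It parses the three XML files posted in the question with the standard library, reports the one that is not well-formed (the posted external.xml has no closing </zone>), and for the well-formed ones prints the `firewall-cmd --permanent` commands that would produce the same configuration, so the files can be regenerated by the tool instead of being edited by hand. The sample XML strings are copied from the question; the command strings use real firewall-cmd options, but the emitted set covers only the elements that appear in these files.

```python
"""Check firewalld zone/direct XML for well-formedness and emit the
equivalent firewall-cmd --permanent commands.

Added example for this thread, not firewalld's own code. The XML below is
the poster's; the external.xml copy is kept exactly as posted, i.e. without
its closing </zone> tag, to show what a hand-edited file looks like to a
parser.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

INTERNAL_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Internal</short>
  <service name="ssh"/>
  <service name="mdns"/>
  <service name="samba-client"/>
  <service name="cockpit"/>
</zone>"""

EXTERNAL_XML_AS_POSTED = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>External</short>
  <service name="ipsec"/>
  <service name="ms-wbt"/>
  <rule family="ipv4">
    <source address="a.b.c.d"/>
    <service name="ssh"/>
    <accept/>
  </rule>
  <masquerade/>
"""

DIRECT_XML = """<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-s 172.16.7.0/24 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-s 192.168.1.96/27 -j ACCEPT</rule>
  <rule ipv="ipv4" table="nat" chain="POSTROUTING" priority="0">-m policy --pol ipsec --dir out -j ACCEPT</rule>
</direct>"""


def parse_or_error(xml_text: str) -> Tuple[Optional[ET.Element], Optional[str]]:
    """Return (root, None) for well-formed XML, (None, message) otherwise."""
    try:
        return ET.fromstring(xml_text), None
    except ET.ParseError as exc:
        return None, f"not well-formed XML: {exc}"


def rich_rule_text(rule: ET.Element) -> str:
    """Render a <rule> element in firewalld's rich-rule string syntax."""
    parts = ["rule"]
    if rule.get("family"):
        parts.append(f'family="{rule.get("family")}"')
    for child in rule:
        if child.tag in ("source", "destination"):
            parts.append(f'{child.tag} address="{child.get("address")}"')
        elif child.tag in ("service", "port", "protocol"):
            attrs = " ".join(f'{k}="{v}"' for k, v in child.attrib.items())
            parts.append(f"{child.tag} {attrs}")
        elif child.tag in ("accept", "drop", "reject"):
            parts.append(child.tag)
    return " ".join(parts)


def zone_commands(zone_name: str, xml_text: str) -> List[str]:
    """firewall-cmd commands reproducing a zone file; a '#' line on error."""
    root, err = parse_or_error(xml_text)
    if err:
        return [f"# {zone_name}: {err}"]
    if root.tag != "zone":
        return [f"# {zone_name}: root element is <{root.tag}>, expected <zone>"]
    base = f"firewall-cmd --permanent --zone={zone_name}"
    cmds = []
    # The zone target is one instruction that firewalld applies to both the
    # INPUT and FORWARD rulesets of the zone (see the note in the reply above).
    if root.get("target"):
        cmds.append(f"{base} --set-target={root.get('target')}")
    for svc in root.findall("service"):
        cmds.append(f"{base} --add-service={svc.get('name')}")
    if root.find("masquerade") is not None:
        cmds.append(f"{base} --add-masquerade")
    for rule in root.findall("rule"):
        cmds.append(f"{base} --add-rich-rule='{rich_rule_text(rule)}'")
    return cmds


def direct_commands(xml_text: str) -> List[str]:
    """firewall-cmd --direct commands reproducing a direct.xml file."""
    root, err = parse_or_error(xml_text)
    if err:
        return [f"# direct: {err}"]
    return [
        "firewall-cmd --permanent --direct --add-rule "
        f"{r.get('ipv')} {r.get('table')} {r.get('chain')} "
        f"{r.get('priority')} {(r.text or '').strip()}"
        for r in root.findall("rule")
    ]


if __name__ == "__main__":
    for line in (zone_commands("internal", INTERNAL_XML)
                 + zone_commands("external", EXTERNAL_XML_AS_POSTED)
                 + direct_commands(DIRECT_XML)):
        print(line)
```

Running it prints the internal and direct commands and a single `# external: not well-formed XML: ...` line for the file as posted; appending the missing `</zone>` makes the external zone parse and yields the `--add-rich-rule` command for the a.b.c.d SSH rule. After `firewall-cmd --reload`, `nft list table inet firewalld` shows what actually reached the kernel.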

skveen
Posts: 12
Joined: 2013/09/01 12:31:41

Re: Problems with firewalld

Post by skveen » 2020/01/30 12:38:56

Thanks for the reply.
Is 1905 not supported?
Is 1905 not LTS?
https://wiki.centos.org/Download

I will try to upgrade.

I have two interfaces, LAN and WAN, and the WAN is the connection port of the VPN service.

jlehtone
Posts: 2534
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Problems with firewalld

Post by jlehtone » 2020/01/30 15:51:19

That page is not up to date; text and some links are about 8.0, but the "mirrors" and "checksums" take you to 8.1.1911 content.

CentOS 8 is supported as long as RHEL 8 is, and the base components of RHEL 8 have support for 10 years.
However, only the latest (point) release of CentOS 8 has any support, and currently that is 8.1.
Red Hat does sell some support for 8.0 even after it has released 8.1, but CentOS does not pay for that, so the latest is the only one that it can support.

Ubuntu, Firefox, and NVidia are examples where there are both short-support and LTS versions.

Fedora is a short-support version. RHEL and CentOS are LTS, but there is only one CentOS 8.


When I start openvpn, it creates its own interface, say "tun0".
If I "ssh remote", the routing rules on my host send the SSH traffic out through the tun0 that openvpn created.
(Presuming that the address of "remote" is in the subnet that the VPN tunnel connects to.)

The openvpn processes communicate via, say, udp/1194 over the WAN.
There will be two outgoing packets:
1. ssh sends something to tun0
2. openvpn sends something to wan
Replies are similar.

If I ssh to remote from another host in LAN:
1. openvpn's host receives packet via "lan" (from my PC)
2. destination is "remote", so packet is routed to tun0
3. FORWARD filtering decides whether this is allowed
4. packet leaves host from tun0
5. openvpn creates a packet for tunnel's other endpoint
6. that packet is routed to leave via wan
7. OUTPUT filter makes a decision
8. packet leaves via wan

It is possible that some other VPN implementation differs in details.


I did browse firewalld's upstream documentation: it is (still) not for routers.
If you want "a proper router ruleset", then you should create an nft ruleset directly, without firewalld.
