Hi,
I'm running CentOS 8.5 on a server with 4 network interfaces. My goal was to build a network bridge with firewalling ability.
First of all I put all 3 NICs (only 3, the first is used for administration) into a bridge device:
[root@br01 ~]# nmcli connection
NAME UUID TYPE DEVICE
enp3s0f0 014598e7-7ccc-47d6-97e9-8a39871f2550 ethernet enp3s0f0
br0 567f1e9e-73b6-4332-8a79-317edb142b0e bridge br0
br0 c5220ea5-1fe3-44ca-89c1-737b0d70f9eb ethernet enp3s0f1
br0 2d9f24cc-b85f-48b6-b8d6-80f7fbd88656 ethernet enp4s0f0
br0 e5d3801d-2a45-43e7-b6d0-37949d157949 ethernet enp4s0f1
and the bridge works great.
But then I tried to configure the firewall. I want to control the outgoing traffic of the last two interfaces enp4s0f0 and enp4s0f1, because interface enp3s0f1 is for the traffic from the net and servers are on the other two NICs.
I found out that I can't work it out with the normal firewall-cmd zone concept.
So I set up some direct rules:
[root@br01 ~]# firewall-cmd --direct --get-all-rules
ipv4 filter OUTPUT 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
ipv4 filter OUTPUT 1 -o enp4s0f0 -p tcp --dport 3389 -s 192.168.3.225 -j ACCEPT
ipv4 filter OUTPUT 2 -o enp4s0f0 -s 192.168.3.59 -j ACCEPT
ipv4 filter OUTPUT 3 -o enp4s0f0 -s 192.168.3.16 -j ACCEPT
ipv4 filter OUTPUT 4 -o enp4s0f0 -s 192.168.1.6 -j ACCEPT
ipv4 filter OUTPUT 11 -o enp4s0f0 -s 192.168.3.63 -j ACCEPT
ipv4 filter OUTPUT 12 -o enp4s0f0 -s 192.168.1.10 -j ACCEPT
ipv4 filter OUTPUT 13 -o enp4s0f0 -s 192.168.1.21 -j ACCEPT
ipv4 filter OUTPUT 15 -o enp4s0f0 -s 192.168.3.10 -j ACCEPT
ipv4 filter OUTPUT 16 -o enp4s0f0 -j DROP
for testing purposes, only for the interface enp4s0f0.
But it looks like they are not being used; all traffic is still going out of interface enp4s0f0.
What am I doing wrong?
The interface is still part of public:
[root@br01 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: br0 enp3s0f0 enp3s0f1 enp4s0f0 enp4s0f1
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Should I transfer it into a different zone? And if yes, into which? And when I do so, will I lose all incoming traffic for this interface?
Any suggestions are welcome!
Best regards
fatcharly
bridge with firewall
Re: bridge with firewall
Don't know what your problem is, but I'm sure you know that CentOS 8 is EOL?
Take a look at one of the RHEL rebuilds/clones like Rocky, Alma, Springdale, OEL, etc.
Re: bridge with firewall
CentOS Linux 8.5 died 2021-12-31. You should sidegrade to RHEL/Alma/Rocky/Oracle/etc or migrate to CentOS Stream, etc.
FirewallD got the ability to filter routed traffic only in the 8.5 update. Red Hat recommends nftables.service for complex systems.
A bridge is a switch -- there is no routed traffic. The tale of support for filtering bridged traffic is long, and the current status is that you have to explicitly load a kernel module to get that support. I can't remember the name of the module, but system logs probably mention it, since the default sysctl config attempts to disable that filter (which is moot without loading the module) and that generates a warning.
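An added check script, not from the thread, for the prerequisites the replies point at: it assumes the module in question is br_netfilter, that the sysctl it exports is net.bridge.bridge-nf-call-iptables, and that bridged frames traverse the iptables FORWARD chain (where a bridge port is selected with -m physdev), never OUTPUT, which is why the OUTPUT rules in the question cannot match. The lsmod, sysctl and firewall-cmd samples at the bottom are constructed.

```shell
#!/usr/bin/env bash
# Added audit script (not from the thread). Bridged frames are only seen by
# iptables when br_netfilter is loaded and bridge-nf-call-iptables=1, and
# they traverse FORWARD, never OUTPUT (OUTPUT is for the host's own packets),
# so OUTPUT rules like the ones in the question can never match them.
# Each check takes its input as text so it also runs on constructed samples.

br_netfilter_loaded() {   # $1: output of lsmod
  printf '%s\n' "$1" | grep -q '^br_netfilter[[:space:]]'
}

bridge_nf_enabled() {     # $1: output of "sysctl net.bridge.bridge-nf-call-iptables"
  printf '%s\n' "$1" | grep -Eq '^net\.bridge\.bridge-nf-call-iptables *= *1$'
}

misplaced_rules() {       # $1: output of "firewall-cmd --direct --get-all-rules"
  # Rules matching an interface (-i/-o) outside FORWARD never see bridged traffic;
  # in FORWARD the bridge port is selected with -m physdev, not with -i/-o.
  printf '%s\n' "$1" | awk '$3 != "FORWARD" && / -[io] /'
}

count_misplaced() {
  misplaced_rules "$1" | awk 'END { print NR }'
}

audit() {                 # $1 lsmod text, $2 sysctl text, $3 direct-rules text
  local problems=0 n
  br_netfilter_loaded "$1" || { echo "br_netfilter not loaded (modprobe br_netfilter)"; problems=$((problems + 1)); }
  bridge_nf_enabled "$2" || { echo "net.bridge.bridge-nf-call-iptables is not 1"; problems=$((problems + 1)); }
  n=$(count_misplaced "$3")
  [ "$n" -eq 0 ] || { echo "$n interface rule(s) outside FORWARD:"; misplaced_rules "$3"; problems=$((problems + 1)); }
  echo "$problems problem(s) found"
  return "$problems"
}

# Constructed samples shaped like the output in the question.
SAMPLE_LSMOD='bridge                249856  0'
SAMPLE_SYSCTL='net.bridge.bridge-nf-call-iptables = 0'
SAMPLE_RULES='ipv4 filter OUTPUT 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
ipv4 filter OUTPUT 2 -o enp4s0f0 -s 192.168.3.59 -j ACCEPT
ipv4 filter OUTPUT 16 -o enp4s0f0 -j DROP
ipv4 filter FORWARD 0 -m physdev --physdev-out enp4s0f0 -s 192.168.3.59 -j ACCEPT'

audit "$SAMPLE_LSMOD" "$SAMPLE_SYSCTL" "$SAMPLE_RULES" || true   # prints "3 problem(s) found"
```

On the bridge host itself, feed the live outputs instead: audit "$(lsmod)" "$(sysctl net.bridge.bridge-nf-call-iptables 2>/dev/null)" "$(firewall-cmd --direct --get-all-rules)".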