bridge with firewall

Issues related to configuring your network
fatcharly@gmx.de
Posts: 18
Joined: 2018/08/22 16:20:16

bridge with firewall

Post by fatcharly@gmx.de » 2022/03/14 17:30:45

Hi,

I'm running CentOS 8.5 on a server with 4 network interfaces. My aim was to build a network bridge with firewalling ability.
First of all I put 3 NICs (only 3, the first is used for administration) into a bridge device:

[root@br01 ~]# nmcli connection
NAME UUID TYPE DEVICE
enp3s0f0 014598e7-7ccc-47d6-97e9-8a39871f2550 ethernet enp3s0f0
br0 567f1e9e-73b6-4332-8a79-317edb142b0e bridge br0
br0 c5220ea5-1fe3-44ca-89c1-737b0d70f9eb ethernet enp3s0f1
br0 2d9f24cc-b85f-48b6-b8d6-80f7fbd88656 ethernet enp4s0f0
br0 e5d3801d-2a45-43e7-b6d0-37949d157949 ethernet enp4s0f1

and the bridge works great.
But then I tried to configure the firewall. I want to rule the outgoing traffic of the last two interfaces enp4s0f0 and enp4s0f1, because interface enp3s0f1 is for the traffic from the net; on the other two NICs are servers.
I found out that I can't work it out with the normal firewall-cmd zone concept.
So I set up some direct-rules:

[root@br01 ~]# firewall-cmd --direct --get-all-rules
ipv4 filter OUTPUT 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
ipv4 filter OUTPUT 1 -o enp4s0f0 -p tcp --dport 3389 -s 192.168.3.225 -j ACCEPT
ipv4 filter OUTPUT 2 -o enp4s0f0 -s 192.168.3.59 -j ACCEPT
ipv4 filter OUTPUT 3 -o enp4s0f0 -s 192.168.3.16 -j ACCEPT
ipv4 filter OUTPUT 4 -o enp4s0f0 -s 192.168.1.6 -j ACCEPT
ipv4 filter OUTPUT 11 -o enp4s0f0 -s 192.168.3.63 -j ACCEPT
ipv4 filter OUTPUT 12 -o enp4s0f0 -s 192.168.1.10 -j ACCEPT
ipv4 filter OUTPUT 13 -o enp4s0f0 -s 192.168.1.21 -j ACCEPT
ipv4 filter OUTPUT 15 -o enp4s0f0 -s 192.168.3.10 -j ACCEPT
ipv4 filter OUTPUT 16 -o enp4s0f0 -j DROP

for testing purposes, only for the interface enp4s0f0.
But it looks like they are not being used; all traffic is still going out of interface enp4s0f0.

What am I doing wrong?

the interface is still part of public:

[root@br01 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: br0 enp3s0f0 enp3s0f1 enp4s0f0 enp4s0f1
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

Should I transfer it into a different zone? And if yes, into which one? And when I do so, will I lose all incoming traffic for this interface?

Any suggestions are welcome!

Best regards

fatcharly

tunk
Posts: 1205
Joined: 2017/02/22 15:08:17

Re: bridge with firewall

Post by tunk » 2022/03/14 17:43:02

Don't know what your problem is, but I'm sure you know that CentOS 8 is EOL?
Take a look at one of the RHEL rebuilds/clones like Rocky, Alma, Springdale, OEL, etc.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: bridge with firewall

Post by jlehtone » 2022/03/14 17:56:52

CentOS Linux 8.5 died 2021-12-31. You should sidegrade to RHEL/Alma/Rocky/Oracle/etc or migrate to CentOS Stream, etc.

FirewallD got ability to filter routed traffic only in the 8.5 update. Red Hat recommends nftables.service for complex systems.

Bridge is a switch -- there is no routed traffic. The tale of support for filtering bridged traffic is long and the current status is that you have to explicitly load a kernel module to get that support. I can't remember the name of the module, but system logs probably mention it, since the default sysctl config attempts to disable that filter (which is moot without loading the module) and that generates a warning.
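Added example (mine, not part of jlehtone's or tunk's reply, and not something the original poster ran): a small POSIX shell check for the state jlehtone describes. It assumes the kernel module in question is br_netfilter and that its switch is the sysctl net.bridge.bridge-nf-call-iptables, which only appears under /proc/sys/net/bridge once that module is loaded; the optional directory argument exists so the check can be exercised against a constructed copy of that tree instead of the live host.

```shell
#!/bin/sh
# Added example: report whether bridged frames on this host are passed
# through the iptables/nftables filter at all. Without the module, rules
# written for bridge ports never see the traffic, which is the symptom
# described in the thread (rules present, traffic unaffected).
#
# Assumptions (mine, not from the thread):
#   module : br_netfilter
#   switch : /proc/sys/net/bridge/bridge-nf-call-iptables  (1 = on, 0 = off)
# To turn filtering on for the running kernel:
#   modprobe br_netfilter
#   sysctl -w net.bridge.bridge-nf-call-iptables=1

# bridge_filter_state [DIR]
# Prints one of: not-loaded | enabled | disabled
# DIR stands in for /proc/sys/net/bridge so the check is testable offline.
# Exit status: 0 enabled, 1 module not loaded, 2 module loaded but switched off.
bridge_filter_state() {
    dir="${1:-/proc/sys/net/bridge}"
    f="$dir/bridge-nf-call-iptables"
    if [ ! -r "$f" ]; then
        # The whole net.bridge.* sysctl tree is absent until br_netfilter
        # is loaded, which is also why a sysctl.d entry for it warns at boot.
        echo not-loaded
        return 1
    fi
    case "$(cat "$f")" in
        1) echo enabled;  return 0 ;;
        *) echo disabled; return 2 ;;
    esac
}

# make_fake_tree DIR VALUE
# Builds a constructed stand-in for /proc/sys/net/bridge.
# An empty VALUE imitates "module not loaded" (no sysctl file at all).
make_fake_tree() {
    mkdir -p "$1"
    [ -n "$2" ] && printf '%s\n' "$2" > "$1/bridge-nf-call-iptables"
    return 0
}

# report [DIR]
# Human-readable summary; safe to run on a host without the module.
report() {
    state=$(bridge_filter_state "$@") || true
    case "$state" in
        not-loaded) echo "br_netfilter not loaded: bridged frames bypass the filter chains" ;;
        disabled)   echo "br_netfilter loaded but bridge-nf-call-iptables=0: bridged frames bypass the filter chains" ;;
        enabled)    echo "bridged frames are passed through the iptables/nftables filter chains" ;;
    esac
}

# Run against the live host when executed directly.
report
```

Run it once before and once after `modprobe br_netfilter` to see the state change; a "not-loaded" result on a machine whose bridge rules seem to be ignored is the first thing to rule out.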
