Firewalld AllowZoneDrifting message.

Support for security such as Firewalls and securing linux
hack3rcon
Posts: 663
Joined: 2014/11/24 11:04:37

Firewalld AllowZoneDrifting message.

Post by hack3rcon » 2020/08/12 17:44:28

Hello,
Is my Firewalld configuration wrong?

Code:

# cat /var/log/firewalld
2020-06-26 15:59:13 WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.
2020-06-26 16:05:01 WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.
2020-06-26 16:14:34 WARNING: NOT_ENABLED: 'echo-request' not in 'public'
2020-06-26 16:14:34 WARNING: NOT_ENABLED: 'echo-reply' not in 'public'
2020-06-26 16:14:34 WARNING: NOT_ENABLED: 'timestamp-reply' not in 'public'
2020-06-26 16:14:34 WARNING: NOT_ENABLED: 'timestamp-request' not in 'public'
2020-06-26 16:15:30 WARNING: NOT_ENABLED: echo-request
2020-06-26 16:15:45 WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.
2020-06-26 16:16:03 WARNING: NOT_ENABLED: echo-reply
2020-06-26 16:16:09 WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.
2020-06-26 16:17:10 WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.
2020-07-01 13:34:47 WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.
2020-07-18 18:05:10 WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.
2020-08-01 17:55:55 WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.
2020-08-01 18:08:27 WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.
Thanks.

KernelOops
Posts: 322
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: Firewalld AllowZoneDrifting message.

Post by KernelOops » 2020/08/12 19:25:10

There is nothing wrong; it's a message to remind you about zone drifting getting removed in the future. You may ignore it at the moment.

Zone drifting is how firewalld always worked in the past (CentOS 7 and CentOS 8.0 and I think 8.1). It was force-disabled at some point, which caused A LOT of broken firewalls; then Red Hat realised their mistake and brought the previous way back as the default. That option is there to prepare you for the future when zone drifting will be removed.
--
I love my computer - all my friends live there.
--

jlehtone
Posts: 3044
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Firewalld AllowZoneDrifting message.

Post by jlehtone » 2020/08/12 19:35:31

That option is described in https://firewalld.org/2020/01/allowzonedrifting

RHEL explicitly enables the option to keep firewalld behaving like it did before,
but urges (with that warning message) the user to act.

You should know whether your firewall setup depends on the drifting.
If it does, then update your zones so that dependency is no more.
Then you can change to "no".

hack3rcon
Posts: 663
Joined: 2014/11/24 11:04:37

Re: Firewalld AllowZoneDrifting message.

Post by hack3rcon » 2020/08/16 09:12:07

My configuration is:

Code:

$ sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources:
  services: ssh
  ports: 80/tcp 443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Is it enough for a web server?
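
Added example, not from the thread or from firewalld itself, tying jlehtone's steps (check whether the setup depends on drifting, then set the option to "no") to the zone listing above. It runs on constructed copies of firewalld.conf and of `firewall-cmd --list-all-zones` output; the "one active zone means nothing to drift into" rule in the comments is an assumption made here, not something the thread states.

```sh
#!/bin/sh
# Added example, not from the thread: audit AllowZoneDrifting in a firewalld.conf,
# count active zones in 'firewall-cmd --list-all-zones' output, and flip the key to
# "no". Runs on constructed copies; on a real host use /etc/firewalld/firewalld.conf
# and the live listing, then 'firewall-cmd --reload' after the edit.

# Print the configured value ("yes"/"no"), or "unset" when the key is absent.
zone_drifting_setting() {
    val=$(sed -n 's/^[[:space:]]*AllowZoneDrifting[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    [ -n "$val" ] && printf '%s\n' "$val" || printf 'unset\n'
}

# Rewrite the key to "no" without 'sed -i' (portable); append it if the file lacks it.
disable_zone_drifting() {
    if grep -q '^[[:space:]]*AllowZoneDrifting[[:space:]]*=' "$1"; then
        sed 's/^\([[:space:]]*AllowZoneDrifting[[:space:]]*=\).*/\1no/' "$1" > "$1.tmp" \
            && mv "$1.tmp" "$1"
    else
        printf 'AllowZoneDrifting=no\n' >> "$1"
    fi
}

# Count zones marked "(active)". Heuristic, an assumption made here: with one active
# zone there is no second zone for traffic to drift into, so "no" cannot change which
# rules apply; with several, review each zone's target and sources before switching.
active_zone_count() {
    grep -c '^[A-Za-z0-9_-]* (active)$' "$1" || true
}

# --- constructed sample inputs ------------------------------------------------
tmp=$(mktemp -d)
cat > "$tmp/firewalld.conf" <<'EOF'
# firewalld config file (constructed excerpt)
DefaultZone=public
AllowZoneDrifting=yes
EOF
cat > "$tmp/zones.txt" <<'EOF'
public (active)
  target: default
  interfaces: ens192
  services: ssh
  ports: 80/tcp 443/tcp
trusted
  target: ACCEPT
EOF
echo "before: AllowZoneDrifting=$(zone_drifting_setting "$tmp/firewalld.conf")"
echo "active zones: $(active_zone_count "$tmp/zones.txt")"
disable_zone_drifting "$tmp/firewalld.conf"
echo "after:  AllowZoneDrifting=$(zone_drifting_setting "$tmp/firewalld.conf")"
```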
