Firewalld - host in dual role (server/router) - firewalld won't route traffic

aeonjeffj
Posts: 4
Joined: 2015/04/02 22:50:31

Firewalld - host in dual role (server/router) - firewalld won't route traffic

Post by aeonjeffj » 2020/11/08 22:38:02

Greetings,

I have a C8.2 host acting as both server (SMB, dhcp, http) and router between networks. All networks are private, no NAT needed. With firewalld turned off I can easily route traffic between networks (ssh, http, etc). With firewalld on, no traffic will route. I have net.ipv4.ip_forward=1 set in /etc/sysctl.d/99-sysctl.conf. Without firewalld running, traffic routes fine between eno1 and eno2.

Network block diagram:

[host1:192.168.0.2]----[net1:192.168.0.0/24]-----[(eno1:192.168.0.254/24) C8.2server (eno2:10.0.0.1/24)]-------[net2:10.0.0.0/24]-----[host2:10.0.0.2]

Firewalld (running in nft mode):

internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno1 eno2
  sources:
  services: cockpit dhcp dhcpv6-client dns freeipa-ldap freeipa-ldaps http https kerberos ldap ldaps mdns ntp rsyncd samba samba-client ssh tftp
  ports: 53/tcp 88/udp 464/udp 53/udp 123/udp 138/udp 139/udp 389/udp 445/udp 135/tcp 138/tcp 139/tcp 445/tcp 3268/tcp 1024-1300/tcp 8081/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


Adding the below results in failed routing:
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eno1 -o eno2 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eno2 -o eno1 -j ACCEPT

I have also tried the following, which also fails:
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eno1 -o eno2 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eno2 -o eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT

I didn't use "permanent" because I'm trying to find what works...which so far is nothing. I don't need NAT because I'm all private and there's a main gateway elsewhere that does NAT for all traffic heading out.

What is the secret to getting routing to work?

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Firewalld - host in dual role (server/router) - firewalld won't route traffic

Post by jlehtone » 2020/11/08 23:53:24

https://access.redhat.com/documentation ... networking writes:
44.2. When to use firewalld, nftables, or iptables

The following is a brief overview in which scenario you should use one of the following utilities:
  • firewalld: Use the firewalld utility to configure a firewall on workstations. The utility is easy to use and covers the typical use cases for this scenario.
  • nftables: Use the nftables utility to set up complex firewalls, such as for a whole network.
  • iptables: The iptables utility is deprecated in Red Hat Enterprise Linux 8. Use instead nftables.
While firewalld can route, that is (IMHO) the opposite of "easy to use".

What I would do (have done), is dump current ruleset with

sudo nft list ruleset

then edit and store it for nftables.service and get rid of firewalld.service.

Some nftables examples: https://wiki.gentoo.org/wiki/Nftables/Examples

aeonjeffj
Posts: 4
Joined: 2015/04/02 22:50:31

Re: Firewalld - host in dual role (server/router) - firewalld won't route traffic

Post by aeonjeffj » 2020/11/09 16:49:44

jlehtone wrote:
2020/11/08 23:53:24
What I would do (have done), is dump current ruleset with

sudo nft list ruleset

then edit and store it for nftables.service and get rid of firewalld.service.

Holy frijoles... The way firewalld creates tables for every zone, the output from "nft list ruleset" is a hot mess.

This function worked fine in iptables back in the CentOS 6 days, to have a firewalled machine for its own services while freely routing traffic. This seems /*to me*/ to be broken. The firewall even interferes with routed traffic that it allows to itself (ssh for example). I can ssh to the C8.2 server from host1 and I can ssh to C8.2 from host2 but I cannot ssh from host1 to host2...

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Firewalld - host in dual role (server/router) - firewalld won't route traffic

Post by jlehtone » 2020/11/09 18:10:20

aeonjeffj wrote:
2020/11/09 16:49:44
Holy frijoles... The way firewalld creates tables for every zone the output from "nft list ruleset" is a hot mess.
Yes. On CentOS 7 firewalld creates at least as long a list with iptables. Firewalld is "easy to use" in a "PC", where you don't route and don't have more than one NIC.

TrevorH here has words about firewalld. :roll:

Then again, remembering my iptables rules for CentOS 5, I sense a "Hold my beer" moment.


Ho, ho, ho, I found an upstream page https://firewalld.org/2020/09/policy-ob ... troduction that writes:
With some exceptions (e.g. masquerade, forward-ports) firewalld was previously limited to being an end-station firewall. This meant you could not use it to filter traffic flowing between virtual machines, containers, and zones.
The fabulous Policy Objects appear in 0.9.0. RHEL 8.3 did rebase firewalld to 0.8.2, so we won't be "harassed" with policies in the foreseeable future.


One can get 'iptables' on CentOS 8, but it is a mere wrapper for 'nft'.
One thing that running iptables does is that it creates tables for the nftables rules that the wrapper generates.
That is why running 'iptables -S' shows no rules.
Firewalld has 'direct' (passthrough?) rules that take iptables and therefore use the wrapper.
Hence those empty tables due to firewalld even though you have no direct rules.

While nftables does not need to have any chains in any tables, unlike netfilter that has the builtin chains, basic NAT (masquerade) requires a prerouting chain:

	chain prerouting {
		type nat hook prerouting priority 0; policy accept;
	}

I have not looked for the rationale, but I presume that the existence of that chain enables something that handling of the replies requires.

Apart from such peculiarities, you can wipe most of the ruleset out.

... unless ... (upstream) firewalld states that NetworkManager, libvirt, podman, docker (iptables backend only), and fail2ban can talk to it. Those nasty creatures like to add rules to ruleset. With plain nftables.service -- without iptables and firewalld -- some of these might require additional consideration.
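To make the "dump, edit, store for nftables.service" advice above concrete, here is an added example ruleset written for the dual-role host in this thread's diagram (it is not either poster's configuration and not firewalld's generated output). It assumes the interface names and addresses from the diagram, keeps only a subset of the OP's service list for the host's own input chain, routes freely between the two private networks as the OP wants, and includes the empty nat prerouting chain mentioned above even though no masquerading is needed here:

```nft
#!/usr/sbin/nft -f
# Added example for a host that is both a server and a router between
# eno1 (192.168.0.254/24) and eno2 (10.0.0.1/24). Assumed names/addresses
# come from the thread's diagram; service ports are a subset of the OP's list.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # ICMP/ICMPv6 so path MTU discovery and neighbour discovery keep working
        meta l4proto { icmp, ipv6-icmp } accept
        # Services the host itself offers on both inside interfaces
        iifname { "eno1", "eno2" } tcp dport { 22, 53, 80, 443, 139, 445 } accept
        iifname { "eno1", "eno2" } udp dport { 53, 67, 123, 137, 138 } accept
        counter reject with icmpx type admin-prohibited
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Free routing between the two private networks, both directions
        iifname "eno1" oifname "eno2" accept
        iifname "eno2" oifname "eno1" accept
        counter drop
    }
}

# No masquerade rule: all networks are private and NAT is done upstream.
# The nat prerouting chain is kept because, as noted above, masquerade
# needs it if it is ever enabled here.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
    }
}
```

Syntax-check the file with `nft -c -f <file>` before loading it, and keep a console session open while switching from firewalld.service to nftables.service so a mistake in the input chain cannot lock you out.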
