Wise people learn when they can; fools learn when they must - Arthur Wellesley

Sunday, 22 July 2018

LINUX-30 FIREWALLD (RHEL7) -P3


Other Posts under firewalld,

FIREWALLD (RHEL7) -P2
FIREWALLD (RHEL7) -P3

INTERFACES & FIREWALLD:

How to add an interface to a zone
How to change an interface from one zone to another
How to remove an interface from a zone
How to list interfaces assigned to a zone
How to List the zone to which an interface is assigned


Every connection enters or leaves the host through an interface, so when a packet reaches a firewalld-enabled server it has to be sorted into a zone before any rule can apply. The simplest sort key is the interface the packet arrives on (or leaves through), so firewalld binds each interface to exactly one zone and applies that zone's rules to the interface's traffic.

Every active interface (as listed by ifconfig -a or ip link) is bound to a zone: either the one you assigned explicitly or, failing that, the default zone. An interface can never be in more than one zone. Out of the box the default zone is public, so on a fresh install firewalld clubs all active interfaces into the public zone. The consequence worth remembering: an interface that sits in the default zone only implicitly follows the default zone wherever it is moved, and its effective rule set changes with it.


firewall-cmd binds a network interface to a zone in the runtime configuration, or with --permanent in the permanent configuration. The interface name must match a network interface on the system. If --zone is omitted, the default zone is used.

Actions
Add (--add-interface): bind the interface to the zone.
Change (--change-interface): move the interface to the zone, removing it from whichever zone held it.
Remove (--remove-interface): unbind the interface from the zone.

Let's check my details. Here the default zone is "work", and since no interface has been assigned explicitly, all interfaces are bound to that default zone:

[root@rhel7-server ~]#  firewall-cmd --get-default-zone
work

[root@rhel7-server ~]#  firewall-cmd --get-active-zones
work
  interfaces: eth0 eth1 eth2

Let’s check the “public” zone as well,

[root@rhel7-server ~]# firewall-cmd --zone=public --list-all
public
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports: 3000-4000/udp 80/tcp 3000-4000/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

Let’s change the default zone and see the assignment of interfaces,

[root@rhel7-server ~]# firewall-cmd --set-default-zone=public
success

[root@rhel7-server ~]# firewall-cmd --zone=public --list-all
public (default, active)
  interfaces: eth0 eth1 eth2
  sources:
  services: dhcpv6-client ssh
  ports: 3000-4000/udp 80/tcp 3000-4000/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

[root@rhel7-server ~]#  firewall-cmd --get-default-zone
public

No interfaces are bound to the "work" zone any more:

[root@rhel7-server ~]# firewall-cmd --zone=work --list-all
work
  interfaces:
  sources:
  services: dhcpv6-client ftp ipp-client nfs ssh
  ports: 3306/tcp 80/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

So interfaces that were never explicitly bound follow the default zone wherever it goes.
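Since --set-default-zone silently moves every implicitly bound interface, the check a practitioner wants before running it is "which interfaces will move?". Here is an added example script (not from the original post) that answers that: it parses the `firewall-cmd --get-active-zones` listing and reports the interfaces in a given zone whose ifcfg profile has no ZONE= line. It assumes RHEL 7 style profiles under IFCFG_DIR (default /etc/sysconfig/network-scripts); the embedded active-zone listing is a constructed sample in the shape of the post's output, and the --live flag is this script's own convention.

```shell
#!/bin/bash
# Added example, not from the original post: list the interfaces that sit in a
# zone only implicitly, i.e. without a ZONE= line in their ifcfg profile. If
# that zone is the default zone, --set-default-zone moves these interfaces and
# all their traffic to whatever zone becomes the new default.
#
# Assumptions: RHEL 7 style profiles in IFCFG_DIR (default
# /etc/sysconfig/network-scripts); the `firewall-cmd --get-active-zones`
# output is read from stdin so the parsing can be tried offline.
set -eu

IFCFG_DIR="${IFCFG_DIR:-/etc/sysconfig/network-scripts}"

# parse_active_zones: stdin is `firewall-cmd --get-active-zones` output, i.e. a
# zone name on an unindented line followed by indented "interfaces: a b c" and
# "sources: ..." lines. Prints one "interface zone" pair per line.
parse_active_zones() {
    awk '
        /^[^[:space:]]/            { zone = $1; next }
        /^[[:space:]]+interfaces:/ { for (i = 2; i <= NF; i++) print $i, zone }
    '
}

# implicit_in_zone ZONE: reads "interface zone" pairs on stdin and prints the
# interfaces bound to ZONE whose profile has no ZONE= line. An interface with
# no profile at all is reported too: nothing pins it either.
implicit_in_zone() {
    local want="$1" iface zone
    while read -r iface zone; do
        [ "$zone" = "$want" ] || continue
        if ! grep -qs '^ZONE=' "$IFCFG_DIR/ifcfg-$iface"; then
            echo "$iface"
        fi
    done
}

# Constructed sample of --get-active-zones output, in the shape shown in the
# post ("work" is the default zone there); used for offline checks.
SAMPLE_ACTIVE_ZONES='work
  interfaces: eth0 eth1 eth2
public
  interfaces: eth3
  sources: 10.0.0.0/8'

# Stand-alone use on a real host: show what --set-default-zone would drag along.
if [ "${1:-}" = "--live" ] && command -v firewall-cmd >/dev/null 2>&1; then
    default_zone=$(firewall-cmd --get-default-zone)
    firewall-cmd --get-active-zones | parse_active_zones | implicit_in_zone "$default_zone"
fi
```

With the sample listing and ZONE=work present only in ifcfg-eth0, `implicit_in_zone work` prints eth1 and eth2: those are the interfaces whose rules would change under a new default zone. Run the script with --live on a host to get the same report from the real firewalld state.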
Now let's try to remove an interface from our default zone, which is "public" now.

THIS EXERCISE IS TO ADD AN INTERFACE PERMANENTLY,

# firewall-cmd --remove-interface=eth2 --zone=public --permanent
success
[root@rhel7-server ~]# firewall-cmd --reload
success
[root@rhel7-server ~]# firewall-cmd --get-zone-of-interface=eth2
public

No luck: after the reload it is re-attached to "public" automatically. That is expected once you remember how eth2 got there: it was never explicitly bound to public, it is in public only because public is the default zone, so removing it leaves it with no binding at all and it falls straight back into the default zone.
Let's remove it from public and add it to another zone instead,

# firewall-cmd --remove-interface=eth2 --zone=public --permanent
success
# firewall-cmd --add-interface=eth2 --zone=work --permanent
success
[root@rhel7-server ~]# firewall-cmd --get-zone-of-interface=eth2
public
[root@rhel7-server ~]# firewall-cmd --reload
success
[root@rhel7-server ~]# firewall-cmd --get-zone-of-interface=eth2
public

Still no luck, but I really want to add my “eth2” to “work” zone.

WORKAROUND:

[root@rhel7-server ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth2
ZONE=work          <-- added this line at the end of the file

Now again I did,

# firewall-cmd --remove-interface=eth2 --zone=public --permanent
success
# firewall-cmd --add-interface=eth2 --zone=work --permanent
success
[root@rhel7-server ~]# firewall-cmd --get-zone-of-interface=eth2
public

Still no change... let's reload and see,

[root@rhel7-server ~]# firewall-cmd --reload
success
[root@rhel7-server ~]# firewall-cmd --get-zone-of-interface=eth2
public

Still the same situation... Now let's restart the network,

[root@rhel7-server ~]# systemctl restart network
[root@rhel7-server ~]# firewall-cmd --get-zone-of-interface=eth2
work

Ohhhhh... Finally.

Why this works: on RHEL 7 the interfaces are managed by NetworkManager, and NetworkManager owns the interface-to-zone binding. It takes the zone from the connection profile (the ZONE= line in the ifcfg file) and passes it to firewalld when the connection is activated; a profile with no ZONE= line puts the interface in the default zone, which is why every firewall-cmd change above was undone on the next reload. Editing the file alone changes nothing until the connection is re-activated, and that is what the network restart did. Restarting the whole network service bounces every interface; the less disruptive route is nmcli connection reload (so NetworkManager re-reads the edited file) followed by ifdown eth2 and ifup eth2 for just that interface. The same setting can be made without editing the file at all: nmcli connection modify <connection> connection.zone work.

If we want to add/change/remove interfaces only temporarily, just drop --permanent from the commands above and do not reload, since firewall-cmd --reload discards runtime-only changes.

Note: For a NetworkManager-managed interface, a zone change made with firewall-cmd lasts for the current session only; NetworkManager re-applies the zone from the connection profile on the next activation. To change the zone permanently, set it in the interface's configuration file, /etc/sysconfig/network-scripts/ifcfg-<interface>:

ZONE=<zone name>

and then re-activate the interface.
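The whole workaround above, as an added example script that is not part of the original post: it sets ZONE= in the ifcfg profile idempotently (replacing a stale line instead of appending a second one), keeps firewalld's permanent zone XML in sync with --change-interface, re-activates only the one interface with nmcli connection reload plus ifdown/ifup rather than restarting the whole network, and verifies the live binding with --get-zone-of-interface. The interface name, zone and IFCFG_DIR (default /etc/sysconfig/network-scripts) are parameters, so the file-editing part can be rehearsed on a scratch directory before touching the real profile.

```shell
#!/bin/bash
# Added example, not from the original post: pin an interface to a firewalld
# zone persistently on RHEL 7 by setting ZONE= in its ifcfg profile, then make
# NetworkManager and firewalld pick the change up and verify the live binding.
#
# Assumptions: interface and zone are given as arguments; profiles live in
# IFCFG_DIR (default /etc/sysconfig/network-scripts), overridable so the file
# editing can be rehearsed on a scratch copy before touching the real one.
set -eu

IFCFG_DIR="${IFCFG_DIR:-/etc/sysconfig/network-scripts}"

# set_ifcfg_zone IFACE ZONE: write ZONE=ZONE into ifcfg-IFACE. Idempotent: an
# existing ZONE= line is replaced rather than duplicated (with two lines the
# last one silently wins), and a re-run with the same zone changes nothing.
set_ifcfg_zone() {
    local iface="$1" zone="$2"
    local file="$IFCFG_DIR/ifcfg-$iface"
    [ -f "$file" ] || { echo "no such profile: $file" >&2; return 1; }
    # zone names are plain identifiers; refuse anything else so the value can
    # neither break the ifcfg syntax nor be misread by sed below
    case "$zone" in
        ""|*[!A-Za-z0-9_-]*) echo "invalid zone name: $zone" >&2; return 1 ;;
    esac
    if grep -q '^ZONE=' "$file"; then
        sed -i "s/^ZONE=.*/ZONE=$zone/" "$file"
    else
        printf 'ZONE=%s\n' "$zone" >> "$file"
    fi
}

# get_ifcfg_zone IFACE: print the zone set in ifcfg-IFACE (empty if none).
get_ifcfg_zone() {
    sed -n 's/^ZONE=//p' "$IFCFG_DIR/ifcfg-$1" | tail -n 1
}

# apply_zone IFACE ZONE: edit the profile, keep firewalld's permanent zone XML
# in sync, re-activate just that interface and confirm the live binding.
apply_zone() {
    local iface="$1" zone="$2" live
    set_ifcfg_zone "$iface" "$zone"
    firewall-cmd --permanent --zone="$zone" --change-interface="$iface"
    firewall-cmd --reload
    # NetworkManager does not re-read edited ifcfg files on its own, and the
    # zone is applied when the connection comes up, so reload and bounce the
    # one interface (the post restarts the whole network service instead).
    nmcli connection reload
    ifdown "$iface" || true
    ifup "$iface"
    live=$(firewall-cmd --get-zone-of-interface="$iface")
    [ "$live" = "$zone" ] || { echo "expected $zone, got $live" >&2; return 1; }
    echo "$iface is now in zone $live"
}

# Usage on a real host (as root): ./pin-zone.sh eth2 work
if [ "$#" -eq 2 ]; then
    apply_zone "$1" "$2"
fi
```

The zone-name check is not cosmetic: ifcfg files are sourced as shell by the network scripts, so a value taken from a ticket or a web form and pasted in unvalidated would be executed as shell the next time the interface comes up. The final --get-zone-of-interface check is what the post had to repeat by hand; failing it loudly is better than assuming the rules moved with the interface.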

So, what we learned,

How to add an interface to a zone

# firewall-cmd --add-interface=eth1 --zone=work

How to change an interface from one zone to another

# firewall-cmd --change-interface=eth1 --zone=work

How to remove an interface from a zone

# firewall-cmd --remove-interface=eth2 --zone=public

How to list interfaces assigned to a zone

# firewall-cmd --zone=work --list-all

How to List the zone to which an interface is assigned

# firewall-cmd --get-zone-of-interface=eth2

** To add/remove/change permanently, append --permanent to the command and run firewall-cmd --reload; for a NetworkManager-managed interface, also set ZONE= in its ifcfg file and re-activate the interface as shown above, otherwise the binding reverts.
