Firewalld Adding Interfaces to a Zone Issue
Hi guys,
as always, thanks for helping with my issues.
I have been studying firewalld lately, here is an issue i have not been able to figure out.
- All interfaces by default are added to the default zone. In my case, the "public" zone is default.
- I have three interfaces ens32, ens33 and ens34, all assigned to the public zone.
- I removed ens34 from the public zone:
  'firewall-cmd --permanent --zone=public --remove-interface=ens34'
  success
- Now I add ens34 to the "internal" zone:
  'firewall-cmd --permanent --zone=internal --add-interface=ens34'
  success
- Each time I reboot the server or restart firewalld, ens34 gets assigned back to the "public" zone.
What am I doing wrong here?
Thanks All
Arrey
Responses
Hi Arrey,
The zone is controlled by the ZONE= option in the ifcfg files in the /etc/sysconfig/network-scripts/ directory. The firewalld.zones man page says: If the option is missing or empty, the default zone set in firewalld is used.
The parameters you used are only for interfaces for which no ifcfg file exists.
For NetworkManager controlled interfaces, the easiest way to (permanently) change the zone is to use the nm-connection-editor tool.
Hi Arrey,
As James pointed out, you can also use nmcli or nmtui. For example, to change a zone with nmcli, you would call:
nmcli connection modify conn_name connection.zone zone_name
nmcli has a very handy auto-completion available, so you can just go on pressing Tab, and it will offer available commands and subcommands.
Arrey--
If you are logged in from a system with an X Server and have $DISPLAY set, you can still use nm-connection-editor (and other GUI tools). The most obvious example would be running 'ssh -X' from a desktop or laptop with a full Linux GUI running.
If you need a text-only console option, both "nmtui" and "nmcli" should allow you to set or change most or all of the options that are controlled by "nm-connection-editor".
Hello
After some searching I found this has been reported before:
Bug 1112742 - firewall-cmd --permanent --change-interface=... should report an error
Man pages were updated recently: firewalld bug fix and enhancement update
While the /etc/sysconfig/network-scripts/ifcfg-eth0 method has worked before, and still works most of the time, during a firewall-cmd --reload those might get ignored!
Therefore, it is advisable to use firewall-cmd and the firewalld rich language to add/change interfaces to specific zones. This will write a record to /etc/firewalld/zones/public.xml, for example. The following would be the cmdline:
firewall-cmd --permanent --zone=public --change-interface=eth0
It's equally important to note that the default zone gets ignored when using this method, and needs to be explicitly specified. This last point might need to be corroborated, though.
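The two replies above describe competing sources of truth for an interface's zone: the ZONE= line in an ifcfg file (or the firewalld default zone when that line is missing or empty) versus the interface record that firewall-cmd writes into /etc/firewalld/zones/*.xml. The script below is an added example, not from the thread, that models that rule against constructed files and flags exactly the mismatch the question describes; the directory layout, the fixture contents and the default zone are assumptions passed in as parameters.

```shell
#!/bin/sh
# Added example (not from the original thread). Rule modelled, as stated in the
# replies: if ifcfg-<iface> exists, its ZONE= (or the firewalld default zone when
# ZONE= is missing/empty) decides the zone; only interfaces with no ifcfg file
# take the zone recorded in the firewalld zone XML. All paths are parameters.

# Zone whose XML file under ZONES_DIR lists IFACE (empty if none does).
xml_zone() {   # xml_zone ZONES_DIR IFACE
    grep -l "<interface name=\"$2\"/>" "$1"/*.xml 2>/dev/null | head -n 1 |
        sed 's#.*/##; s#\.xml$##'
}

# ZONE= value from IFCFG_DIR/ifcfg-IFACE with quotes stripped (empty if unset).
ifcfg_zone() { # ifcfg_zone IFCFG_DIR IFACE
    sed -n 's/^ZONE=//p' "$1/ifcfg-$2" | tr -d '"' | tail -n 1
}

# Zone firewalld will actually apply to IFACE after a reload or reboot.
effective_zone() { # effective_zone IFCFG_DIR ZONES_DIR DEFAULT_ZONE IFACE
    if [ -f "$1/ifcfg-$4" ]; then z=$(ifcfg_zone "$1" "$4")
    else z=$(xml_zone "$2" "$4"); fi
    [ -n "$z" ] && echo "$z" || echo "$3"
}

# Prints "ok", or "mismatch" when the zone XML claims IFACE for one zone while
# the ifcfg file will hand it to another (the symptom in the question).
check_binding() { # check_binding IFCFG_DIR ZONES_DIR DEFAULT_ZONE IFACE
    eff=$(effective_zone "$1" "$2" "$3" "$4"); rec=$(xml_zone "$2" "$4")
    if [ -n "$rec" ] && [ "$rec" != "$eff" ]; then
        echo "$4: zone XML says '$rec' but ifcfg will bind it to '$eff'" >&2
        echo mismatch
    else echo ok; fi
}

# Constructed fixture reproducing the thread: ens34 has an ifcfg file without
# ZONE= yet was added to internal.xml via firewall-cmd; ens35 has no ifcfg file.
make_fixture() { # make_fixture BASE_DIR
    mkdir -p "$1/ifcfg" "$1/zones"
    printf 'DEVICE=ens34\nBOOTPROTO=dhcp\nONBOOT=yes\n' > "$1/ifcfg/ifcfg-ens34"
    printf '<?xml version="1.0" encoding="utf-8"?>\n<zone>\n  <interface name="ens34"/>\n  <interface name="ens35"/>\n</zone>\n' > "$1/zones/internal.xml"
    printf '<?xml version="1.0" encoding="utf-8"?>\n<zone>\n</zone>\n' > "$1/zones/public.xml"
}

base=$(mktemp -d); make_fixture "$base"
check_binding "$base/ifcfg" "$base/zones" public ens34   # prints: mismatch
printf 'ZONE=internal\n' >> "$base/ifcfg/ifcfg-ens34"    # the fix from the first reply
check_binding "$base/ifcfg" "$base/zones" public ens34   # prints: ok
rm -rf "$base"
```

Point the first two parameters at /etc/sysconfig/network-scripts and /etc/firewalld/zones, with `firewall-cmd --get-default-zone` as the third, to run the same check against a live host.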