firewall-cmd and NetworkManager
It appears firewall-cmd is not working properly with NetworkManager in RHEL 7.
If I run a command like
firewall-cmd --permanent --zone=external --change-interface=enp8s0
even though it says success (and even if I --complete-reload), when I do a --list-all-zones it still shows the interface attached to the public zone. I restart firewalld and still it does not move, even though the files in /etc/firewalld clearly show the enp8s0 interface in the external zone and not the public zone.
I finally added ZONE=external to /etc/sysconfig/network-interfaces/ifcfg-enp8s0 and then restarted NetworkManager and firewalld and it finally moved.
I finally see, buried deep in the documentation at https://access.redhat.com/documentation/enUS/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html, where it mentions this problem, but I don't think this is clear enough. And it should not be the case. It should be simple for firewall-cmd to signal NetworkManager, if it is running, to do the right thing. Or at least not report success. Lots of automation tools (e.g. Puppet) are just going to have a terrible time with this otherwise.
Responses
Hello, I agree this lack of co-ordination between NetworkManager and firewalld is a sub-optimal experience. I have discussed this with the firewalld developer in the past. I will check with him later today and raise a bug if necessary and report back here.
BTW, you have a typo in your URL: a missing dash in "en-US". I remember the devs also updated the manual pages to draw attention to the fact that firewall-cmd cannot permanently change a zone if the interface is managed by NetworkManager.
Hello, I spoke to the firewalld developer. This issue is being worked on and you can add yourself to this bug to get updated on progress: Bug 1066037 - firewall-config should allow unspecifying zone binding for interface.
Thank you.
