What is the behavior of firewalld when using multiple zones?
Issue
- How does firewalld handle the use of multiple zones?
- First we have bound the only interface we have (eth0) to zone 'public'. This zone only allows the services dhcpv6-client and ssh.
- Secondly we have created a new zone 'example' and bound a source (xxx.xxx.xxx.xxx) to this zone. This zone only allows port 5308/tcp.
- As expected for zone 'public': hosts with another IP than 'xxx.xxx.xxx.xxx' were able to use ssh, but not port 5308 on this host. As expected for zone 'example': the host with IP xxx.xxx.xxx.xxx was able to use port 5308 on this host.
- NOT AS EXPECTED: the host with IP xxx.xxx.xxx.xxx was able to use ssh on this host as well. This is not as expected because this zone does not allow ssh. It looks like zone 'example' is selected because of source IP xxx.xxx.xxx.xxx, but because there is no match for service ssh (port 22/tcp) it falls back to the zone which is bound to the used interface (eth0): zone 'public'. And because this zone accepts ssh, it is allowed. If I remove service 'ssh' from zone 'public', the host with IP xxx.xxx.xxx.xxx is also no longer allowed to use service ssh.
- QUESTION: is this 'works as designed': if the service is not found in the zone to which the source is bound (in this case 'cfengine'), it falls back to the zone the interface is bound to (in this case 'public'). Or is this a bug?
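The behaviour reported above can be reasoned about as a two-step lookup: the zone whose source binding matches the client is consulted first, and if that zone neither matches the port nor has a terminal target, the decision continues in the zone bound to the ingress interface. The following is an added example that models this lookup; it is not firewalld's own code and not part of the original report. The zone names, ports and services are the ones from the report; 203.0.113.10 (RFC 5737 documentation range) is a constructed stand-in for the redacted xxx.xxx.xxx.xxx, and 198.51.100.7 is a constructed "other" host.

```python
# Added example: a model of the zone-selection sequence described in the report
# above (source-bound zone first, then the ingress interface's zone). Not
# firewalld's own code. Addresses are constructed: 203.0.113.10 stands in for
# the redacted xxx.xxx.xxx.xxx, 198.51.100.7 is an unrelated client.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Port opened by each named service (only the two services the report uses).
SERVICE_PORTS = {"ssh": "22/tcp", "dhcpv6-client": "546/udp"}


@dataclass
class Zone:
    name: str
    services: set = field(default_factory=set)    # service names
    ports: set = field(default_factory=set)       # "port/proto" strings
    sources: list = field(default_factory=list)   # CIDR strings
    interfaces: set = field(default_factory=set)
    # "default" lets unmatched traffic continue to the interface zone;
    # "ACCEPT", "REJECT" and "DROP" end the decision inside this zone.
    target: str = "default"

    def allows(self, port):
        return port in self.ports or any(
            SERVICE_PORTS.get(s) == port for s in self.services)


def decide(zones, src_ip, ingress_if, port):
    """Return (verdict, zone_name) for one inbound connection attempt."""
    src = ip_address(src_ip)
    # 1. Zones with a matching source binding are consulted first.
    for z in zones:
        if any(src in ip_network(n) for n in z.sources):
            if z.allows(port):
                return "ACCEPT", z.name
            if z.target != "default":
                return z.target, z.name
            break  # target "default": fall through to the interface zone
    # 2. Then the zone the ingress interface is bound to.
    for z in zones:
        if ingress_if in z.interfaces:
            if z.allows(port):
                return "ACCEPT", z.name
            return ("REJECT" if z.target == "default" else z.target), z.name
    return "REJECT", None


def build_zones(example_target="default",
                public_services=("dhcpv6-client", "ssh")):
    """Zones as described in the report; the two knobs are what the report varies."""
    public = Zone("public", services=set(public_services), interfaces={"eth0"})
    example = Zone("example", ports={"5308/tcp"},
                   sources=["203.0.113.10/32"], target=example_target)
    return [example, public]


def observations(zones):
    """The four probes from the report, keyed by (source address, port)."""
    probes = [("203.0.113.10", "22/tcp"), ("203.0.113.10", "5308/tcp"),
              ("198.51.100.7", "22/tcp"), ("198.51.100.7", "5308/tcp")]
    return {p: decide(zones, p[0], "eth0", p[1]) for p in probes}


if __name__ == "__main__":
    for probe, verdict in observations(build_zones()).items():
        print(probe, "->", verdict)
```

With the zones as reported, the model yields ssh from 203.0.113.10 accepted by 'public' (the surprising case), 5308/tcp from 203.0.113.10 accepted by 'example', and 5308/tcp from the other host rejected. Two things are worth checking on a real host: `firewall-cmd --get-active-zones` shows which zone holds the source binding and which holds eth0, and `firewall-cmd --zone=example --list-all` shows that zone's target. A source zone whose target is `default` does not terminate the decision; setting it to REJECT (`firewall-cmd --permanent --zone=example --set-target=REJECT`, then `--reload`) makes the zone's own verdict final, which the model reproduces via `build_zones(example_target="REJECT")`.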
Environment
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
- firewalld.service