Is there any priority for firewalld "zones"?
Environment
- Red Hat Enterprise Linux (All Versions).
- Firewalld.
Issue
- In which order does firewalld check rules between "zones"?
- Is there any priority for firewalld zones?
- Getting the error "Can't use --zone with policy only options." while setting a zone priority.
Resolution
- Upstream firewalld has this feature available via commit:
commit cb1d47611131eed9afe2e4489d27b6da4b9fab6f
Author: Eric Garver <eric@garver.life>
Date: Fri Mar 17 14:46:15 2023 -0400
feat(zone): add support for priority
This adds support for specifying an ingress and egress priority for
zones. This allows customizing the order in which traffic is classified
into zones.
A zone with a lower priority value (higher precedence) will always be
considered before a zone with a higher priority value (lower
precedence). This is very similar to priority as used in policies and
rich rules.
Classification is essentially a sorted pair of (ingress priority, egress
priority). When priority is the same, classification is sorted by
existing behavior, e.g. source based before interface based.
More details on this feature are discussed upstream.
We have raised an RFE to implement zone ordering; it can be expected in the next RHEL major release (possibly RHEL 10).
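As an added illustration (not code from this article or from firewalld itself), the following Python model reproduces the classification order the commit message describes: zone bindings are sorted by the (ingress priority, egress priority) pair with the lowest value first, source-based bindings go ahead of interface-based ones on a tie, and traffic matching no binding falls to the default zone. The zone names, addresses and interface names are constructed sample values.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Tie-break rank: with equal priorities, source-based bindings are checked
# before interface-based ones (the "existing behavior" the commit refers to).
SOURCE, INTERFACE = 0, 1


@dataclass
class Zone:
    name: str
    ingress_priority: int = 0  # lower value = higher precedence
    egress_priority: int = 0
    sources: list = field(default_factory=list)     # CIDRs bound with --add-source
    interfaces: list = field(default_factory=list)  # names bound with --add-interface


def candidates(zones):
    """Flatten every binding into (sort key, zone name, matcher), in classification order."""
    out = []
    for z in zones:
        for cidr in z.sources:
            net = ip_network(cidr)
            out.append(((z.ingress_priority, z.egress_priority, SOURCE), z.name,
                        lambda src, _ifn, net=net: ip_address(src) in net))
        for ifn in z.interfaces:
            out.append(((z.ingress_priority, z.egress_priority, INTERFACE), z.name,
                        lambda _src, ifname, ifn=ifn: ifname == ifn))
    return sorted(out, key=lambda c: c[0])  # stable sort: equal keys keep zone order


def classify(zones, src_ip, ifname, default_zone="public"):
    """Return the name of the first zone whose binding matches the packet."""
    for _key, name, matches in candidates(zones):
        if matches(src_ip, ifname):
            return name
    return default_zone


# Constructed sample: "internal" and "trusted" both claim traffic from
# 10.0.0.0/8 arriving on eth0 at the same priority; "drop" outranks both.
ZONES = [
    Zone("internal", ingress_priority=100, sources=["10.0.0.0/8"]),
    Zone("trusted", ingress_priority=100, interfaces=["eth0"]),
    Zone("drop", ingress_priority=-10, sources=["10.9.9.0/24"]),
]
```

Giving "trusted" a lower ingress priority value than "internal" flips the tie-break result, which is exactly the ordering control the RFE asks for.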
Root Cause
From: https://bugzilla.redhat.com/show_bug.cgi?id=2130288#c8
This feature requires firewalld v2.0.0 or later. A major version bump of the package is not appropriate for RHEL-9.
Fedora 39 contains firewalld v2.0.0. Therefore, this feature will be in the next major RHEL release via Fedora inheritance.
Diagnostic Steps
From a Fedora 38 system:
# rpm -qa |grep firewalld
firewalld-filesystem-1.3.1-1.fc38.noarch
firewalld-1.3.1-1.fc38.noarch
# firewall-cmd --permanent --zone internal --set-priority 100
usage: 'firewall-cmd --help' for usage information or see firewall-cmd(1) man page
Can't use --zone with policy only options.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.