Greetings,

One of my biggest frustrations with CentOS 7 has been firewalld. Essentially all of the documentation just flat doesn't work.

One common thing that needs to be done is to change the zone of an interface, however I've tried:

    firewall-cmd --permanent --zone=internal --change-interface=ens192
    firewall-cmd --permanent --zone=internal --add-interface=ens192

I've also tried setting in /etc/sysconfig/network-scripts/ifcfg-ens192:

    ZONE=internal
    ZONE="internal"

No matter what, when firewalld starts, ens192 will be in the public zone.

What am I doing wrong? Why does the documented command structure not work?

--
- Nick Bright -
- Vice President of Technology -
- Valnet -=- We Connect You -=- -
- Web http://www.valnet.net/ -
On 11/6/2015 1:31 PM, Nick Bright wrote:

> One of my biggest frustrations with CentOS 7 has been firewalld.
>
> Essentially all of the documentation just flat doesn't work.
>
> One common thing that needs to be done is to change the zone of an
> interface, however I've tried:
>
> firewall-cmd --permanent --zone=internal --change-interface=ens192
> firewall-cmd --permanent --zone=internal --add-interface=ens192
>
> I've also tried setting in /etc/sysconfig/network-scripts/ifcfg-ens192:
>
> ZONE=internal
> ZONE="internal"
>
> No matter what, when firewalld starts, ens192 will be in the public zone.
>
> What am I doing wrong? Why does the documented command structure not
> work?

I haven't messed with firewalld yet, so the following is purely conjecture...

Does

    firewall-cmd --get-zones

list this "internal" zone? If not, you may need to create it first:

    firewall-cmd --permanent --new-zone=internal
    firewall-cmd --reload

THEN assign your interface to it:

    firewall-cmd --permanent --zone=internal --change-interface=ens192

--
john r pierce, recycling bits in santa cruz
On Nov 6, 2015 3:31 PM, "Nick Bright" <nick.bright at valnet.net> wrote:

> Greetings,
>
> One of my biggest frustrations with CentOS 7 has been firewalld.
>
> Essentially all of the documentation just flat doesn't work.
>
> One common thing that needs to be done is to change the zone of an
> interface, however I've tried:
>
> firewall-cmd --permanent --zone=internal --change-interface=ens192
> firewall-cmd --permanent --zone=internal --add-interface=ens192
>
> I've also tried setting in /etc/sysconfig/network-scripts/ifcfg-ens192:
>
> ZONE=internal
> ZONE="internal"
>
> No matter what, when firewalld starts, ens192 will be in the public zone.
>
> What am I doing wrong? Why does the documented command structure not work?
>
> --
> - Nick Bright -

Firewalld does physical interfaces; NetworkManager has profiles on top of them. NM can specify a zone and communicate it to firewalld - which should work from your ifcfg edit - but the reverse currently doesn't happen. Try with nmcli:

    nmcli con modify ens19p0 connection.zone internal

...btw, the insertion of the 'p' was deliberate, I've seen more device names of that form. Double-check your device name too.

--Pete
On 6 November 2015 at 21:49, Pete Travis <lists at petetravis.com> wrote:

> On Nov 6, 2015 3:31 PM, "Nick Bright" <nick.bright at valnet.net> wrote:
>>
>> Greetings,
>>
>> One of my biggest frustrations with CentOS 7 has been firewalld.
>>
>> Essentially all of the documentation just flat doesn't work.
>>
>> One common thing that needs to be done is to change the zone of an
>> interface, however I've tried:
>>
>> firewall-cmd --permanent --zone=internal --change-interface=ens192
>> firewall-cmd --permanent --zone=internal --add-interface=ens192
>>
>> I've also tried setting in /etc/sysconfig/network-scripts/ifcfg-ens192:
>>
>> ZONE=internal
>> ZONE="internal"
>>
>> No matter what, when firewalld starts, ens192 will be in the public zone.
>>
>> What am I doing wrong? Why does the documented command structure not work?
>>
>> --
>> - Nick Bright -
>
> Firewalld does physical interfaces, NetworkManager has profiles on top of
> them. NM can specify a zone and communicate it to firewalld - which should
> work from your ifcfg edit - but the reverse currently doesn't happen. Try
> with nmcli:
>
> nmcli con modify ens19p0 connection.zone internal
>
> ...btw, the insertion of the 'p' was deliberate, I've seen more device
> names of that form. doublecheck your device name too.
>

I have a couple of relevant articles you may be interested in ...

On assigning the zone via NM: https://www.hogarthuk.com/?q=node/8

Look down to the "Specifying a particular firewall zone" bit ... remember that if you edit the files rather than using nmcli you must reload NM (or do nmcli reload) for that to take effect.

If you specify a zone in NM then this will override the firewalld configuration if the zone is specified there.

Here's some firewalld stuff: https://www.hogarthuk.com/?q=node/9

Don't forget that if you use --permanent on a command you need to do a reload for it to read the config from disk and apply it.
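The two replies above describe a split source of truth: the ifcfg/NetworkManager profile asks for one zone, while firewalld's runtime state may show the interface somewhere else. The check below is an added example (not from the thread or from firewalld itself) that compares the ZONE= setting in an ifcfg profile against the zone firewalld reports in `firewall-cmd --get-active-zones`; both inputs are constructed sample text here, and a comment shows where the live commands would be substituted.

```bash
#!/usr/bin/env bash
# Added example: detect an interface whose profile zone and active firewalld
# zone disagree. Sample inputs are constructed, not captured from a real host.

# Zone requested by an ifcfg profile; accepts ZONE=internal and ZONE="internal".
ifcfg_zone() {
    local line zone=""
    while IFS= read -r line; do
        case "$line" in
            ZONE=*) zone=${line#ZONE=}; zone=${zone%\"}; zone=${zone#\"} ;;
        esac
    done <<EOF
$1
EOF
    printf '%s\n' "$zone"
}

# Zone firewalld currently has the interface in, parsed from
# `firewall-cmd --get-active-zones` output; prints "none" if it is not listed.
active_zone_of() {
    local iface=$1 line current="" w
    while IFS= read -r line; do
        case "$line" in
            "  "*interfaces:*)              # indented "  interfaces: a b" line
                for w in ${line#*interfaces:}; do
                    [ "$w" = "$iface" ] && { printf '%s\n' "$current"; return 0; }
                done ;;
            "  "*) ;;                       # other detail lines (sources: ...)
            *) current=$line ;;             # unindented line names the zone
        esac
    done <<EOF
$2
EOF
    printf 'none\n'
    return 1
}

# Returns 0 when the profile zone matches the active zone, 1 otherwise.
zone_check() {
    local iface=$1 want have
    want=$(ifcfg_zone "$2")
    have=$(active_zone_of "$iface" "$3")
    if [ -n "$want" ] && [ "$want" = "$have" ]; then
        printf 'OK: %s is in zone %s\n' "$iface" "$have"; return 0
    fi
    printf 'MISMATCH: %s profile wants %s, firewalld has %s\n' "$iface" "${want:-unset}" "$have"
    return 1
}

# Constructed sample data; on a live host use
#   "$(cat /etc/sysconfig/network-scripts/ifcfg-ens192)" and "$(firewall-cmd --get-active-zones)".
SAMPLE_IFCFG='TYPE=Ethernet
NAME=ens192
DEVICE=ens192
ONBOOT=yes
ZONE="internal"'
SAMPLE_ACTIVE_ZONES='public
  interfaces: ens192
internal
  interfaces: ens224'

zone_check ens192 "$SAMPLE_IFCFG" "$SAMPLE_ACTIVE_ZONES" || :   # reports the mismatch
```

Run it after `firewall-cmd --reload` (or `nmcli reload`) to confirm the interface actually landed in the intended zone rather than trusting the permanent configuration alone.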
https://bugzilla.redhat.com/show_bug.cgi?id=1112742

--
Ian Pilcher                                         arequipeno at gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------