Matthew Miller wrote:

>> I'm wondering if it is possible to have Centos-7 automatically change
>> firewall zones, depending on the network we connect to.
> The way to do this is changing the zone for the network in
> NetworkManager.

Are there two different ways of setting firewalld zones,
in firewalld and in NetworkManager?
Which is taken if they differ?

> (This works easily for wifi networks and is kind of a
> pain for wired ones, unfortunately, since there's not necessarily a
> good way to distinguish.) I don't have a CentOS (or RHEL) desktop and I
> don't remember offhand when this hit, but in Fedora, run the
> NetworkManager config panel, hit config on a network, and change the
> zone on the Security tab.
>
> Or, put "ZONE=public" or "ZONE=work" or whatever in the ifcfg file for
> the network.
>
> I'm hoping in the future to make this better, but there are actually a
> lot of different parts involved so it's hard to get everyone to agree
> on the best approach.
>
> I personally make "public" my default zone, and then add zones that
> should be more trusted to networks that should be more open.

I find the firewalld definition of "zones" rather confusing.
I run shorewall on my home server, and that seems to me
to have a much simpler definition of zones.

-- 
Timothy Murphy
gayleard /at/ eircom.net
School of Mathematics, Trinity College, Dublin
On Fri, Mar 25, 2016 at 11:26:17AM +0000, Timothy Murphy wrote:
> >> I'm wondering if it is possible to have Centos-7 automatically change
> >> firewall zones, depending on the network we connect to.
> > The way to do this is changing the zone for the network in
> > NetworkManager.
> Are there two different ways of setting firewalld zones,
> in firewalld and in NetworkManager?
> Which is taken if they differ?

They can't differ - the configuration is stored in the ifcfg files, no
matter how you set it.

> I find the firewalld definition of "zones" rather confusing.
> I run shorewall on my home server, and that seems to me
> to have a much simpler definition of zones.

Think of "zone" as "set of presets".

-- 
Matthew Miller <mattdm at fedoraproject.org>
Fedora Project Leader
On 25 March 2016 at 16:31, Matthew Miller <mattdm at mattdm.org> wrote:
> On Fri, Mar 25, 2016 at 11:26:17AM +0000, Timothy Murphy wrote:
> > >> I'm wondering if it is possible to have Centos-7 automatically change
> > >> firewall zones, depending on the network we connect to.
> > > The way to do this is changing the zone for the network in
> > > NetworkManager.
> > Are there two different ways of setting firewalld zones,
> > in firewalld and in NetworkManager?
> > Which is taken if they differ?
>
> They can't differ - the configuration is stored in the ifcfg files, no
> matter how you set it.
>

In this instance you're incorrect Matthew.

If an interface is associated with a zone via firewalld then this config is
in /etc/firewalld/zones/<zonename>.xml with an interface element in the xml
there.

If NM has connection.zone modified to point to something, this then would go
into /etc/sysconfig/network-scripts/ifcfg-* (as ZONE=).

And as a quick test the NM value overrides the firewalld one.

To verify this in a VM, assuming an interface name of eth0, do the following:

== Make the firewalld change ==

    firewall-cmd --change-interface=eth0 --zone=work
    firewall-cmd --runtime-to-permanent

== Verify the config ==

    firewall-cmd --get-active-zones
    cat /etc/firewalld/zones/work.xml

** At this point the config all points to eth0 in work and verification
confirms this **

== Make the NM change ==

    nmcli c mod "System eth0" connection.zone home

== Verify the config ==

    firewall-cmd --get-active-zones
    cat /etc/sysconfig/network-scripts/ifcfg-eth0
    cat /etc/firewalld/zones/work.xml

** At this point the firewalld config points to eth0 in work but the NM
config points to home, and verification confirms this different config but
home in use **

== Note the persistence ==

    reboot
    firewall-cmd --get-active-zones
    cat /etc/sysconfig/network-scripts/ifcfg-eth0
    cat /etc/firewalld/zones/work.xml

** The same situation as pre-reboot appears **

I assume this is the case as NM explicitly puts an interface into a zone as
part of the connection profile coming up. I haven't monitored dbus to see if
firewalld brings it up on one and NM changes it or not... easy for someone
else to test though ;)

> > I find the firewalld definition of "zones" rather confusing.
> > I run shorewall on my home server, and that seems to me
> > to have a much simpler definition of zones.
>
> Think of "zone" as "set of presets".
>

It's a really horrible UX issue frankly, I've seen it confuse many people at
this point.

This is made worse by the Fedora products creating their own zones and
defaulting to those, with EL7 using the firewalld upstream default of Public,
which the name itself is confusing when it doesn't really relate to anything
Public but is just a name.

I've seen people assume work or home are detected by subnets or local net
only for instance - when again it's just labels for the larger part.
Upstream firewalld has been reluctant to change this though from what I've
seen, and you can't even remove the default zones nicely to get a clearer
view of things.
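An added audit script, not code from the thread, that checks the discrepancy described above offline: it reads which zone XML lists an interface and which ZONE= the ifcfg file carries, reports the zone in effect on the thread's observation that the NM value wins, and flags a stale firewalld XML. The zone and network-scripts directories are parameters (defaulting to the real paths) so it runs against the constructed sample files at the end.

```shell
#!/bin/sh
# Added example, not from the thread: report where an interface's zone is
# declared (firewalld zone XML vs. NM ifcfg ZONE=) and flag a mismatch. The
# thread says the NM value wins, so a mismatch means the XML is stale.

# firewalld_zone_of IFACE [ZONEDIR]: zone whose XML lists the interface
firewalld_zone_of() {
    for f in "${2:-/etc/firewalld/zones}"/*.xml; do
        [ -f "$f" ] || continue
        if grep -q "<interface name=\"$1\"/>" "$f"; then
            basename "$f" .xml
            return 0
        fi
    done
    return 1
}

# nm_zone_of IFACE [SCRIPTDIR]: ZONE= value from ifcfg-IFACE, if any
nm_zone_of() {
    f=${2:-/etc/sysconfig/network-scripts}/ifcfg-$1
    [ -f "$f" ] || return 1
    z=$(sed -n 's/^ZONE=//p' "$f" | tr -d '"')
    [ -n "$z" ] && echo "$z"
}
# audit_zone IFACE [ZONEDIR] [SCRIPTDIR]: prints "IFACE ZONE SOURCE" and
# returns 1 when firewalld and NM disagree (NM wins, the XML is stale)
audit_zone() {
    fw=$(firewalld_zone_of "$1" "$2") || fw=""
    nm=$(nm_zone_of "$1" "$3") || nm=""
    if [ -n "$nm" ]; then
        echo "$1 $nm nm"
        [ -z "$fw" ] || [ "$fw" = "$nm" ]
    elif [ -n "$fw" ]; then
        echo "$1 $fw firewalld"
    else
        echo "$1 default none"
    fi
}

# Constructed sample mirroring the thread's test: firewalld lists eth0 and
# eth1 in "work"; NM's profile for eth0 says ZONE=home, eth1 sets no zone.
sample=$(mktemp -d)
mkdir -p "$sample/zones" "$sample/network-scripts"
printf '<zone>\n  <interface name="eth0"/>\n  <interface name="eth1"/>\n</zone>\n' \
    > "$sample/zones/work.xml"
printf 'DEVICE=eth0\nZONE=home\n' > "$sample/network-scripts/ifcfg-eth0"
printf 'DEVICE=eth1\n' > "$sample/network-scripts/ifcfg-eth1"
for i in eth0 eth1 eth2; do
    audit_zone "$i" "$sample/zones" "$sample/network-scripts" || echo "  conflict"
done
```

Run as root without arguments to audit the live /etc paths; an interface reported with source "nm" but a different zone in a firewalld XML is the situation the thread describes.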