Bug 1772208
Summary: | firewalld not falling back to interface zone | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | mcolombo | |
Component: | firewalld | Assignee: | Eric Garver <egarver> | |
Status: | CLOSED ERRATA | QA Contact: | Tomas Dolezal <todoleza> | |
Severity: | medium | Docs Contact: | Marc Muehlfeld <mmuehlfe> | |
Priority: | high | |||
Version: | 8.1 | CC: | ajohn, cutaylor, egarver, huali, kwalker, mabrown, orion, ptalbert, spanjikk, todoleza, toneata | |
Target Milestone: | rc | Keywords: | Regression, Reopened, ZStream | |
Target Release: | 8.0 | |||
Hardware: | x86_64 | |||
OS: | Linux | |||
Whiteboard: | ||||
Fixed In Version: | firewalld-0.8.0-3.el8 | Doc Type: | Bug Fix | |
Doc Text: |
.A configuration parameter has been added to `firewalld` to disable zone drifting
Previously, the `firewalld` service contained an undocumented behavior known as "zone drifting". RHEL 8.0 removed this behavior because it could have a negative security impact. As a consequence, on hosts that used this behavior to configure a catch-all or fallback zone, `firewalld` denied connections that were previously allowed. This update re-adds the zone drifting behavior, but as a configurable feature. As a result, users can now decide to use zone drifting or disable the behavior for a more secure firewall setup.
By default, in RHEL 8.2, the new `AllowZoneDrifting` parameter in the `/etc/firewalld/firewalld.conf` file is set to `yes`. Note that, if the parameter is enabled, `firewalld` logs:
----
WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.
----
|
Story Points: | --- | |
Clone Of: | ||||
: | 1796055 1797546 (view as bug list) | Environment: | ||
Last Closed: | 2020-04-28 16:51:23 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 1796055, 1797546 |
Description
mcolombo
2019-11-13 22:04:00 UTC
This is not a bug. It's by design. In zone based firewalls (e.g. firewalld) packets ingress one and only one zone. See bug 1713823 and upstream issues:

https://github.com/firewalld/firewalld/issues/258
https://github.com/firewalld/firewalld/issues/441
https://github.com/firewalld/firewalld/issues/535

Upstream documentation: https://firewalld.org/documentation/zone/

To get the desired behavior you'll need to add the necessary services/ports/etc to the source-based zone.

*** Bug 1790681 has been marked as a duplicate of this bug. ***

What's the status of this then? Is it a regression or expected behavior? It's certainly a notable change which doesn't appear to be in the 8.1 release notes.

(In reply to Orion Poplawski from comment #25)
> What's the status of this then? Is it a regression or expected behavior?
> It's certainly a notable change which doesn't appear to be in the 8.1
> release notes.

It's still currently being investigated and discussed.

Upstream commits:

bca4e6af91fc ("test: verify AllowZoneDrifting=yes")
1f7b5ffcd40d ("feat: ipXtables: support AllowZoneDrifting=yes")
517a061c5886 ("feat: nftables: support AllowZoneDrifting=yes")
afadd377b09d ("feat: AllowZoneDrifting config option")

Upstream blog post: https://firewalld.org/2020/01/allowzonedrifting

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:1836
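The thread's point, that a packet ingresses exactly one zone and that the old "zone drifting" let a packet rejected by its source-bound zone fall through into the interface-bound zone, is easiest to see in a small model. The following is an added example written for this page, not firewalld's own dispatch code: the zone names (admins, public), the 10.0.0.0/24 source binding, eth0 and the services are constructed sample data, and zone target handling is simplified to default/ACCEPT/DROP. The rule that drifting only happens out of a zone whose target is default is a modelling assumption based on the thread's description, not a statement of firewalld internals. It also shows the remedy the first comment gives (add the service to the source-based zone) next to the AllowZoneDrifting toggle from the Doc Text, so the security trade-off is visible: with drifting on, an address you deliberately pinned to a restrictive source zone can still reach services opened on the interface zone.

```python
"""Model of how a firewalld zone decides a packet's fate, with and without
AllowZoneDrifting. Added illustration, not firewalld's own code: zone and
service names, addresses and the interface are constructed sample data, and
zone 'target' handling is simplified to default/ACCEPT/DROP."""
import copy
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Zone:
    name: str
    services: set = field(default_factory=set)
    sources: list = field(default_factory=list)   # CIDRs bound with --add-source
    interfaces: set = field(default_factory=set)  # names bound with --add-interface
    target: str = "default"  # assumption: 'default' rejects traffic no rule accepted


@dataclass(frozen=True)
class Packet:
    src: str
    iface: str
    service: str


def find_zones(packet, zones):
    """Return (source-bound zone, interface-bound zone); either may be None.
    Source bindings are consulted before interface bindings, so when both
    exist the source zone is the one the packet ingresses."""
    src = ip_address(packet.src)
    source_zone = next(
        (z for z in zones if any(src in ip_network(n) for n in z.sources)), None)
    iface_zone = next((z for z in zones if packet.iface in z.interfaces), None)
    return source_zone, iface_zone


def zone_verdict(zone, packet):
    """Decide the packet using only this zone's services and target."""
    if zone.target == "ACCEPT" or packet.service in zone.services:
        return "ACCEPT"
    return "DROP" if zone.target == "DROP" else "REJECT"


def evaluate(packet, zones, allow_zone_drifting=False):
    """Return (verdict, name of the zone that decided).

    AllowZoneDrifting=no: the packet is judged by exactly one zone.
    AllowZoneDrifting=yes: a packet its source zone did not accept (and whose
    target is 'default', a modelling assumption) drifts on into the interface
    zone's rules and may be accepted there."""
    source_zone, iface_zone = find_zones(packet, zones)
    zone = source_zone or iface_zone
    if zone is None:
        return "REJECT", None  # unbound traffic; real firewalld uses DefaultZone
    verdict = zone_verdict(zone, packet)
    drift_possible = (allow_zone_drifting and source_zone is not None
                      and iface_zone is not None and iface_zone is not source_zone
                      and source_zone.target == "default")
    if verdict != "ACCEPT" and drift_possible:
        drifted = zone_verdict(iface_zone, packet)
        if drifted == "ACCEPT":
            return drifted, iface_zone.name
    return verdict, zone.name


def with_service(zones, zone_name, service):
    """Return a copy of zones with `service` added to `zone_name`: the remedy
    the thread recommends instead of relying on drifting."""
    new = copy.deepcopy(zones)
    next(z for z in new if z.name == zone_name).services.add(service)
    return new


# Constructed sample layout: eth0 sits in 'public' (allows http only); hosts in
# 10.0.0.0/24 are pinned to a source-based 'admins' zone that allows ssh only.
ZONES = [
    Zone("admins", services={"ssh"}, sources=["10.0.0.0/24"]),
    Zone("public", services={"http"}, interfaces={"eth0"}),
]

if __name__ == "__main__":
    pkt = Packet("10.0.0.5", "eth0", "http")
    print(evaluate(pkt, ZONES, allow_zone_drifting=False))       # ('REJECT', 'admins')
    print(evaluate(pkt, ZONES, allow_zone_drifting=True))        # ('ACCEPT', 'public')
    print(evaluate(pkt, with_service(ZONES, "admins", "http")))  # ('ACCEPT', 'admins')
```

The first call is the behaviour reported in this bug (the admin host is no longer let through to http), the second is what the old drifting silently permitted, and the third is the supported fix: make the source zone itself carry every service that address range needs, then set AllowZoneDrifting=no in /etc/firewalld/firewalld.conf so the answer never depends on a second zone's rules.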