.A configuration parameter has been added to `firewalld` to disable zone drifting
Previously, the `firewalld` service contained an undocumented behavior known as "zone drifting". RHEL 7.8 removed this behavior because it could have a negative security impact. As a consequence, on hosts that used this behavior to configure a catch-all or fallback zone, `firewalld` denied connections that were previously allowed. This update re-adds the zone drifting behavior, but as a configurable feature. As a result, users can now decide to use zone drifting or disable the behavior for a more secure firewall setup.
By default, in RHEL 7.9, the new `AllowZoneDrifting` parameter in the `/etc/firewalld/firewalld.conf` file is set to `yes`. Note that, if the parameter is enabled, `firewalld` logs:
----
WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.
----
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (firewalld bug fix and enhancement update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2020:3863
Upstream commits: bca4e6af91fc ("test: verify AllowZoneDrifting=yes") 1f7b5ffcd40d ("feat: ipXtables: support AllowZoneDrifting=yes") 517a061c5886 ("feat: nftables: support AllowZoneDrifting=yes") afadd377b09d ("feat: AllowZoneDrifting config option")