Bug 1796055
Field | Value | Field | Value
---|---|---|---
Summary: | firewalld not falling back to interface zone | |
Product: | Red Hat Enterprise Linux 7 | Reporter: | Eric Garver <egarver>
Component: | firewalld | Assignee: | Eric Garver <egarver>
Status: | CLOSED ERRATA | QA Contact: | Tomas Dolezal <todoleza>
Severity: | medium | Docs Contact: | Marc Muehlfeld <mmuehlfe>
Priority: | high | |
Version: | 7.8 | CC: | cutaylor, egarver, fhallal, jmaxwell, kwalker, mabrown, mcolombo, orion, ptalbert, spanjikk, todoleza, toneata
Target Milestone: | rc | Keywords: | Regression, Reopened, ZStream
Target Release: | 7.9 | |
Hardware: | x86_64 | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | firewalld-0.6.3-9.el7 | Doc Type: | Bug Fix
Story Points: | --- | |
Clone Of: | 1772208 | |
: | 1802646 (view as bug list) | Environment: |
Last Closed: | 2020-09-29 19:21:17 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 1772208 | |
Bug Blocks: | 1797742, 1802646 | |

Doc Text:

.A configuration parameter has been added to `firewalld` to disable zone drifting

Previously, the `firewalld` service contained an undocumented behavior known as "zone drifting". RHEL 7.8 removed this behavior because it could have a negative security impact. As a consequence, on hosts that used this behavior to configure a catch-all or fallback zone, `firewalld` denied connections that were previously allowed. This update re-adds the zone drifting behavior, but as a configurable feature. As a result, users can now decide to use zone drifting or disable the behavior for a more secure firewall setup.

By default, in RHEL 7.9, the new `AllowZoneDrifting` parameter in the `/etc/firewalld/firewalld.conf` file is set to `yes`. Note that, if the parameter is enabled, `firewalld` logs:

----
WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.
----
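As an added example (not part of this bug report or of firewalld itself), a POSIX shell audit of the `AllowZoneDrifting` key in a firewalld.conf-style file: it reads the configured value, applies the RHEL 7.9 default of `yes` when the key is absent, rewrites the file to `no`, and recognizes the startup warning quoted above in log lines. The key=value-with-`#`-comments format and the `demo` helper are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the bug report or from firewalld.
# Assumptions: a firewalld.conf-style file of KEY=value lines with '#'
# comments; the 7.9 default of "yes" applies when the key is absent.

# Print the configured value, lowercased, or "unset" when the key is
# missing or empty. The last occurrence wins.
zone_drifting_setting() {
    v=$(sed -n 's/^[[:space:]]*AllowZoneDrifting[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$1" | tail -n 1)
    if [ -z "$v" ]; then echo unset; else printf '%s\n' "$v" | tr 'A-Z' 'a-z'; fi
}

# Exit 0 when zone drifting is in effect ("yes", or absent and thus the 7.9
# default), 1 when it is explicitly "no", 2 for any other value (unknown).
zone_drifting_enabled() {
    case "$(zone_drifting_setting "$1")" in
        yes|unset) return 0 ;;
        no)        return 1 ;;
        *)         return 2 ;;
    esac
}

# Rewrite the file so that AllowZoneDrifting=no, replacing a live assignment
# in place or appending one if the key is absent. Commented-out lines such
# as "#AllowZoneDrifting=yes" are left alone and not treated as live.
zone_drifting_disable() {
    awk '
        /^[[:space:]]*AllowZoneDrifting[[:space:]]*=/ { print "AllowZoneDrifting=no"; seen = 1; next }
        { print }
        END { if (!seen) print "AllowZoneDrifting=no" }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Exit 0 if firewalld's startup warning (quoted in the doc text) appears in
# the log lines read from stdin, e.g. piped from "journalctl -u firewalld".
zone_drifting_warning_logged() {
    grep -q 'WARNING: AllowZoneDrifting is enabled'
}

# Constructed sample run on a throwaway file (hypothetical helper).
demo() {
    f=$(mktemp)
    printf '# constructed sample\nDefaultZone=public\nAllowZoneDrifting=yes\n' > "$f"
    echo "before: $(zone_drifting_setting "$f")"
    zone_drifting_disable "$f"
    echo "after:  $(zone_drifting_setting "$f")"
    rm -f "$f"
}

if [ "${1-}" = demo ]; then demo; fi
```

Point the functions at `/etc/firewalld/firewalld.conf` to audit a real host; `zone_drifting_disable` only edits the file, so firewalld still needs a reload for the change to take effect.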
Comment 6
Eric Garver
2020-01-30 22:26:15 UTC
Upstream blog post: https://firewalld.org/2020/01/allowzonedrifting

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (firewalld bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3863