Red Hat Bugzilla – Full Text Bug Listing
| Field | Value |
|---|---|
| Summary | Unable to permanently set zone for not-NM-managed interface |
| Product | [Fedora] Fedora |
| Reporter | William Makowski <wfm692> |
| Component | firewalld |
| Assignee | Thomas Woerner <twoerner> |
| Status | CLOSED NEXTRELEASE |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Version | 18 |
| CC | amessina, gandr, jpopelka, pb, twoerner |
| Fixed In Version | firewalld-0.3.0-1.fc19 |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Last Closed | 2013-06-21 04:50:24 EDT |
| Type | Bug |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
Description William Makowski 2013-01-23 22:01:47 EST
Description of problem:
I am not able to add a permanent entry in the trusted zone for the tun0 interface created by openvpn. It is necessary to use "firewall-cmd --zone=trusted --add-interface=tun0" after any restart to open the firewall. This could just be a lack of knowledge on my part. I did try "firewall-cmd --permanent --zone=trusted --add-interface=tun0", but the program exited and showed the man page for firewall-cmd. Kind of neat, but unexpected.

Version-Release number of selected component (if applicable):
firewalld-0.2.12-1.fc18.noarch

How reproducible:
Attempt to create a permanent entry in the trusted zone for interface tun0.

Steps to Reproduce:
1. firewall-cmd --permanent --zone=trusted --add-interface=tun0

Actual results:
The tun0 interface does not get added when the --permanent option is used with firewall-cmd. The program exits and shows the firewall-cmd man page.

Expected results:
Establish the entry for tun0 so that it remains persistent after a restart.
Comment 1 Jiri Popelka 2013-01-24 04:25:32 EST
What zone the connection (interface) belongs to is a property of the connection and can therefore be permanently changed (like all the other connection properties) either in /etc/sysconfig/network-scripts/ifcfg-<iface> (ZONE key) or in the NetworkManager GUI. If the interface is not NetworkManager (NM) managed, then firewalld also does not know about it, because it is NM that tells firewalld when to add/remove a connection (interface) to/from which zone. Connections (interfaces) which are *not* NM managed are in the default zone, so the only way to permanently add this interface to the trusted zone (if you don't want to add it manually after every restart) is to change the default zone to trusted. You'll need firewalld-0.2.12-2 (in updates-testing at the moment) because of bug #902845.
Comment 2 William Makowski 2013-01-24 08:01:28 EST
I appreciate you replying so quickly. In this case the interface (tun0) gets created dynamically by openvpn and NetworkManager is not aware of it. It looks like NetworkManager can configure outgoing VPN connections, but not an interface of this type. There are no references to tun0 in /etc/sysconfig/network-scripts/ifcfg-xxxx. Perhaps this is something that needs to be addressed within NetworkManager or openvpn? However, the iptables way of doing things was to add it as a trusted interface. I can see how allowing the default zone to be trusted would work. However, I don't feel this is the best workaround, since it might unintentionally open a hole further down the road. I'm considering adding an ExecStartPost to firstname.lastname@example.org to execute firewall-cmd.
Comment 3 Jiri Popelka 2013-01-29 06:24:19 EST
*** Bug 905293 has been marked as a duplicate of this bug. ***
Comment 4 Peter Bieringer 2013-05-03 01:55:53 EDT
I'm also hit by this bug, like https://bugzilla.redhat.com/show_bug.cgi?id=905293. Having some virtual systems running in KVM, I always have to manually set up some rules after startup:

firewall-cmd --zone dmz --add-interface=virbr+
firewall-cmd --direct --add-rule ipv6 filter FWDO_ZONE_dmz 1 -j ACCEPT
firewall-cmd --direct --add-rule ipv6 filter FWDI_ZONE_dmz 1 -j ACCEPT

otherwise IPv6 application connectivity is blocked. None of the rules can be stored permanently, which is very strange and should be possible somehow. Please add a feature to support permanent storing of such rules.

$ rpm -q firewalld
firewalld-0.2.12-5.fc18.noarch

BTW: it would be very good if firewalld would also support "router centric" configuration in addition to the "client centric" features it already has.
Comment 5 Jiri Popelka 2013-06-21 04:50:24 EDT
(In reply to William Makowski from comment #0)
> Steps to Reproduce:
> 1. firewall-cmd --permanent --zone=trusted --add-interface=tun0

This has been possible since 0.3.0 (Fedora-19 only); I'm closing this ticket.

(In reply to Peter Bieringer from comment #4)
> Please add a feature to support permanent storing of such rules.

That's bug #815489, which should be addressed in the near future.
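Added example (not from the bug thread or from firewalld itself): a POSIX shell check, for the situation comments 1 and 2 describe, that a non-NM-managed interface such as tun0 really landed in the intended zone and that the default zone has not been widened to trusted as a workaround. It parses a constructed sample in the layout of `firewall-cmd --get-active-zones` (zone name line followed by an indented `interfaces:` line; the layout is an assumption) instead of calling firewall-cmd, so it runs offline.

```shell
#!/bin/sh
# Constructed sample in the `firewall-cmd --get-active-zones` layout (assumed:
# zone name on its own line, then an indented "interfaces:" line). Not from the bug.
SAMPLE_ACTIVE_ZONES='public
  interfaces: em1 virbr0
trusted
  interfaces: tun0'

# Print the zone whose "interfaces:" line lists the interface, or nothing at all.
# $1 = text in --get-active-zones layout, $2 = interface name
zone_of_interface() {
    printf '%s\n' "$1" | awk -v iface="$2" '
        /^[^ ]/ { zone = $1; next }                 # unindented line: zone name
        /^ +interfaces:/ {                          # indented list of members
            for (i = 2; i <= NF; i++) if ($i == iface) { print zone; exit }
        }'
}

# Succeed only when the interface is bound to the wanted zone. An interface that
# firewalld was never told about (e.g. tun0 created by openvpn) shows up nowhere
# here because it sits in the default zone, so this also catches that case.
# $1 = active-zones text, $2 = interface, $3 = wanted zone
interface_in_zone() {
    [ "$(zone_of_interface "$1" "$2")" = "$3" ]
}

# Succeed only when the default zone is not "trusted": the workaround from
# comment 1 would expose every interface firewalld has not bound elsewhere.
# $1 = output of `firewall-cmd --get-default-zone`
default_zone_is_restrictive() {
    [ "$1" != "trusted" ]
}
```

On a live host, pass "$(firewall-cmd --get-active-zones)" and "$(firewall-cmd --get-default-zone)" to the functions in place of the sample, for instance from an ExecStartPost or a cron job that alerts when a check fails.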