Bug 903456

Field | Value | Field | Value
---|---|---|---
Summary | Unable to permanently set zone for not-NM-managed interface | |
Product | [Fedora] Fedora | Reporter | William Makowski <wfm692>
Component | firewalld | Assignee | Thomas Woerner <twoerner>
Status | CLOSED NEXTRELEASE | QA Contact | Fedora Extras Quality Assurance <extras-qa>
Severity | medium | Docs Contact |
Priority | unspecified | |
Version | 18 | CC | amessina, gandr, jpopelka, pb, twoerner
Target Milestone | --- | |
Target Release | --- | |
Hardware | i686 | |
OS | Linux | |
Whiteboard | | |
Fixed In Version | firewalld-0.3.0-1.fc19 | Doc Type | Bug Fix
Doc Text | | Story Points | ---
Clone Of | | Environment |
Last Closed | 2013-06-21 08:50:24 UTC | Type | Bug
Regression | --- | Mount Type | ---
Documentation | --- | CRM |
Verified Versions | | Category | ---
oVirt Team | --- | RHEL 7.3 requirements from Atomic Host |
Cloudforms Team | --- | Target Upstream Version |
Embargoed | | |
Description by William Makowski, 2013-01-24 03:01:47 UTC

Comment 1

What zone the connection (interface) belongs to is a property of the connection and therefore can be permanently changed (like all the other connection properties) either in /etc/sysconfig/network-scripts/ifcfg-<iface> (ZONE key) or in the NetworkManager GUI. If the interface is not NetworkManager (NM) managed, then firewalld also does not know about it, because it's NM that tells firewalld when to add/remove a connection (interface) to/from which zone. Connections (interfaces) which are *not* NM managed are in the default zone, so the only way to permanently add this interface to the trusted zone (if you don't want to add it manually after every restart) is to change the default zone to trusted.

You'll need firewalld-0.2.12-2 (in updates-testing at the moment) because of bug #902845.

Comment 2

I appreciate you replying so quickly. In this case the interface (tun0) gets created dynamically by openvpn and NetworkManager is not aware of it. It looks like NetworkManager can configure outgoing VPN connections, but not an interface of this type. There are no references to tun0 in /etc/sysconfig/network-scripts/ifcfg-xxxx. Perhaps this is something that needs to be addressed within NetworkManager or openvpn?

However, the iptables way of doing things was to add it as a trusted interface. I can see how allowing the default zone to be trusted would work. However, I don't feel this is the best workaround, since it might unintentionally open a hole further down the road. I'm considering adding an ExecStartPost to openvpn to execute the firewall-cmd.

Comment 3

*** Bug 905293 has been marked as a duplicate of this bug. ***

Comment 4, Peter Bieringer

I'm also hit by this bug, like https://bugzilla.redhat.com/show_bug.cgi?id=905293. Having some virtual systems running in KVM, I have always manually set up some rules after startup:

    firewall-cmd --zone dmz --add-interface=virbr+
    firewall-cmd --direct --add-rule ipv6 filter FWDO_ZONE_dmz 1 -j ACCEPT
    firewall-cmd --direct --add-rule ipv6 filter FWDI_ZONE_dmz 1 -j ACCEPT

otherwise IPv6 application connectivity is blocked. None of the rules can be stored permanently, which is very strange and should be possible somehow. Please add a feature to support permanent storing of such rules.

    $ rpm -q firewalld
    firewalld-0.2.12-5.fc18.noarch

BTW: it would be very good if firewalld would also support "router centric" configuration in addition to the "client centric" features it already has.

Comment 5

(In reply to William Makowski from comment #0)
> Steps to Reproduce:
> 1. firewall-cmd --permanent --zone=trusted --add-interface=tun0

This has been possible since 0.3.0 (Fedora 19 only), I'm closing this ticket.

(In reply to Peter Bieringer from comment #4)
> Please add a feature to support permanent storing of such rules.

That's bug #815489, which should be addressed in the near future.
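The thread turns on where an interface that NM does not manage ends up: with no explicit binding it falls into DefaultZone (the setting in /etc/firewalld/firewalld.conf), and the fix that shipped in 0.3.0 records a binding as an `<interface name="tun0"/>` element in the permanent zone file /etc/firewalld/zones/trusted.xml. The following is an added example, not code from this bug report or from firewalld itself. It parses constructed stand-ins for those zone files, resolves each interface to its zone the way iptables matches the `-i` rules firewalld generates (a trailing `+` is a prefix wildcard, as in the `virbr+` binding in comment 4), refuses an interface bound in two zones, and flags the hole the reporter objected to in comment 2: a DefaultZone of trusted sweeps every unbound interface, the uplink included, into ACCEPT. The zone contents, interface names and DefaultZone values are invented for the demonstration.

```python
"""Audit firewalld permanent interface-to-zone bindings (added example).

The zone XML below is a constructed stand-in for the files firewalld keeps
under /etc/firewalld/zones/<zone>.xml after, for instance,
    firewall-cmd --permanent --zone=trusted --add-interface=tun0
    firewall-cmd --permanent --zone=dmz --add-interface=virbr+
The interface list and the DefaultZone values passed in are likewise invented.
"""
import xml.etree.ElementTree as ET

ZONE_FILES = {
    "public": """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
""",
    "trusted": """<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Trusted</short>
  <interface name="tun0"/>
</zone>
""",
    "dmz": """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>DMZ</short>
  <interface name="virbr+"/>
  <service name="ssh"/>
</zone>
""",
}


def parse_bindings(zone_files):
    """Return {zone: [interface name or pattern, ...]} from zone XML text."""
    bindings = {}
    for zone, xml_text in zone_files.items():
        root = ET.fromstring(xml_text.encode("utf-8"))
        bindings[zone] = [el.get("name") for el in root.findall("interface")]
    return bindings


def iface_matches(pattern, iface):
    """Match the way iptables matches -i: a trailing '+' is a prefix wildcard."""
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return iface == pattern


def resolve_zone(iface, bindings, default_zone):
    """Zone an interface lands in: its explicit binding, else DefaultZone.

    An interface bound in two zones would get two competing sets of -i rules,
    so that configuration is refused rather than silently picking one.
    """
    hits = [z for z, pats in bindings.items()
            if any(iface_matches(p, iface) for p in pats)]
    if len(hits) > 1:
        raise ValueError(f"{iface} is bound in more than one zone: {sorted(hits)}")
    return hits[0] if hits else default_zone


def audit(interfaces, zone_files, default_zone):
    """Map interfaces to zones and warn when unbound ones fall into trusted.

    Returns (mapping, warning); warning is None when the fallback is harmless.
    """
    bindings = parse_bindings(zone_files)
    mapping = {}
    unbound = []
    for iface in interfaces:
        explicit = any(iface_matches(p, iface)
                       for pats in bindings.values() for p in pats)
        mapping[iface] = resolve_zone(iface, bindings, default_zone)
        if not explicit:
            unbound.append(iface)
    warning = None
    # The reporter's objection to "just make the default zone trusted": every
    # interface nobody bound explicitly, the uplink included, is then accepted.
    if default_zone == "trusted" and unbound:
        warning = f"DefaultZone=trusted accepts all traffic on unbound {unbound}"
    return mapping, warning


if __name__ == "__main__":
    for default in ("public", "trusted"):
        mapping, warning = audit(["eth0", "tun0", "virbr0", "virbr1"],
                                 ZONE_FILES, default)
        print(f"DefaultZone={default}: {mapping}")
        if warning:
            print("  WARNING:", warning)
```

Run against the real files with `ZONE_FILES` replaced by the contents of /etc/firewalld/zones/*.xml and `default_zone` read from the DefaultZone line of firewalld.conf, the same audit shows whether a host relies on the "default zone is trusted" workaround or on explicit bindings, which is exactly the distinction the reporter and the maintainer were weighing.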