Bug 903456 - Unable to permanently set zone for not-NM-managed interface
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: firewalld
Version: 18
Hardware: i686 Linux
Priority: unspecified
Severity: medium
Assigned To: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
Duplicates: 905293
Reported: 2013-01-23 22:01 EST by William Makowski
Modified: 2013-06-21 04:50 EDT
Fixed In Version: firewalld-0.3.0-1.fc19
Doc Type: Bug Fix
Last Closed: 2013-06-21 04:50:24 EDT
Type: Bug
Description William Makowski 2013-01-23 22:01:47 EST
Description of problem:
I am not able to add a permanent entry in the trusted zone for the tun0 interface created by openvpn. It is necessary to use "firewall-cmd --zone=trusted --add-interface=tun0" after any restarts to open the firewall. This could just be a lack of knowledge on my part. I did try "firewall-cmd --permanent --zone=trusted --add-interface=tun0", but the program exited and showed the man page for firewall-cmd.  Kind of neat, but unexpected.

Version-Release number of selected component (if applicable):
firewalld-0.2.12-1.fc18.noarch

How reproducible:
Attempt to create a permanent entry in trusted zone for interface tun0.

Steps to Reproduce:
1. firewall-cmd --permanent --zone=trusted --add-interface=tun0
  
Actual results:
The tun0 interface does not get added when the --permanent option is used with firewall-cmd. The program exits and shows the firewall-cmd man page.

Expected results:
Establish the entry for tun0 so that it remains persistent after a restart.
Comment 1 Jiri Popelka 2013-01-24 04:25:32 EST
What zone the connection (interface) belongs to is a property of the connection and therefore can be permanently changed (like all the other connection properties) either in /etc/sysconfig/network-scripts/ifcfg-<iface> (ZONE key) or in the NetworkManager GUI.

If the interface is not NetworkManager (NM) managed, then firewalld also does not know about it, because it's NM that tells firewalld when to add/remove a connection (interface) to/from which zone.

Connections (interfaces) which are *not* NM-managed are in the default zone, so the only way to permanently add this interface to the trusted zone (if you don't want to add it manually after every restart) is to change the default zone to trusted. You'll need firewalld-0.2.12-2 (in updates-testing at the moment) because of bug #902845.
Comment 2 William Makowski 2013-01-24 08:01:28 EST
I appreciate you replying so quickly. In this case the interface (tun0) gets created dynamically by openvpn and NetworkManager is not aware of it. It looks like NetworkManager can configure outgoing VPN connections, but not an interface of this type. There are no references to tun0 in /etc/sysconfig/network-scripts/ifcfg-xxxx. Perhaps this is something that needs to be addressed within NetworkManager or openvpn? However, the iptables way of doing things was to add it as a trusted interface.

I can see how allowing the default zone to be trusted would work. However, I don't feel this is the best workaround since it might unintentionally open a hole further down the road. I'm considering adding an ExecStartPost to openvpn@xxxxxx.service to execute firewall-cmd.
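The ExecStartPost workaround discussed in comment 2, written out as an added example that is not part of the bug report or of firewalld itself. It assumes firewall-cmd is on PATH (FIREWALL_CMD overrides it for a dry run), that the script is installed at a hypothetical path such as /usr/local/sbin/ovpn-zone, and it uses only the runtime --add-interface form, so it works on the 0.2.x releases discussed here without widening the default zone.

```shell
#!/bin/sh
# Added example, not from the bug report: a small script meant to be run from
# an ExecStartPost= line in the openvpn unit so the runtime zone assignment is
# redone after every service restart instead of making the default zone trusted.
# Assumptions: firewall-cmd is on PATH (FIREWALL_CMD overrides it, e.g. for a
# dry run); usage is "ovpn-zone <iface> <zone>"; install path is hypothetical.
set -eu

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Accept only a plain interface name or a trailing-wildcard pattern such as
# virbr+ (see comment 4); anything else is refused before it reaches firewalld.
valid_iface() {
  case "$1" in
    '' | [!A-Za-z0-9]* | *[!A-Za-z0-9_.+-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Put iface into zone for the running configuration (the --zone=... --add-interface=...
# form from comment 0). Returns 0 if the interface is in the zone afterwards,
# 1 if it already belongs to a different zone (firewalld refuses the add),
# 2 if the interface name is rejected.
assign_zone() {
  iface="$1"; zone="$2"
  valid_iface "$iface" || { echo "refusing interface name '$iface'" >&2; return 2; }
  # --get-zone-of-interface prints the zone, or "no zone" with a non-zero exit.
  current="$("$FIREWALL_CMD" --get-zone-of-interface="$iface" 2>/dev/null || true)"
  case "$current" in
    "$zone") return 0 ;;              # already assigned, nothing to do
    '' | 'no zone') ;;                # free: fall through and add it
    *) echo "$iface is already in zone '$current'" >&2; return 1 ;;
  esac
  "$FIREWALL_CMD" --zone="$zone" --add-interface="$iface" >/dev/null
}

# Render the systemd drop-in that wires this script to every openvpn@ instance.
# Install it as /etc/systemd/system/openvpn@.service.d/zone.conf (hypothetical).
dropin() {
  printf '[Service]\nExecStartPost=%s %s %s\n' "$1" "$2" "$3"
}

# When invoked with arguments, act; when sourced or run bare, only define.
if [ $# -ge 2 ]; then
  assign_zone "$1" "$2"
fi
```

After `systemctl daemon-reload`, restarting the openvpn instance re-applies the zone; with firewalld 0.3.0 or later the same command also accepts --permanent, as comment 5 notes.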
Comment 3 Jiri Popelka 2013-01-29 06:24:19 EST
*** Bug 905293 has been marked as a duplicate of this bug. ***
Comment 4 Peter Bieringer 2013-05-03 01:55:53 EDT
I'm also hit by this bug, like https://bugzilla.redhat.com/show_bug.cgi?id=905293. Having some virtual systems running in KVM, I always have to manually set up some rules after startup:

firewall-cmd --zone dmz --add-interface=virbr+
firewall-cmd --direct --add-rule ipv6 filter FWDO_ZONE_dmz 1 -j ACCEPT
firewall-cmd --direct --add-rule ipv6 filter FWDI_ZONE_dmz 1 -j ACCEPT

otherwise IPv6 application connectivity is blocked. None of the rules can be stored permanently, which is very strange and should be possible somehow.

Please add a feature to support permanent storing of such rules.

$ rpm -q firewalld
firewalld-0.2.12-5.fc18.noarch

BTW: it would be very good if firewalld would also support "router centric" configuration in addition to the "client centric" features it already has.
Comment 5 Jiri Popelka 2013-06-21 04:50:24 EDT
(In reply to William Makowski from comment #0)
> Steps to Reproduce:
> 1. firewall-cmd --permanent --zone=trusted --add-interface=tun0

This has been possible since 0.3.0 (Fedora-19 only), I'm closing this ticket.

(In reply to Peter Bieringer from comment #4)
> Please add a feature to support permanent storing of such rules.

That's bug #815489, which should be addressed in the near future.
