Red Hat Bugzilla – Bug 903456
Unable to permanently set zone for not-NM-managed interface
Last modified: 2013-06-21 04:50:24 EDT
Description of problem:
I am not able to add a permanent entry in the trusted zone for the tun0 interface created by openvpn. It is necessary to use "firewall-cmd --zone=trusted --add-interface=tun0" after any restarts to open the firewall. This could just be a lack of knowledge on my part. I did try "firewall-cmd --permanent --zone=trusted --add-interface=tun0", but the program exited and showed the man page for firewall-cmd. Kind of neat, but unexpected.
Version-Release number of selected component (if applicable):
Attempt to create a permanent entry in trusted zone for interface tun0.
Steps to Reproduce:
1. firewall-cmd --permanent --zone=trusted --add-interface=tun0
The tun0 interface does not get added when the --permanent option is used with firewall-cmd. The program exits and shows the firewall-cmd man page.
Establish the entry for tun0 so that it remains persistent after a restart.
What zone the connection (interface) belongs to is the property of the connection and therefore can be permanently changed (as all the other connection properties) either in /etc/sysconfig/network-scripts/ifcfg-<iface> (ZONE key) or in NetworkManager GUI.
If the interface is not NetworkManager (NM) managed then firewalld also does not know about it, because it's NM that tells firewalld when to add/remove a connection (interface) to/from which zone.
Connections (interfaces) which are *not* NM managed are in the default zone, so the only way to permanently add this interface to the trusted zone (if you don't want to add it manually after every restart) is to change the default zone to trusted. You'll need firewalld-0.2.12-2 (in updates-testing at the moment) because of bug #902845.
I appreciate you replying so quickly. In this case the interface (tun0) gets created dynamically by openvpn and NetworkManager is not aware of it. It looks like NetworkManager can configure outgoing VPN connections, but not an interface of this type. There are no references to tun0 in /etc/sysconfig/network-scripts/ifcfg-xxxx. Perhaps this is something that needs to be addressed within NetworkManager or openvpn? However, the iptables way of doing things was to add it as a trusted interface.
I can see how allowing the default zone to be trusted would work. However, I don't feel this is the best workaround since it might unintentionally open a hole further down the road. I'm considering adding an ExecStartPost to firstname.lastname@example.org to execute the firewall-cmd.
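The ExecStartPost approach mentioned above, written out as an added example (not code from the bug report or from the firewalld project): a script that generates a systemd drop-in re-binding only tun0 to the trusted zone each time the openvpn unit starts, which keeps the default zone untouched. The unit name, zone, interface and drop-in root are assumptions and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example: generate a systemd drop-in that re-adds the dynamically
# created tun0 interface to the "trusted" zone after the openvpn unit starts,
# instead of making the whole default zone trusted.
set -eu

ZONE="${ZONE:-trusted}"
IFACE="${IFACE:-tun0}"
# Placeholder: the real openvpn unit name is not given in the bug report.
UNIT="${UNIT:-openvpn@PLACEHOLDER.service}"

# Print the drop-in content. The binding is a runtime change: it is lost on
# a firewalld reload/restart, but the ExecStartPost re-applies it whenever
# the openvpn unit is (re)started, which is when tun0 is (re)created.
dropin_content() {
    cat <<EOF
[Service]
# Bind only the VPN interface to the zone; the default zone stays as it is.
ExecStartPost=/usr/bin/firewall-cmd --zone=${ZONE} --add-interface=${IFACE}
EOF
}

# Write the drop-in below the given root (default /etc/systemd/system) and
# print the resulting path. A "systemctl daemon-reload" is needed afterwards.
write_dropin() {
    root="${1:-/etc/systemd/system}"
    dir="$root/${UNIT}.d"
    mkdir -p "$dir"
    dropin_content > "$dir/firewalld-zone.conf"
    printf '%s\n' "$dir/firewalld-zone.conf"
}

# Report which zone the interface is currently bound to, for checking the
# drop-in after the unit has started (requires a running firewalld).
check_zone() {
    firewall-cmd --get-zone-of-interface "$IFACE"
}
```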
*** Bug 905293 has been marked as a duplicate of this bug. ***
I'm also hit by this bug like https://bugzilla.redhat.com/show_bug.cgi?id=905293; having some virtual systems running in KVM, I have always manually set up some rules after startup:
firewall-cmd --zone dmz --add-interface=virbr+
firewall-cmd --direct --add-rule ipv6 filter FWDO_ZONE_dmz 1 -j ACCEPT
firewall-cmd --direct --add-rule ipv6 filter FWDI_ZONE_dmz 1 -j ACCEPT
otherwise IPv6 application connectivity is blocked. None of the rules can be stored permanently, which is very strange and should be possible somehow.
Please add a feature to support permanent storing of such rules.
$ rpm -q firewalld
BTW: it would be very good if firewalld would also support "router centric" configuration in addition to the "client centric" features it already has.
(In reply to William Makowski from comment #0)
> Steps to Reproduce:
> 1. firewall-cmd --permanent --zone=trusted --add-interface=tun0
This has been possible since 0.3.0 (Fedora-19 only); I'm closing this ticket.
(In reply to Peter Bieringer from comment #4)
> Please add a feature to support permanent storing of such rules.
That's bug #815489, which should be addressed in the near future.