Chapter 47. Using and configuring firewalld

A firewall is a way to protect machines from unwanted traffic from outside. It enables users to control incoming network traffic on host machines by defining a set of firewall rules. These rules are used to sort the incoming traffic and either block it or allow it through.

firewalld is a firewall service daemon that provides a dynamic, customizable, host-based firewall with a D-Bus interface. Being dynamic, it enables creating, changing, and deleting rules without restarting the firewall daemon each time the rules are changed.

firewalld uses the concepts of zones and services, which simplify traffic management. Zones are predefined sets of rules. Network interfaces and sources can be assigned to a zone. The traffic allowed depends on the network your computer is connected to and the security level assigned to that network. Firewall services are predefined rules that cover all necessary settings to allow incoming traffic for a specific service, and they apply within a zone.

Services use one or more ports or addresses for network communication. Firewalls filter communication based on ports. To allow network traffic for a service, its ports must be open. firewalld blocks all traffic on ports that are not explicitly set as open. Some zones, such as trusted, allow all traffic by default.

Note: firewalld with the nftables backend does not support passing custom nftables rules to firewalld using the --direct option.

47.1. Getting started with firewalld

This section provides information about firewalld.
47.1.1. When to use firewalld, nftables, or iptables

The following is a brief overview of the scenarios in which you should use each of these utilities:

Important: To prevent the different firewall services from influencing each other, run only one of them on a RHEL host, and disable the other services.

47.1.2. Zones

firewalld can be used to separate networks into different zones according to the level of trust that the user has decided to place on the interfaces and traffic within that network. A connection can only be part of one zone, but a zone can be used for many network connections. NetworkManager notifies firewalld of the zone of an interface. You can assign zones to interfaces with:
The latter three can only edit the appropriate NetworkManager configuration files. If you change the zone of the interface using the web console, firewall-cmd, or firewall-config, the request is forwarded to NetworkManager and is not handled by firewalld. The predefined zones are stored in the /usr/lib/firewalld/zones/ directory and can be instantly applied to any available network interface. These files are copied to the /etc/firewalld/zones/ directory only after they are modified. The default settings of the predefined zones are as follows:

block: Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.

dmz: For computers in your demilitarized zone that are publicly accessible with limited access to your internal network. Only selected incoming connections are accepted.

drop: Any incoming network packets are dropped without any notification. Only outgoing network connections are possible.

external: For use on external networks with masquerading enabled, especially for routers. You do not trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.

home: For use at home when you mostly trust the other computers on the network. Only selected incoming connections are accepted.

internal: For use on internal networks when you mostly trust the other computers on the network. Only selected incoming connections are accepted.

public: For use in public areas where you do not trust other computers on the network. Only selected incoming connections are accepted.

trusted: All network connections are accepted.

work: For use at work where you mostly trust the other computers on the network. Only selected incoming connections are accepted.

One of these zones is set as the default zone. When interface connections are added to NetworkManager, they are assigned to the default zone. On installation, the default zone in firewalld is set to the public zone. The default zone can be changed.

Note: The network zone names are meant to be self-explanatory, so that users can quickly make a reasonable decision.
To avoid security problems, review the default zone configuration and disable any unnecessary services according to your needs and risk assessment.

Additional resources

47.1.3. Predefined services

A service can be a list of local ports, protocols, source ports, and destinations, as well as a list of firewall helper modules that are automatically loaded if the service is enabled. Using services saves time because several tasks, such as opening ports, defining protocols, and enabling packet forwarding, are achieved in a single step rather than set up one after another. Service configuration options and generic file information are described in the firewalld.service(5) man page. Services are specified by individual XML configuration files named in the format service-name.xml. Protocol names are preferred over service or application names in firewalld. Services can be added and removed using the graphical firewall-config tool, firewall-cmd, and firewall-offline-cmd. Alternatively, you can edit the XML files in the /etc/firewalld/services/ directory. If a service has not been added or changed by the user, no corresponding XML file exists in /etc/firewalld/services/. The files in the /usr/lib/firewalld/services/ directory can be used as templates if you want to add or change a service.

Additional resources
47.1.4. Starting firewalld

Procedure

47.1.5. Stopping firewalld

Procedure
47.1.6. Verifying the permanent firewalld configuration

In certain situations, for example after manually editing firewalld configuration files, administrators want to verify that the changes are correct. This section describes how to verify the permanent configuration of the firewalld service.

Prerequisites

Procedure

Run the firewall-cmd --check-config command. If the permanent configuration is valid, the command reports success:

    # firewall-cmd --check-config
    success

If a configuration file contains an error, the command reports it instead. For example, a zone file that uses an unknown protocol name produces:

    # firewall-cmd --check-config
    Error: INVALID_PROTOCOL: 'public.xml': 'tcpx' not from {'tcp'|'udp'|'sctp'|'dccp'}
47.2. Viewing the current status and settings of firewalld

This section covers viewing the current status, allowed services, and current settings of firewalld.

47.2.1. Viewing the current status of firewalld

The firewall service, firewalld, is installed on the system by default. Use the firewalld CLI interface to check that the service is running.

Procedure

47.2.2. Viewing allowed services using GUI

To view the list of services using the graphical firewall-config tool, press the Super key to enter the Activities Overview, type firewall, and press Enter. The firewall-config tool appears. You can now view the list of services under the Services tab. You can also start the graphical firewall configuration tool from the command line.

Prerequisites

Procedure

The Firewall Configuration window opens. Note that this command can be run as a normal user, but you are occasionally prompted for an administrator password.

47.2.3. Viewing firewalld settings using CLI

With the CLI client, it is possible to get different views of the current firewall settings. The --list-all option shows a complete overview of the firewalld settings. firewalld uses zones to manage the traffic. If a zone is not specified with the --zone option, the command applies to the default zone assigned to the active network interface and connection.

Procedure

Note: Listing the settings for a certain subpart using the CLI tool can sometimes be difficult to interpret. For example, you allow the ssh service and firewalld opens the necessary port (22) for the service. Later, if you list the allowed services, the list shows the ssh service, but if you list open ports, it does not show any. Therefore, use the --list-all option to make sure you receive complete information.

47.3. Controlling network traffic using firewalld

This section covers controlling network traffic using firewalld.

47.3.1. Disabling all traffic in case of emergency using CLI

In an emergency situation, such as a system attack, it is possible to disable all network traffic and cut off the attacker.

Procedure
Verification
47.3.2. Controlling traffic with predefined services using CLI

The most straightforward method to control traffic is to add a predefined service to firewalld. This opens all necessary ports and modifies other settings according to the service definition file.

Procedure

47.3.3. Controlling traffic with predefined services using GUI

This procedure describes how to control network traffic with predefined services using the graphical user interface.

Prerequisites

Procedure

The Ports, Protocols, and Source Port tabs enable adding, changing, and removing ports, protocols, and source ports for the selected service. The Modules tab is for configuring Netfilter helper modules. The Destination tab enables limiting traffic to a particular destination address and Internet Protocol version (IPv4 or IPv6).

Note: It is not possible to alter service settings in Runtime mode.

47.3.4. Adding new services

Services can be added and removed using the graphical firewall-config tool, firewall-cmd, and firewall-offline-cmd. Alternatively, you can edit the XML files in /etc/firewalld/services/. If a service has not been added or changed by the user, no corresponding XML file exists in /etc/firewalld/services/. The files in /usr/lib/firewalld/services/ can be used as templates if you want to add or change a service.

Note: Service names must be alphanumeric and can, additionally, include only _ (underscore) and - (dash) characters.

Procedure

To add a new service in a terminal, use firewall-cmd, or firewall-offline-cmd if firewalld is not active.

firewalld loads files from /usr/lib/firewalld first. If valid files are placed in /etc/firewalld, they override the matching files from /usr/lib/firewalld. The overridden files in /usr/lib/firewalld are used again as soon as the matching files in /etc/firewalld have been removed, or if firewalld has been asked to load the service defaults. This applies to the permanent environment only; a reload is needed to apply these fallbacks in the runtime environment as well.

47.3.5. Opening ports using GUI

To permit traffic through the firewall to a certain port, you can open the port in the GUI.

Prerequisites
Procedure

47.3.6. Controlling traffic with protocols using GUI

To permit traffic through the firewall using a certain protocol, you can use the GUI.

Prerequisites

Procedure

47.3.7. Opening source ports using GUI

To permit traffic through the firewall from a certain source port, you can use the GUI.

Prerequisites

Procedure
47.4. Controlling ports using CLI

Ports are logical endpoints that enable an operating system to receive and distinguish network traffic and forward it to the appropriate system services. A port is usually served by a daemon that listens on it, that is, waits for any traffic arriving at that port. Normally, system services listen on the standard ports reserved for them. The httpd daemon, for example, listens on port 80. However, system administrators may configure daemons to listen on different ports to enhance security or for other reasons.

47.4.1. Opening a port

Through open ports, the system is accessible from the outside, which represents a security risk. Generally, keep ports closed and only open them if they are required for certain services.

Procedure

To get a list of open ports in the current zone:

47.4.2. Closing a port

When an open port is no longer needed, close that port in firewalld. It is highly recommended to close all unnecessary ports as soon as they are no longer used, because leaving a port open represents a security risk.

Procedure

To close a port, remove it from the list of allowed ports:
47.5. Working with firewalld zones

Zones are a concept for managing incoming traffic more transparently. Zones are connected to network interfaces or assigned a range of source addresses. You manage firewall rules for each zone independently, which enables you to define complex firewall settings and apply them to the traffic.

47.5.1. Listing zones

This procedure describes how to list zones using the command line.

Procedure

47.5.2. Modifying firewalld settings for a certain zone

The sections Controlling traffic with predefined services using CLI and Controlling ports using CLI explain how to add services or modify ports in the scope of the current working zone. Sometimes it is necessary to set up rules in a different zone.

Procedure

47.5.3. Changing the default zone

System administrators assign a zone to a network interface in its configuration files. If an interface is not assigned to a specific zone, it is assigned to the default zone. After each restart of the firewalld service, firewalld loads the settings for the default zone and makes it active.

Procedure

To set the default zone:

47.5.4. Assigning a network interface to a zone

It is possible to define different sets of rules for different zones and then change the settings quickly by changing the zone of the interface in use. With multiple interfaces, a specific zone can be set for each of them to distinguish the traffic that comes through them.

Procedure

To assign a zone to a specific interface:

47.5.5. Assigning a zone to a connection using nmcli

This procedure describes how to add a firewalld zone to a NetworkManager connection using the nmcli utility.

Procedure

47.5.6. Manually assigning a zone to a network connection in an ifcfg file

When a connection is managed by NetworkManager, NetworkManager must be aware of the zone the connection uses. A zone can be specified for every network connection, which gives portable devices the flexibility of different firewall settings according to the location of the computer. Thus, zones and settings can be specified for different locations, such as company or home.

Procedure

47.5.7. Creating a new zone

To use custom zones, create a new zone and use it just like a predefined zone. New zones require the --permanent option; otherwise the command does not work.

Procedure

47.5.8. Zone configuration files

Zones can also be created using a zone configuration file. This approach is helpful when you need to create a new zone but want to reuse the settings of a different zone and alter them only slightly. A firewalld zone configuration file contains the information for a zone: the zone description, services, ports, protocols, icmp-blocks, masquerade, forward-ports, and rich language rules, in XML format. The file name has to be zone-name.xml, where the length of zone-name is currently limited to 17 characters. The zone configuration files are located in the /usr/lib/firewalld/zones/ and /etc/firewalld/zones/ directories. A typical configuration allows one service (ssh) and one port range, for both the TCP and UDP protocols. To change settings for that zone, add or remove sections to add ports, forward ports, services, and so on.

Additional resources
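The following is an added example, not code from the Red Hat documentation or from firewalld itself. It parses a zone file in the XML layout the section describes and applies two checks the chapter mentions: the 17-character zone-name limit and the protocol set accepted for ports, which firewall-cmd --check-config reports as INVALID_PROTOCOL. The child element and attribute names (short, description, service name=, port protocol= port=, target=) and both sample files are assumptions constructed for the example.

```python
"""Parse and sanity-check a firewalld-style zone configuration file.

Added example; not part of the Red Hat documentation or of firewalld.
Element and attribute names are assumptions based on the documented layout.
"""
import xml.etree.ElementTree as ET

ALLOWED_PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}   # set named in the check-config error
MAX_ZONE_NAME_LEN = 17                                # limit stated in the chapter

# Constructed sample: the zone described in the chapter, allowing the ssh
# service and one port range for both TCP and UDP.
SAMPLE_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>My Zone</short>
  <description>Example zone: ssh plus an unprivileged port range.</description>
  <service name="ssh"/>
  <port protocol="udp" port="1025-65535"/>
  <port protocol="tcp" port="1025-65535"/>
</zone>
"""

# Constructed sample carrying the kind of typo the chapter's
# firewall-cmd --check-config output complains about ('tcpx').
BROKEN_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Broken</short>
  <service name="ssh"/>
  <port protocol="tcpx" port="22"/>
</zone>
"""


def parse_zone(xml_text):
    """Return the zone's target, short name, services and (protocol, port) pairs."""
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        raise ValueError("root element must be <zone>, got <%s>" % root.tag)
    return {
        # Without a target attribute the zone uses the 'default' target.
        "target": root.get("target", "default"),
        "short": (root.findtext("short") or "").strip(),
        "services": [s.get("name") for s in root.findall("service")],
        "ports": [(p.get("protocol"), p.get("port")) for p in root.findall("port")],
    }


def _valid_port_spec(spec):
    """Accept a single port or a low-high range, both within 1..65535."""
    if spec is None:
        return False
    parts = spec.split("-")
    if len(parts) > 2 or not all(part.isdigit() for part in parts):
        return False
    nums = [int(part) for part in parts]
    return all(1 <= n <= 65535 for n in nums) and nums == sorted(nums)


def check_zone(zone_name, xml_text):
    """Return a list of problems found; an empty list means the file passed."""
    problems = []
    if len(zone_name) > MAX_ZONE_NAME_LEN:
        problems.append("zone name %r is longer than %d characters"
                        % (zone_name, MAX_ZONE_NAME_LEN))
    zone = parse_zone(xml_text)
    for proto, port in zone["ports"]:
        if proto not in ALLOWED_PROTOCOLS:
            # Mirrors the wording of the check-config error shown in the chapter.
            problems.append("INVALID_PROTOCOL: '%s.xml': %r not from %s"
                            % (zone_name, proto, "|".join(sorted(ALLOWED_PROTOCOLS))))
        if not _valid_port_spec(port):
            problems.append("INVALID_PORT: '%s.xml': %r" % (zone_name, port))
    return problems


if __name__ == "__main__":
    for name, text in (("public", SAMPLE_ZONE_XML), ("public", BROKEN_ZONE_XML)):
        print(name, check_zone(name, text) or "success")
```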
47.5.9. Using zone targets to set default behavior for incoming traffic

For every zone, you can set a default behavior that handles incoming traffic that is not further specified. This behavior is defined by setting the target of the zone. There are four options:

Procedure

To set a target for a zone:
Additional resources
47.6. Using zones to manage incoming traffic depending on a source

You can use zones to manage incoming traffic based on its source. That enables you to sort incoming traffic and route it through different zones to allow or disallow the services that can be reached by that traffic. If you add a source to a zone, the zone becomes active and any incoming traffic from that source is directed through it. You can specify different settings for each zone, which are applied to the traffic from the given sources accordingly. You can use several zones even if you only have one network interface.

47.6.1. Adding a source

To route incoming traffic into a specific zone, add the source to that zone. The source can be an IP address or an IP range in classless inter-domain routing (CIDR) notation.

Note: If you add multiple zones with overlapping network ranges, they are ordered alphanumerically by zone name and only the first one is considered.

The following procedure allows all incoming traffic from 192.168.2.15 in the trusted zone:

Procedure

47.6.2. Removing a source

Removing a source from a zone cuts off the traffic coming from it.

Procedure

47.6.3. Adding a source port

To enable sorting the traffic based on its port of origin, specify a source port using the --add-source-port option. You can also combine this with the --add-source option to limit the traffic to a certain IP address or IP range.

Procedure

47.6.4. Removing a source port

By removing a source port, you disable sorting the traffic based on its port of origin.

Procedure

47.6.5. Using zones and sources to allow a service for only a specific domain

To allow traffic from a specific network to use a service on a machine, use zones and sources. The following procedure allows only HTTP traffic from one specific network while any other traffic is blocked.

Warning: When you configure this scenario, use a zone that has the default target. Using a zone whose target is set to ACCEPT is a security risk, because all network connections from that network would then be accepted.

Procedure
Verification
Additional resources
47.7. Filtering forwarded traffic between zones

With a policy object, users can group different identities that require similar permissions in the policy. You can apply policies depending on the direction of the traffic. The policy objects feature provides forward and output filtering in firewalld. The following describes the use of firewalld to filter traffic between different zones, so that locally hosted VMs can connect to the host.

47.7.1. The relationship between policy objects and zones

Policy objects allow the user to attach firewalld primitives such as services, ports, and rich rules to the policy. You can apply the policy objects to traffic that passes between zones in a stateful and unidirectional manner. HOST and ANY are the symbolic zones used in the ingress and egress zone lists.

47.7.2. Using priorities to sort policies

Multiple policies can apply to the same set of traffic; therefore, priorities should be used to create an order of precedence for the policies that may be applied. You set a priority on a policy to sort the policies. Consider two policies, one with priority -500 and one with priority -100: -500 is the lower priority value but has the higher precedence, so the policy with -500 is evaluated before the one with -100. Lower numerical priority values take precedence over higher ones. The following rules apply to policy priorities:

47.7.3. Using policy objects to filter traffic between locally hosted containers and a network physically connected to the host

The policy objects feature allows users to filter their container and virtual machine traffic.

Procedure
Verification
47.7.4. Setting the default target of policy objects

You can specify --set-target options for policies. The following targets are available:
Verification
47.8. Configuring NAT using firewalld

With firewalld, you can configure the following network address translation (NAT) types:

47.8.1. NAT types

These are the different network address translation (NAT) types:

Masquerading and source NAT (SNAT): Use one of these NAT types to change the source IP address of packets. For example, Internet Service Providers do not route private IP ranges, such as 10.0.0.0/8. If you use private IP ranges in your network and users should be able to reach servers on the Internet, map the source IP address of packets from these ranges to a public IP address. Masquerading and SNAT are very similar to one another. The differences are:

47.8.2. Configuring IP address masquerading

The following procedure describes how to enable IP masquerading on your system. IP masquerading hides individual machines behind a gateway when they access the Internet.

Procedure

47.9. Using DNAT to forward HTTPS traffic to a different host

If your web server runs in a DMZ with private IP addresses, you can configure destination network address translation (DNAT) to enable clients on the Internet to connect to this web server. In this case, the host name of the web server resolves to the public IP address of the router. When a client establishes a connection to a defined port on the router, the router forwards the packets to the internal web server.

Prerequisites
Procedure
Verification
Additional resources
47.10. Managing ICMP requests

The Internet Control Message Protocol (ICMP) is a supporting protocol used by various network devices to send error messages and operational information indicating a connection problem, for example that a requested service is not available. ICMP differs from transport protocols such as TCP and UDP because it is not used to exchange data between systems. Unfortunately, it is possible to use ICMP messages, especially echo-request and echo-reply, to reveal information about your network and misuse that information for various kinds of fraudulent activity. Therefore, firewalld enables blocking ICMP requests to protect your network information.

47.10.1. Listing and blocking ICMP requests

Listing ICMP requests

The ICMP requests are described in individual XML files located in the /usr/lib/firewalld/icmptypes/ directory. You can read these files to see a description of each request. The firewall-cmd command controls the manipulation of ICMP requests.

Blocking or unblocking ICMP requests

When your server blocks ICMP requests, it does not provide the information that it normally would. However, that does not mean that no information is given at all: clients receive a notification that the particular ICMP request is being blocked (rejected). Blocking ICMP requests should be considered carefully, because it can cause communication problems, especially with IPv6 traffic.

Blocking ICMP requests without providing any information at all

Normally, if you block ICMP requests, clients know that you are blocking them. So a potential attacker who is scanning for live IP addresses is still able to see that your IP address is online. To hide this information completely, you have to drop all ICMP requests.

Now all traffic, including ICMP requests, is dropped, except traffic that you have explicitly allowed. To block and drop certain ICMP requests and allow others:

The block inversion inverts the ICMP request blocks: all requests that were not previously blocked are now blocked, because the target of your zone changes to DROP, and the requests that were blocked are no longer blocked. This means that if you want to unblock a request, you must use the blocking command. To revert the block inversion to a fully permissive setting:

47.10.2. Configuring the ICMP filter using GUI

47.11. Setting and controlling IP sets using firewalld

You can list the IP set types supported by firewalld with firewall-cmd, run as root.

47.11.1. Configuring IP set options using CLI

IP sets can be used in firewalld zones as sources and also as sources in rich rules. In Red Hat Enterprise Linux, the preferred method is to use the IP sets created with firewalld in a direct rule.

Only the creation and removal of IP sets is limited to the permanent environment; all other IP set options can also be used in the runtime environment without the --permanent option.

Warning: Red Hat does not recommend using IP sets that are not managed through firewalld. To use such IP sets, a permanent direct rule is required to reference the set, and a custom service must be added to create these IP sets. This service needs to be started before firewalld starts; otherwise firewalld is not able to add the direct rules that use these sets. You can add permanent direct rules with the /etc/firewalld/direct.xml file.

47.12. Prioritizing rich rules

By default, rich rules are organized based on their rule action. For example, deny rules have precedence over allow rules. The priority parameter in rich rules gives administrators fine-grained control over rich rules and their execution order.

47.12.1. How the priority parameter organizes rules into different chains

You can set the priority parameter in a rich rule to any number between -32768 and 32767; lower values have higher precedence. The firewalld service organizes rules based on their priority value into different chains:
Inside these sub-chains, firewalld sorts the rules based on their priority value.

47.12.2. Setting the priority of a rich rule

This procedure describes an example of how to create a rich rule that uses the priority parameter to log all traffic that is not allowed or denied by other rules. You can use this rule to flag unexpected traffic.

Procedure

47.13. Configuring firewall lockdown

Local applications or services are able to change the firewall configuration if they run as root (for example, libvirt). With this feature, the administrator can lock the firewall configuration so that either no applications, or only applications added to the lockdown allowlist, are able to request firewall changes. The lockdown setting defaults to disabled. If enabled, the user can be sure that no unwanted configuration changes are made to the firewall by local applications or services.

47.13.1. Configuring lockdown using CLI

This procedure describes how to enable or disable lockdown using the command line.

47.13.2. Configuring lockdown allowlist options using CLI

The lockdown allowlist can contain commands, security contexts, users, and user IDs. If a command entry on the allowlist ends with an asterisk "*", then all command lines starting with that command match. If the "*" is not there, the absolute command including its arguments must match.

47.13.3. Configuring lockdown allowlist options using configuration files

The default allowlist configuration file contains the NetworkManager context and the default context of libvirt. The user ID 0 is also on the list. The allowlist configuration files are stored in the /etc/firewalld/ directory.

An allowlist configuration file can, for example, enable all commands of the firewall-cmd utility for a user called user, identified by that user's ID. Such an entry can specify both the user id and the user name, but only one of the two is required. Python is the interpreter and is prepended to the command line. You can also allow only a specific command, for example only the firewall-cmd --list-all command.

In Red Hat Enterprise Linux, all utilities are placed in the /usr/bin/ directory, and the /bin/ directory is symlinked to /usr/bin/. In other words, although the path for firewall-cmd when entered as root might resolve to /bin/firewall-cmd, /usr/bin/firewall-cmd can now be used. All new scripts should use the new location. Be aware, however, that if scripts running as root are written to use the /bin/firewall-cmd path, that command path must be added to the allowlist in addition to the /usr/bin/firewall-cmd path traditionally used only for non-root users.
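The following is an added example, not code from the Red Hat documentation or from firewalld, that applies the allowlist matching rule from the two preceding sections to a constructed allowlist file: a command name ending in "*" matches every command line starting with the text before the "*", while an entry without "*" must match the whole command line including arguments, and a request is accepted if any command, user, user ID or context entry matches. The element and attribute names (whitelist, command name=, user id=, user name=, selinux context=), the "/usr/bin/python3 -s" interpreter prefix and the user ID 4242 are assumptions constructed for the example.

```python
"""Evaluate a firewalld-style lockdown allowlist against a change request.

Added example; not part of the Red Hat documentation or of firewalld.
File layout and interpreter prefix are assumptions; user ID 4242 is constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample: every firewall-cmd invocation for user "user" (by id and
# by name), root by id, and NetworkManager by SELinux context.
SAMPLE_ALLOWLIST_XML = """<?xml version="1.0" encoding="utf-8"?>
<whitelist>
  <selinux context="system_u:system_r:NetworkManager_t:s0"/>
  <command name="/usr/bin/python3 -s /usr/bin/firewall-cmd*"/>
  <user id="0"/>
  <user id="4242"/>
  <user name="user"/>
</whitelist>
"""

# Constructed sample that allows exactly one command line and nothing else.
EXACT_ONLY_ALLOWLIST_XML = """<?xml version="1.0" encoding="utf-8"?>
<whitelist>
  <command name="/usr/bin/python3 -s /usr/bin/firewall-cmd --list-all"/>
</whitelist>
"""


def load_allowlist(xml_text):
    """Parse the allowlist into command patterns, contexts, user IDs and names."""
    root = ET.fromstring(xml_text)
    if root.tag != "whitelist":
        raise ValueError("expected <whitelist> root element, got <%s>" % root.tag)
    return {
        "commands": [c.get("name") for c in root.findall("command") if c.get("name")],
        "contexts": {s.get("context") for s in root.findall("selinux") if s.get("context")},
        "uids": {int(u.get("id")) for u in root.findall("user") if u.get("id") is not None},
        "users": {u.get("name") for u in root.findall("user") if u.get("name") is not None},
    }


def command_matches(entry, command_line):
    """The chapter's rule: trailing '*' means prefix match, otherwise exact match."""
    if entry.endswith("*"):
        return command_line.startswith(entry[:-1])
    return command_line == entry


def is_allowed(allowlist, command_line=None, uid=None, user=None, context=None):
    """Return True if any allowlist entry matches the requesting process."""
    if command_line is not None and any(
            command_matches(entry, command_line) for entry in allowlist["commands"]):
        return True
    if uid is not None and uid in allowlist["uids"]:
        return True
    if user is not None and user in allowlist["users"]:
        return True
    if context is not None and context in allowlist["contexts"]:
        return True
    return False


if __name__ == "__main__":
    acl = load_allowlist(SAMPLE_ALLOWLIST_XML)
    # The /bin/ path is not the /usr/bin/ path the entry names, so it is refused,
    # which is the point the chapter makes about scripts run as root.
    for cmd in ("/usr/bin/python3 -s /usr/bin/firewall-cmd --add-service=http",
                "/usr/bin/python3 -s /bin/firewall-cmd --list-all"):
        print(cmd, "->", "allowed" if is_allowed(acl, command_line=cmd, uid=1000) else "refused")
```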
The # firewall-cmd --check-config success33 at the end of the name attribute of a command means that all commands that start with this string match. If the # firewall-cmd --check-config success33 is not there then the absolute command including arguments must match. 47.14. Enabling traffic forwarding between different interfaces or sources within a firewalld zoneIntra-zone forwarding is a # systemctl enable firewalld56 feature that enables traffic forwarding between interfaces or sources within a # systemctl enable firewalld56 zone. 47.14.1. The difference between intra-zone forwarding and zones with the default target set to ACCEPTWhen intra-zone forwarding is enabled, the traffic within a single # systemctl enable firewalld56 zone can flow from one interface or source to another interface or source. The zone specifies the trust level of interfaces and sources. If the trust level is the same, communication between interfaces or sources is possible. Note that, if you enable intra-zone forwarding in the default zone of # systemctl enable firewalld56, it applies only to the interfaces and sources added to the current default zone. The # systemctl enable firewalld99 zone of # systemctl enable firewalld56 uses a default target set to # systemctl disable firewalld34. This zone accepts all forwarded traffic, and intra-zone forwarding is not applicable for it. As for other default target values, forwarded traffic is dropped by default, which applies to all standard zones except the trusted zone. 47.14.2. Using intra-zone forwarding to forward traffic between an Ethernet and Wi-Fi networkYou can use intra-zone forwarding to forward traffic between interfaces and sources within the same # systemctl enable firewalld56 zone. For example, use this feature to forward traffic between an Ethernet network connected to # firewall-cmd --check-config success43 and a Wi-Fi network connected to # firewall-cmd --check-config success44. Procedure
Verification
The following verification steps require that the package needed for the test is installed on both hosts.
Additional resources
47.15. Configuring firewalld using System Roles
You can use the firewall System Role to configure settings of the firewalld service on multiple clients at once. This solution:
After you run the firewall role on the control node, the System Role applies the firewalld parameters to the managed node immediately and makes them persistent across reboots.
47.15.1. Introduction to the firewall RHEL System Role
RHEL System Roles is a collection of content for the Ansible automation utility. Together with Ansible, this content provides a consistent configuration interface to remotely manage multiple systems. The firewall role from the RHEL System Roles was introduced for automated configuration of the firewalld service. The rhel-system-roles package contains this System Role as well as its reference documentation.
To apply the firewalld parameters on one or more systems in an automated fashion, use the firewall System Role variable in a playbook. A playbook is a list of one or more plays written in the text-based YAML format. You can use an inventory file to define the set of systems that you want Ansible to configure. With the firewall role you can configure many different firewalld parameters, for example:
Additional resources
47.15.2. Resetting the firewalld settings using the firewall RHEL System Role
With the firewall RHEL System Role, you can reset the firewalld settings to their default state. If you add the previous: replaced parameter to the variable list, the System Role removes all existing user-defined settings and resets firewalld to the defaults. If you combine the previous: replaced parameter with other settings, the firewall role removes all existing settings before applying the new ones. Run this procedure on the Ansible control node.
Prerequisites
Procedure
If you do not specify the -u option, ansible-playbook connects to the managed node as the user that is currently logged in to the control node.
Verification
Additional resources
47.15.3. Forwarding incoming traffic from one local port to a different local port
With the firewall role you can remotely configure firewalld parameters with a persistent effect on multiple managed hosts. Perform this procedure on the Ansible control node.
Prerequisites
Procedure
Verification
Additional resources
47.15.4. Configuring ports using System Roles
You can use the RHEL firewall System Role to open or close ports in the local firewall for incoming traffic and make the new configuration persist across reboots. The example describes how to configure the default zone to permit incoming traffic for the HTTPS service. Perform this procedure on the Ansible control node.
Prerequisites
Procedure
Verification