Re: [CentOS] firewalld question

2016-03-25 Thread James Hogarth
On 25 March 2016 at 16:31, Matthew Miller wrote:

> On Fri, Mar 25, 2016 at 11:26:17AM +, Timothy Murphy wrote:
> > >> I'm wondering if it is possible to have Centos-7 automatically change
> > >> firewall zones, depending on the network we connect to.
> > > The way to do this is changing the zone for the network in
> > > NetworkManager.
> > Are there two different ways of setting firewalld zones,
> > in firewalld and in NetworkManager?
> > Which is taken if they differ?
>
> They can't differ — the configuration is stored in the ifcfg files, no
> matter how you set it.
>
>
>
In this instance you're incorrect, Matthew.

If an interface is associated with a zone via firewalld then this config is
in /etc/firewalld/zones/.xml with an interface element in the XML
there.

If NM has connection.zone modified to point to something this then would go
into /etc/sysconfig/network-scripts/ifcfg-* (as ZONE=)

And as a quick test the NM value overrides the firewalld one.

To verify this in a VM, assuming an interface name of eth0, do the
following:

== Make the firewalld change ==
firewall-cmd --change-interface=eth0 --zone=work
firewall-cmd --runtime-to-permanent

== Verify the config ==
firewall-cmd --get-active-zones
cat /etc/firewalld/zones/work.xml

** At this point the config all points to eth0 in work and verification
confirms this **

== Make the NM change ==
nmcli c mod "System eth0" connection.zone home

== Verify the config ==
firewall-cmd --get-active-zones
cat /etc/sysconfig/network-scripts/ifcfg-eth0
cat /etc/firewalld/zones/work.xml

** At this point the firewalld config points to eth0 in work but the NM
config points to home and verification confirms this different config but
home in use **

== Note the persistence ==
reboot
firewall-cmd --get-active-zones
cat /etc/sysconfig/network-scripts/ifcfg-eth0
cat /etc/firewalld/zones/work.xml

** The same situation as pre-reboot appears **

I assume this is the case as NM explicitly puts an interface into a zone as
part of the connection profile coming up. I haven't monitored dbus to see
if firewalld brings it up on one and NM changes it or not... easy for
someone else to test though ;)

> I find the firewalld definition of "zones" rather confusing.
> > I run shorewall on my home server, and that seems to me
> > to have a much simpler definition of zones.
>
> Think of "zone" as "set of presets".
>

It's a really horrible UX issue frankly; I've seen it confuse many people
at this point. This is made worse by the Fedora products creating their own
zones and defaulting to those, with EL7 using the firewalld upstream default
of Public, whose name itself is confusing when it doesn't really
relate to anything public but is just a name.

I've seen people assume work or home are detected by subnets or local net
only, for instance - when again it's just labels for the larger part.

Upstream firewalld has been reluctant to change this though from what I've
seen and you can't even remove the default zones nicely to get a clearer
view of things.
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
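As an added example, not part of any message in this thread: a POSIX shell script that reads the two places James names for a zone assignment, the ZONE= key in an ifcfg file and the `<interface name="..."/>` element in a firewalld zone XML, and reports the effective zone per interface using the precedence he observed in his test (the NM value wins when both are set, firewalld's binding otherwise, then the default zone). Both file formats are the real ones; the precedence rule is James's observed result encoded as an assumption, and the sample config tree, interface names and function names are constructed for the demonstration. It also flags the disagreeing state his test produced, which is the thing an auditor scripting a config review would want to catch.

```shell
#!/bin/sh
# Added example: resolve which firewalld zone an interface lands in when the
# zone may be declared in two places (ifcfg ZONE= and firewalld zone XML).
# The precedence (NM's ZONE= overrides firewalld's interface binding) is the
# behaviour James observed, assumed here so it can be checked over a config tree.

# Print the ZONE value from one ifcfg file (empty if unset or file missing).
ifcfg_zone() {
    ifcfg_file=$1
    [ -r "$ifcfg_file" ] || return 0
    sed -n 's/^ZONE=\(.*\)$/\1/p' "$ifcfg_file" | tr -d '"' | tail -n 1
}

# Print every firewalld zone (zone name = XML file basename) that binds the
# interface with an <interface name="..."/> element.
firewalld_zones_for_iface() {
    iface=$1
    zonedir=$2
    for f in "$zonedir"/*.xml; do
        [ -r "$f" ] || continue
        if grep -q "<interface name=\"$iface\"/>" "$f"; then
            basename "$f" .xml
        fi
    done
}

# Effective zone: NM's connection.zone (ZONE= in ifcfg) first, then the
# firewalld interface binding, then the default zone passed by the caller.
effective_zone() {
    iface=$1
    netscripts=$2
    zonedir=$3
    default_zone=$4
    z=$(ifcfg_zone "$netscripts/ifcfg-$iface")
    if [ -n "$z" ]; then printf '%s\n' "$z"; return 0; fi
    z=$(firewalld_zones_for_iface "$iface" "$zonedir" | head -n 1)
    if [ -n "$z" ]; then printf '%s\n' "$z"; return 0; fi
    printf '%s\n' "$default_zone"
}

# Succeed unless both places declare a zone for the interface and disagree,
# which is the state James reproduced (ifcfg says home, work.xml says eth0).
check_consistent() {
    iface=$1
    netscripts=$2
    zonedir=$3
    nm=$(ifcfg_zone "$netscripts/ifcfg-$iface")
    fw=$(firewalld_zones_for_iface "$iface" "$zonedir" | head -n 1)
    [ -z "$nm" ] || [ -z "$fw" ] || [ "$nm" = "$fw" ]
}

# Constructed sample config tree (not real system files) so the script runs
# stand-alone: eth0 is bound to work by firewalld but set to home by NM,
# eth1 is bound to work only, eth2 appears nowhere.
make_sample_tree() {
    root=$1
    mkdir -p "$root/network-scripts" "$root/zones"
    cat > "$root/network-scripts/ifcfg-eth0" <<'EOF'
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
ZONE=home
EOF
    cat > "$root/network-scripts/ifcfg-eth1" <<'EOF'
DEVICE=eth1
BOOTPROTO=dhcp
ONBOOT=yes
EOF
    cat > "$root/zones/work.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <service name="ssh"/>
  <interface name="eth0"/>
  <interface name="eth1"/>
</zone>
EOF
}

SAMPLE=$(mktemp -d)
make_sample_tree "$SAMPLE"
for i in eth0 eth1 eth2; do
    printf '%s -> %s\n' "$i" \
        "$(effective_zone "$i" "$SAMPLE/network-scripts" "$SAMPLE/zones" public)"
done
check_consistent eth0 "$SAMPLE/network-scripts" "$SAMPLE/zones" \
    || echo "eth0: ifcfg ZONE and firewalld interface binding disagree"
```

On a real host you would point `netscripts` at /etc/sysconfig/network-scripts and `zonedir` at /etc/firewalld/zones, and take the default zone from `firewall-cmd --get-default-zone`; the sample run prints `eth0 -> home`, `eth1 -> work`, `eth2 -> public` and then the disagreement warning for eth0. The useful property for review is the warning itself: a host where the two declarations differ is one where `firewall-cmd --get-active-zones` and the zone XML tell different stories, exactly what James's test shows.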


Re: [CentOS] firewalld question

2016-03-25 Thread Matthew Miller
On Fri, Mar 25, 2016 at 11:26:17AM +, Timothy Murphy wrote:
> >> I'm wondering if it is possible to have Centos-7 automatically change
> >> firewall zones, depending on the network we connect to.
> > The way to do this is changing the zone for the network in
> > NetworkManager.
> Are there two different ways of setting firewalld zones,
> in firewalld and in NetworkManager?
> Which is taken if they differ?

They can't differ — the configuration is stored in the ifcfg files, no
matter how you set it.


> I find the firewalld definition of "zones" rather confusing.
> I run shorewall on my home server, and that seems to me
> to have a much simpler definition of zones.

Think of "zone" as "set of presets".

-- 
Matthew Miller

Fedora Project Leader


Re: [CentOS] firewalld question

2016-03-25 Thread Timothy Murphy
Matthew Miller wrote:

>> I'm wondering if it is possible to have Centos-7 automatically change
>> firewall zones, depending on the network we connect to.

> The way to do this is changing the zone for the network in
> NetworkManager.

Are there two different ways of setting firewalld zones,
in firewalld and in NetworkManager?
Which is taken if they differ?

> (This works easily for wifi networks and is kind of a
> pain for wired ones, unfortunately, since there's not necessarily a
> good way to distinguish.) I don't have a CentOS (or RHEL) desktop and I
> don't remember offhand when this hit, but in Fedora, run the
> NetworkManager config panel, hit config on a network, and change the
> zone on the Security tab.
> 
> Or, put "ZONE=public" or "ZONE=work" or whatever in the ifcfg file for
> the network.
> 
> I'm hoping in the future to make this better, but there are actually a
> lot of different parts involved so it's hard to get everyone to agree
> on the best approach.
> 
> I personally make "public" my default zone, and then add zones that
> should be more trusted to networks that should be more open.

I find the firewalld definition of "zones" rather confusing.
I run shorewall on my home server, and that seems to me
to have a much simpler definition of zones.

-- 
Timothy Murphy  
gayleard /at/ eircom.net
School of Mathematics, Trinity College, Dublin




Re: [CentOS] firewalld question

2016-03-24 Thread Fred Smith
On Thu, Mar 24, 2016 at 06:39:37PM -0400, Matthew Miller wrote:

Thanks for the info, Matthew!

Fred
> On Thu, Mar 24, 2016 at 02:01:55PM -0400, Fred Smith wrote:
> > I'm wondering if it is possible to have Centos-7 automatically change
> > firewall zones, depending on the network we connect to.
> 
> The way to do this is changing the zone for the network in
> NetworkManager. (This works easily for wifi networks and is kind of a
> pain for wired ones, unfortunately, since there's not necessarily a
> good way to distinguish.) I don't have a CentOS (or RHEL) desktop and I
> don't remember offhand when this hit, but in Fedora, run the
> NetworkManager config panel, hit config on a network, and change the
> zone on the Security tab.
> 
> Or, put "ZONE=public" or "ZONE=work" or whatever in the ifcfg file for
> the network.
> 
> I'm hoping in the future to make this better, but there are actually a
> lot of different parts involved so it's hard to get everyone to agree
> on the best approach.
> 
> I personally make "public" my default zone, and then add zones that
> should be more trusted to networks that should be more open.
> 
> -- 
> Matthew Miller
> 
> Fedora Project Leader

-- 
 Fred Smith -- fre...@fcshome.stoneham.ma.us -
"Not everyone who says to me, 'Lord, Lord,' will enter the kingdom of
 heaven, but only he who does the will of my Father who is in heaven."
-- Matthew 7:21 (niv) -


Re: [CentOS] firewalld question

2016-03-24 Thread Fred Smith
On Thu, Mar 24, 2016 at 09:18:16PM +, James Hogarth wrote:

Thanks, James, that looks pretty good. I'll look into it and probably
give it a try.

Fred
> On 24 March 2016 at 18:01, Fred Smith wrote:
> 
> > Hi all!
> >
> > I'm wondering if it is possible to have Centos-7 automatically change
> > firewall zones, depending on the network we connect to.
> >
> > my default zone is "home" and it has some ports open that probably
> > shouldn't be open when I'm on someone else's network.
> >
> > so I'm thinking that if there's a way to have it always use home when
> > I'm at home, and external when I'm not, it would be great.
> >
> > I see that firewall-cmd has a ton of options, but not sure which one(s)
> > I'd need for switching. (I see one for setting default zone, but I didn't
> > see one for setting current zone--maybe I'm blind).
> >
> > I'm also not at all sure how to invoke it at a proper time,... perhaps
> > some udev rules?
> >
> >
> > anyone got any wisdom they can drop on me?
> >
> >
> The default zones are poorly named and should never have been included -
> especially given most of them aren't in use on any given system.
> 
> For a look into how to make use of firewalld take a look at this:
> 
> https://www.hogarthuk.com/?q=node/9
> 
> The best way to handle the scenario you describe would be multiple NM
> connection profiles (don't have it set to auto) so that you can set
> connection.zone correctly on each for the right network profile.
> 
> Then when you nmcli c up work (or home or whatever) to bring up that
> connection profile it'll come up in the right zone.
> 
> This manual nmcli c up is only needed if these are ethernet profiles, as
> there's no link between subnet and connection profile.
> 
> If these are WiFi connections NM already has different connection profiles
> and picks one to match the SSID - so you could set the right
> connection.zone in that.
> 
> The NM article goes into some details on connection profiles:
> 
> https://www.hogarthuk.com/?q=node/8
> 
> Alternatively if you know the subnets that will be connecting to you at
> work and home you could set your default profile to reject and create zones
> with appropriate incoming rules bound to the source subnets contacting your
> system.

-- 
 Fred Smith -- fre...@fcshome.stoneham.ma.us -
 God made him who had no sin
  to be sin for us, so that in him
 we might become the righteousness of God."
--- Corinthians 5:21 -


Re: [CentOS] firewalld question

2016-03-24 Thread Matthew Miller
On Thu, Mar 24, 2016 at 02:01:55PM -0400, Fred Smith wrote:
> I'm wondering if it is possible to have Centos-7 automatically change
> firewall zones, depending on the network we connect to.

The way to do this is changing the zone for the network in
NetworkManager. (This works easily for wifi networks and is kind of a
pain for wired ones, unfortunately, since there's not necessarily a
good way to distinguish.) I don't have a CentOS (or RHEL) desktop and I
don't remember offhand when this hit, but in Fedora, run the
NetworkManager config panel, hit config on a network, and change the
zone on the Security tab.

Or, put "ZONE=public" or "ZONE=work" or whatever in the ifcfg file for
the network.

I'm hoping in the future to make this better, but there are actually a
lot of different parts involved so it's hard to get everyone to agree
on the best approach.

I personally make "public" my default zone, and then add zones that
should be more trusted to networks that should be more open.

-- 
Matthew Miller

Fedora Project Leader


Re: [CentOS] firewalld question

2016-03-24 Thread James Hogarth
On 24 March 2016 at 18:01, Fred Smith wrote:

> Hi all!
>
> I'm wondering if it is possible to have Centos-7 automatically change
> firewall zones, depending on the network we connect to.
>
> my default zone is "home" and it has some ports open that probably
> shouldn't be open when I'm on someone else's network.
>
> so I'm thinking that if there's a way to have it always use home when
> I'm at home, and external when I'm not, it would be great.
>
> I see that firewall-cmd has a ton of options, but not sure which one(s)
> I'd need for switching. (I see one for setting default zone, but I didn't
> see one for setting current zone--maybe I'm blind).
>
> I'm also not at all sure how to invoke it at a proper time,... perhaps
> some udev rules?
>
>
> anyone got any wisdom they can drop on me?
>
>
The default zones are poorly named and should never have been included -
especially given most of them aren't in use on any given system.

For a look into how to make use of firewalld take a look at this:

https://www.hogarthuk.com/?q=node/9

The best way to handle the scenario you describe would be multiple NM
connection profiles (don't have it set to auto) so that you can set
connection.zone correctly on each for the right network profile.

Then when you nmcli c up work (or home or whatever) to bring up that
connection profile it'll come up in the right zone.

This manual nmcli c up is only needed if these are ethernet profiles, as
there's no link between subnet and connection profile.

If these are WiFi connections NM already has different connection profiles
and picks one to match the SSID - so you could set the right
connection.zone in that.

The NM article goes into some details on connection profiles:

https://www.hogarthuk.com/?q=node/8

Alternatively if you know the subnets that will be connecting to you at
work and home you could set your default profile to reject and create zones
with appropriate incoming rules bound to the source subnets contacting your
system.


[CentOS] firewalld question

2016-03-24 Thread Fred Smith
Hi all!

I'm wondering if it is possible to have Centos-7 automatically change
firewall zones, depending on the network we connect to.

my default zone is "home" and it has some ports open that probably
shouldn't be open when I'm on someone else's network.

so I'm thinking that if there's a way to have it always use home when
I'm at home, and external when I'm not, it would be great.

I see that firewall-cmd has a ton of options, but not sure which one(s)
I'd need for switching. (I see one for setting default zone, but I didn't
see one for setting current zone--maybe I'm blind).

I'm also not at all sure how to invoke it at a proper time,... perhaps
some udev rules?


anyone got any wisdom they can drop on me?

thanks!

-- 
 Fred Smith -- fre...@fcshome.stoneham.ma.us -
 God made him who had no sin
  to be sin for us, so that in him
 we might become the righteousness of God."
--- Corinthians 5:21 -