Firewalld zones

Amicccoo · July 2, 2024, 2:20pm

Hi,

I’m new to AlmaLinux, so sorry if I do a basic question about Firewalld zones.
I’m using AlmaLinux 9.4 on a server and I’m trying to setup the permissions that I usually use on Centos 7 servers.
I have configured the public zone to allow access to http service on port 80.
Then, I have created a zone named “operator” where I allow access to port 22 for ssh service.
On this zone “operator” I added the source ip on my network connection, so only from my ip I can access to the ssh port.

With this configuration, on centos 7 everything is ok: from my ip address I’m able to acces to port 80 and to port 22.
On the AlmaLinux server, I’m not able to connect to the http port 80 defined in the public zone.
If I remove my ip from the source list of the “operator” zone, I can access to port 80 defined on the public zone.
For the moment, I added the port 80 even to the “operator” zone, in this way I can access to port 22 and to port 80 from my ip address.

Is this the right way to manage zones on AlmaLinux?
On Centos 7, firewalld accept the connection if the rules set on the public zone are satisfied, while on AlmaLinux it seems that the definition of the source ip on the “operator” zone is precluding the access to port 80 defined on the public zone.

Is this right, or am I doing something wrong?

Thanks a lot for your help

jlehtone · July 2, 2024, 5:08pm

That was a logical error that should never have been there in the first place. The FirewallD in el7 did pass traffic that was not handled by the first zone (operator) into default (public), if the operator did not explicitly deny packages (the target) that it did not allow. That FirewallD did make a note about that in its latest versions.

The el8 and el9 FirewallD does the Right Thing. If a zone does not explicitly allow or deny something, then the packet hits the terminal reject.

You have two sets of “clients”. One set, “operator”, has only one machine. The other set, “public”, has everyone else.

The “operator” lists all the rules that are applied to members of “zone operator”. If you want them to access 22 and 80, then you have rules to allow 22 and 80 in that zone.

If you want everyone else to have access to only 80, then their zone should allow only 80.

You can see the actual ruleset (that is in kernel) generated by FirewallD with:

sudo nft list ruleset

Amicccoo · July 2, 2024, 9:35pm

Thanks jlehtone for your clear answer.
Now it’s clear to me how to set the zones on Firewalld, I always used el7, but now I’m switching to AlmaLinux 9.

Thank you very much for your explanation.