SCIENTIFIC-LINUX-USERS Archives

December 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Peter Boy <[log in to unmask]>
Reply To: Peter Boy <[log in to unmask]>
Date: Wed, 31 Dec 2014 00:02:01 +0100
Content-Type: text/plain
> On 30.12.2014 at 12:17, Karel Lang AFD <[log in to unmask]> wrote:
> 
> Hi,
> i already installed couple of SL7 boxes and i have to say, that the mentioned 'firewalld' is the new feature that i like the least.
> 
> What i do is, i just remove 'firewalld' and install 'iptables'. There i know what to do and there i could help you. But not with this.
> Firewalld is ugly (imho).
> 


I agree that firewalld by far is not the best feature of EL7, at least at the moment. And reading the maintainer’s comment on TUV bugzilla about firewall zone being a matter of NetworkManager and not of firewall I doubt the concept behind that implementation.

I tried iptables, but "systemctl status iptables" indicates again that the process is indeed active, but has terminated. And fail2ban requires firewalld and does not cooperate with iptables anymore. So I suppose I'm stuck with firewalld for now.

I resolved the problem:

- I made the trusted zone default (firewall-cmd --set-default-zone=trusted)
- I added the line "ZONE=public" to the public interface definitions (ifcfg-eth0 and ifcfg-br0 in my case) in /etc/sysconfig/network-scripts/.

After reboot as well as after a "firewall-cmd --reload" the public interfaces were in public zone and virbr0 was in trusted zone.

At first I found virbr0 was in zone internal after I stopped firewalld and restarted it again (in contrast to reboot and reload) until I remembered that I previously had assigned it to that zone using --permanent --change-interface=virbr0. When I changed it to zone=trusted, everything was OK.

It was clearly a configuration error, nevertheless I think it is a bug if the same configuration silently creates different results.

I'm a bit uneasy to have trusted as the default zone. But at least it works.


Peter






-- 
Dr. Peter Boy
Universität Bremen
Mary-Somerville-Str. 5
28359 Bremen
Germany

[log in to unmask]
www.zes.uni-bremen.de

————————————————

Are you looking for a web content management system for scientific research organizations?
Have a look at http://www.scientificcms.org

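A small audit script for the zone bindings described in the mail above, added here as an example and not part of the original post or of firewalld itself. It parses a constructed sample of `firewall-cmd --get-active-zones` output instead of querying a live host, checks that each interface landed in the zone it was meant for (the virbr0-in-internal surprise is exactly the kind of drift it reports), and flags a trusted default zone, since firewalld places every interface without an explicit binding into the default zone.

```shell
#!/bin/sh
# Constructed sample of `firewall-cmd --get-active-zones` output (not captured from a
# real host): the binding the mail ends up with, eth0/br0 in public, virbr0 in trusted.
SAMPLE_ACTIVE_ZONES='public
  interfaces: eth0 br0
trusted
  interfaces: virbr0'

# Print the zone an interface is bound to, reading --get-active-zones output from stdin.
# Prints nothing if the interface is not bound to any active zone.
zone_of_iface() {
    awk -v want="$1" '
        NF == 1 && $0 == $1 { zone = $1; next }     # unindented line: the zone name
        $1 == "interfaces:" {                        # "  interfaces: eth0 br0"
            for (i = 2; i <= NF; i++) if ($i == want) { print zone; exit }
        }'
}

# Compare expected bindings ("iface=zone" pairs) against --get-active-zones output ($1).
# Returns 1 if any interface landed somewhere else, e.g. virbr0 still in 'internal'
# after a stop/start instead of a reload, as the mail describes.
audit_zones() {
    active=$1; shift
    rc=0
    for pair in "$@"; do
        iface=${pair%%=*}; want=${pair#*=}
        got=$(printf '%s\n' "$active" | zone_of_iface "$iface")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH: $iface is in zone '${got:-<none>}', expected '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# firewalld puts every interface without an explicit zone binding into the default zone,
# and 'trusted' accepts all traffic, so a trusted default leaves unlisted interfaces open.
# Takes `firewall-cmd --get-default-zone` output; returns 1 when the default is trusted.
check_default_zone() {
    if [ "$1" = trusted ]; then
        echo "WARNING: default zone is 'trusted'; unbound interfaces are unrestricted" >&2
        return 1
    fi
    return 0
}

# On a real SL7 host (assumes firewall-cmd is installed and firewalld is running):
#   audit_zones "$(firewall-cmd --get-active-zones)" eth0=public br0=public virbr0=trusted
#   check_default_zone "$(firewall-cmd --get-default-zone)"
```

Run the two live calls from the trailing comment after a reboot and again after a reload or a stop/start to catch the silent zone change the mail reports.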
