Date: Wed, 31 Dec 2014 00:02:01 +0100
> On 30.12.2014 at 12:17, Karel Lang AFD <[log in to unmask]> wrote:
>
> Hi,
> I already installed a couple of SL7 boxes and I have to say that the mentioned 'firewalld' is the new feature that I like the least.
>
> What I do is, I just remove 'firewalld' and install 'iptables'. There I know what to do and there I could help you. But not with this.
> Firewalld is ugly (imho).
>
I agree that firewalld by far is not the best feature of EL7, at least at the moment. And reading the maintainer’s comment on TUV bugzilla about firewall zone being a matter of NetworkManager and not of firewall I doubt the concept behind that implementation.
I tried iptables, but "systemctl status iptables" indicates again that the process is indeed active, but has terminated. And fail2ban requires firewalld and does not cooperate with iptables anymore. So I suppose I’m stuck with firewalld for now.
I resolved the problem:
- I made the trusted zone default (firewall-cmd --set-default-zone=trusted)
- I added the line "ZONE=public" to the public interface definitions (ifcfg-eth0 and ifcfg-br0 in my case) in /etc/sysconfig/network-scripts/.
After reboot as well as after a "firewall-cmd --reload" the public interfaces were in public zone and virbr0 was in trusted zone.
At first I found virbr0 was in zone internal after I stopped firewalld and restarted it again (in contrast to reboot and reload) until I remembered that I previously had assigned it to that zone using --permanent --change-interface=virbr0. When I changed it to zone=trusted, everything was OK.
It was clearly a configuration error, nevertheless I think it is a bug if the same configuration silently creates different results.
I’m a bit uneasy to have trusted as the default zone. But at least it works.
Peter
—
Dr. Peter Boy
Universität Bremen
Mary-Somerville-Str. 5
28359 Bremen
Germany
[log in to unmask]
www.zes.uni-bremen.de
————————————————
Are you looking for a web content management system for scientific research organizations?
Have a look at http://www.scientificcms.org
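As an added example (not part of the original mail or of firewalld itself), a small POSIX shell check that reads the ZONE= lines from ifcfg files and reports which interfaces would land in the default zone only implicitly; with trusted as the default, those are the interfaces left fully open. The interface names and sample ifcfg files below are constructed to mirror the setup described in the mail.

```shell
#!/bin/sh
# Added example, not code from the original mail. An interface whose ifcfg
# file carries no ZONE= line is placed in firewalld's default zone; when that
# default is "trusted", the interface is not filtered at all.
# Assumptions: ifcfg-* files live in the given directory and the default zone
# is passed in (on a real box: firewall-cmd --get-default-zone).

# audit_zones DEFAULT_ZONE IFCFG_DIR
# Prints "<iface> <zone> <explicit|implicit>" per interface and returns 1 if
# any interface falls into the trusted zone without an explicit ZONE= line.
audit_zones() {
    default_zone=$1
    dir=$2
    rc=0
    for f in "$dir"/ifcfg-*; do
        [ -f "$f" ] || continue
        iface=$(sed -n 's/^DEVICE=//p' "$f" | tr -d '"')
        [ -n "$iface" ] || iface=${f##*/ifcfg-}
        zone=$(sed -n 's/^ZONE=//p' "$f" | tr -d '"')
        if [ -n "$zone" ]; then
            printf '%s %s explicit\n' "$iface" "$zone"
        else
            printf '%s %s implicit\n' "$iface" "$default_zone"
            [ "$default_zone" = "trusted" ] && rc=1
        fi
    done
    return $rc
}

# Constructed sample configuration: eth0 and br0 pinned to public as in the
# mail, virbr0 and lo with no ZONE= line so they inherit the default zone.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'DEVICE=eth0\nZONE=public\n' > "$d/ifcfg-eth0"
    printf 'DEVICE=br0\nZONE=public\n' > "$d/ifcfg-br0"
    printf 'DEVICE=virbr0\n' > "$d/ifcfg-virbr0"
    printf 'DEVICE=lo\n' > "$d/ifcfg-lo"
    echo "$d"
}
```

firewalld also stores interface bindings made with `--permanent --change-interface` in its own zone files, which this check does not read; on a live system compare its output with `firewall-cmd --get-active-zones`.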