I have two servers with different versions of RHEL and firewalld. Both are configured the same, but they are behaving differently when I add a source IP to a zone.
Server A:
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.9 (Maipo)
# firewall-cmd --version
0.6.3
Server B:
# cat /etc/redhat-release
Red Hat Enterprise Linux release 9.3 (Plow)
# firewall-cmd --version
1.2.5
Both servers have a very basic firewalld config, and I can ssh into both of them (note the inclusion of the ssh service in both configs):
A:
# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens32
sources:
services: dhcpv6-client mysql ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
B:
# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eno8303
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
The servers are going to host a MariaDB database so I need to ensure port 3306 is allowed. With no other changes, I run the following commands which (from experience) allow port 3306 traffic from the specific IP address 192.168.1.2:
# firewall-cmd --new-zone=test --permanent
success
# firewall-cmd --zone=test --add-source=192.168.1.2 --permanent
success
# firewall-cmd --zone=test --add-port=3306/tcp --permanent
success
# firewall-cmd --reload
After running these commands, I can still SSH into Server A from IP address 192.168.1.2, but I can't SSH into Server B. I can, however, SSH into Server B from other machines. From 192.168.1.2 into Server B I get:
# ssh ServerB
ssh: connect to host ServerB port 22: No route to host
If I create the zone without the --add-source option, SSH works fine, so it seems like this option has a different behaviour on the newer server. Is that correct? I cannot find any other reason for this not working.
It looks like older versions of firewalld were allowing Zone Drifting.
What is zone drifting?
A user may configure a source-based zone, zoneFoo (a zone to which you've added sources via --add-source). If zoneFoo uses a --set-target of default, then the packets will be allowed to ingress a second interface-based zone. This includes the catch-all default zone.
Sources:
Firewalld blog post: https://firewalld.org/2020/01/allowzonedrifting
Alma Linux forum: https://almalinux.discourse.group/t/adding-source-ip-to-specific-zone-prevents-same-ip-from-accessing-services-in-other-zones/2539/3
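As an added illustration (not firewalld's own code, and not from the question or the linked posts), here is a small Python model of the evaluation order the answer describes: a source-based zone is consulted first, and with a target of default an unmatched packet only reaches the interface-based zone when zone drifting is allowed. The service-to-port table, the zone layout and the second client host 10.0.0.5 are assumptions built from Server B's configuration above.

```python
from dataclasses import dataclass, field

# Assumed service-to-port table (subset of /usr/lib/firewalld/services/).
SERVICES = {"ssh": {("tcp", 22)}, "cockpit": {("tcp", 9090)},
            "mysql": {("tcp", 3306)}, "dhcpv6-client": {("udp", 546)}}

@dataclass
class Zone:
    name: str
    interfaces: set = field(default_factory=set)
    sources: set = field(default_factory=set)
    services: set = field(default_factory=set)
    ports: set = field(default_factory=set)  # {(proto, port), ...}
    target: str = "default"

    def allows(self, proto, port):
        """True if a service or explicit port in this zone opens proto/port."""
        return (proto, port) in ({p for s in self.services for p in SERVICES[s]} | self.ports)

def evaluate(zones, src_ip, iface, proto, port, allow_zone_drifting):
    """(verdict, zone) for an inbound packet. Source-based zones are checked
    before interface-based zones; with target "default", a packet the source
    zone does not open is REJECTed (icmp-host-prohibited, which ssh reports as
    "No route to host") unless zone drifting lets it fall through."""
    src_zone = next((z for z in zones if src_ip in z.sources), None)
    if_zone = next((z for z in zones if iface in z.interfaces), None)
    if src_zone is not None:
        if src_zone.allows(proto, port):
            return "ACCEPT", src_zone.name
        if src_zone.target != "default":
            return src_zone.target, src_zone.name
        if not allow_zone_drifting:
            return "REJECT", src_zone.name
    if if_zone is None:
        return "REJECT", None
    if if_zone.allows(proto, port):
        return "ACCEPT", if_zone.name
    return ("REJECT" if if_zone.target == "default" else if_zone.target), if_zone.name

def server_b(allow_zone_drifting, ssh_in_test_zone=False):
    """Zone layout from the question, on Server B's interface name (assumed)."""
    public = Zone("public", interfaces={"eno8303"},
                  services={"cockpit", "dhcpv6-client", "ssh"})
    test = Zone("test", sources={"192.168.1.2"}, ports={("tcp", 3306)},
                services={"ssh"} if ssh_in_test_zone else set())
    def pkt(ip, port):  # constructed inbound TCP packet on eno8303
        return evaluate([test, public], ip, "eno8303", "tcp", port, allow_zone_drifting)
    return {"ssh_from_source": pkt("192.168.1.2", 22),
            "mysql_from_source": pkt("192.168.1.2", 3306),
            "ssh_from_other": pkt("10.0.0.5", 22)}
```

With drifting on (Server A) the ssh packet from 192.168.1.2 drifts into public and is accepted; with it off (Server B) the test zone rejects it, which is what the "No route to host" shows. The ssh_in_test_zone case models the fix of opening ssh in the source-based zone itself, for example with firewall-cmd --zone=test --add-service=ssh --permanent followed by --reload.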