Questions[firewalld-zone](server)

I'm new in firewallcmd managment, so probably I'm asking a simple question. What I have to do is allow all incoming connections except for some IPs.

To block IPs I used the "block" zone:

firewall-cmd --zone=block --add-source=5.13.70.0/24
firewall-cmd --zone=block --add-source=192.168.10.2

This is working perfect on all interfaces, but what I have to do now is allow ALL incoming/outgoing traffic from/to other IPs.

For sure I can use the following to enable specific IP:

firewall-cmd --zone=trusted --add-source=10.5.123.0/24

But I need to block only some IPs who try to connect to my server and allow the rest of the traffic. Any clue? Thank you Lucas

EDIT: Well, maybe I can use this one to allow all, keeping IPs in block zone:

firewall-cmd --zone=trusted --add-source=0.0.0.0/0

This should allow all inconming/outgoing traffic except from IP in block zone. Am I wrong?

I am building a new server and i am using Firewalld for the first time.

I have a loadbalancer that takes public ip requests and routes them to one of my servers with internal IPs

These servers have both public and private ips.

The public ips are restricted access to one IP and that works.

What i am trying to allow all requests to 192.168.194.138 to have access to all ports

I have tried creating a service /etc/firewalld/services/internalIP.xml and have added the service to the trusted zone, but does not make a difference.

I can not access 192.168.194.138 unless I disable Firewalld.

My public IP is on eth0 and my private ip is on eth0:1

This is internalIP.xml :

<?xml version="1.0" encoding="utf-8"?>
<service>
  <description>Allow all on non-routable ip</description>
  <destination ipv4="192.168.194.138" />
</service>

These are my zones:

firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 220/tcp 10016/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

and

firewall-cmd --zone=trusted --list-all
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources: 67.my.ip
  services: internalIP
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

I upgraded my server to Fedora 32. Firewalld has switched the backend to Nftables.

My setup is pretty simple. Just HTTP, HTTPS, SSH, SMTP ports open and multiple IPsets (IPv4, IPv6) to block a preset list of IP addresses. Earlier I used to do everything in Iptables with Ipsets but right now I'm trying to upgrade my setup to Nftables and I'm using Firewalld for this.

$ firewall-cmd --zone=public --permanent --add-service=ssh
$ firewall-cmd --zone=public --permanent --add-service=http
$ firewall-cmd --zone=public --permanent --add-service=https
$ firewall-cmd --zone=public --permanent --add-service=smtp
###
Till here things are fine. firewall-cmd --reload works perfectly.
###
$ firewall-cmd --permanent --new-ipset=blacklist --type=hash:net --option=family=inet
$ firewall-cmd --permanent --new-ipset=blacklist6 --type=hash:net --option=family=inet6
$ firewall-cmd --permanent --zone=drop --add-source=ipset:blacklist
$ firewall-cmd --permanent --zone=drop --add-source=ipset:blacklist6
$ firewall-cmd --permanent --ipset=blacklist --add-entries-from-file=blacklist.txt
$ firewall-cmd --permanent --ipset=blacklist6 --add-entries-from-file=blacklist6.txt

The moment I run firewall-cmd --reload I see the below error and all the traffic to my server gets blocked except SSH, which is already established. New SSH connection is also blocked.

$ firewall-cmd --reload
Error: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: No such file or directory

internal:0:0-0: Error: No such file or directory

internal:0:0-0: Error: No such file or directory

internal:0:0-0: Error: No such file or directory

internal:0:0-0: Error: No such file or directory

internal:0:0-0: Error: No such file or directory

internal:0:0-0: Error: No such file or directory

internal:0:0-0: Error: No such file or directory

internal:0:0-0: Error: No such file or directory


JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_public"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_public_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_public_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_public_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_public_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_public_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "expr": [{"jump": {"target": "filter_IN_public_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "expr": [{"jump": {"target": "filter_IN_public_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "expr": [{"jump": {"target": "filter_IN_public_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "expr": [{"jump": {"target": "filter_IN_public_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "expr": [{"jump": {"target": "filter_IN_public_post"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_public"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_public_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_public_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_public_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_public_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_public_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_public", "expr": [{"jump": {"target": "filter_FWDI_public_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_public", "expr": [{"jump": {"target": "filter_FWDI_public_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_public", "expr": [{"jump": {"target": "filter_FWDI_public_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_public", "expr": [{"jump": {"target": "filter_FWDI_public_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_public", "expr": [{"jump": {"target": "filter_FWDI_public_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "index": 4, "expr": [{"match": {"left": {"meta": {"key": "l4proto"}}, "op": "==", "right": {"set": ["icmp", "icmpv6"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_public", "index": 4, "expr": [{"match": {"left": {"meta": {"key": "l4proto"}}, "op": "==", "right": {"set": ["icmp", "icmpv6"]}}}, {"accept": null}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_public"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_public_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_public_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_public_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_public_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_public_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_public", "expr": [{"jump": {"target": "raw_PRE_public_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_public", "expr": [{"jump": {"target": "raw_PRE_public_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_public", "expr": [{"jump": {"target": "raw_PRE_public_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_public", "expr": [{"jump": {"target": "raw_PRE_public_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_public", "expr": [{"jump": {"target": "raw_PRE_public_post"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "eth0"}}, {"goto": {"target": "raw_PRE_public"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_public"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_public_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_public_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_public_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_public_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_public_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_public", "expr": [{"jump": {"target": "mangle_PRE_public_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_public", "expr": [{"jump": {"target": "mangle_PRE_public_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_public", "expr": [{"jump": {"target": "mangle_PRE_public_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_public", "expr": [{"jump": {"target": "mangle_PRE_public_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_public", "expr": [{"jump": {"target": "mangle_PRE_public_post"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "eth0"}}, {"goto": {"target": "mangle_PRE_public"}}]}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_public"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_public_pre"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_public_log"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_public_deny"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_public_allow"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_public_post"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_pre"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_log"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_deny"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_allow"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_post"}}]}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_public"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_public_pre"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_public_log"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_public_deny"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_public_allow"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_public_post"}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_pre"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_log"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_deny"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_allow"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_post"}}]}}}, {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "eth0"}}, {"goto": {"target": "nat_PRE_public"}}]}}}, {"insert": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "eth0"}}, {"goto": {"target": "nat_PRE_public"}}]}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_public"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_public_pre"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_public_log"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_public_deny"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_public_allow"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_public_post"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_pre"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_log"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_deny"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_allow"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_post"}}]}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_public"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_public_pre"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_public_log"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_public_deny"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_public_allow"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_public_post"}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_pre"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_log"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_deny"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_allow"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_post"}}]}}}, {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "eth0"}}, {"goto": {"target": "nat_POST_public"}}]}}}, {"insert": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "eth0"}}, {"goto": {"target": "nat_POST_public"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "eth0"}}, {"goto": {"target": "filter_IN_public"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_IN_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "eth0"}}, {"goto": {"target": "filter_FWDI_public"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_public", "expr": [{"jump": {"target": "filter_FWDO_public_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_public", "expr": [{"jump": {"target": "filter_FWDO_public_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_public", "expr": [{"jump": {"target": "filter_FWDO_public_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_public", "expr": [{"jump": {"target": "filter_FWDO_public_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_public", "expr": [{"jump": {"target": "filter_FWDO_public_post"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_OUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "eth0"}}, {"goto": {"target": "filter_FWDO_public"}}]}}}]}

I've googled a bit and found that IPset is not required in Nftables since nftables have something called sets. How do I configure Nftables sets using Firewalld? Please guide if I'm going wrong.

Thanks in advance.

We have a puppet module (v3.6.2 as we're using it for Satellite 6)

The module works as expected, except when adding multiple sources to a zone. It will add the zone and then add one souce, then error out trying to add the second source to the zone with the message:

INVALID_ZONE: backup

Running the module a second time successfully adds sources 2 and 3.

The zone is being created successfully and the firewalld reload is triggering, but it's almost as if it doesn't finish the reload as it doesn't see the newly added "backup" zone as being valid for the second and third sources.

Module Code:

class firewalld(
    $enabled = true,
    $package_name = 'firewalld',
    $service_name = 'firewalld',
    $config_dir = '/etc/firewalld',
    $zone_create = [],
    $zone_remove = [],
    $zone_set_default = '',
    $zone_add_source = hiera_hash('firewalld::zone_add_source', { }),
    $zone_add_service = hiera_hash('firewalld::zone_add_service', { }))
{

    if $enabled {
        $service_ensure = 'running'
        $service_enable = true
        $package_ensure = 'present'
        $config_ensure = 'present'
        Package["$package_name"] -> File["$config_dir"]
        File["$config_dir"] -> Service["$service_name"]
    } else {
        $service_ensure = 'stopped'
        $service_enable = false
        $package_ensure = 'absent'
        $config_ensure = 'absent'
        Service["$service_name"] -> File["$config_dir"]
        File["$config_dir"] -> Package["$package_name"]
    }

    package { "$package_name":
        ensure => $package_ensure,
    }

    file { "$config_dir":
        ensure => $config_ensure,
        force  => true,
    }

    service { "$service_name":
        ensure     => $service_ensure,
        enable     => $service_enable,
        hasrestart => true,
        hasstatus  => true,
    }

    exec { 'firewalld_reload':
        onlyif      => 'systemctl -q is-enabled firewalld.service',
        path        => '/bin:/usr/bin:/sbin:/usr/sbin',
        # command     => "systemctl restart firewalld.service",
        command     => "firewall-cmd --reload",
        refreshonly => true,
    }

    define firewalld_zone_create() {
        exec { "firewalld_zone_create_${name}":
            path    => '/bin:/usr/bin:/sbin:/usr/sbin',
            command => "firewall-cmd --permanent --new-zone=${name}",
            unless  => "firewall-cmd --permanent --get-zones | grep -qw ${name}",
            notify  => Exec['firewalld_reload'],
            require => Service['firewalld'],
        }
    }

    define firewalld_zone_add_source($zone, $source) {
        exec { "firewalld_${zone}_add_source_${source}":
            path    => '/bin:/usr/bin:/sbin:/usr/sbin',
            command => "firewall-cmd --permanent --zone=${zone} --add-source=${source}",
            unless  => "firewall-cmd -q --permanent --zone=${zone} --query-source=${source}",
            notify  => Exec['firewalld_reload'],
            require => Service['firewalld'],
        }
    }

    if $enabled {
        firewalld_zone_create{ $zone_create: } -> firewalld_zone_set_default_zone{ $zone_set_default: }
        create_resources('firewalld_zone_add_service', $zone_add_service)
        create_resources('firewalld_zone_add_source', $zone_add_source)
    }
}

I've cut out the sections defining adding ports/targets etc as it's quite long.

The input I'm using is

class { 'firewalld':
    enabled          => true,
    zone_create      => ['zone1', 'mgmt', 'backup'],
    zone_add_service => {
        '001' => { 'zone' => 'mgmt', 'service' => 'ssh' },
    },
    zone_add_source  => {
        '001' => { 'zone' => 'mgmt', 'source' => 'INT.x.x.x/24' },
        '002' => { 'zone' => 'mgmt', 'source' => 'INT.x.x.x/24' },
        '003' => { 'zone' => 'mgmt', 'source' => 'INT.x.x.0/24' },
        '004' => { 'zone' => 'backup', 'source' => 'IP.1.x.x/24' },
        '005' => { 'zone' => 'backup', 'source' => 'IP.2.x.0/24' },
        '006' => { 'zone' => 'backup', 'source' => 'IP.3.x.0/24' },
    },
    zone_set_default => 'zone1',
}

I've changed the subnets and zone names for security purposes.

If anyone could please advise on why this behaviour is occurring and how to resolve it, I'd greatly appreciate it.

Note: I've tried both a firewall-cmd --reload and a systemctl restart firewalld.service and get the same result.

Cheers, Amelia

I have a server in a datacenter that serves as an IPA master and VPN server. For simplicity, assume I need to enable the "ipsec" service for VPN, and the "kerberos" service for IPA.

I would like to: 1) Allow traffic from anywhere to access the ipsec ports. 2) Only allow traffic from the private IP space to access the kerberos ports.

This seems easy enough; add a source IP space to the "work" zone, open up "kerberos" in the "work" zone, open up "ipsec" in the "public" zone. However, my interface "eth0" is only attached to the "public" zone. It seems like an interface is only meant to apply to a single zone.

So I have two questions. First, is what I would like to do reasonable? Second, what is the correct usage pattern to accomplish my goals with firewalld? As an example, I know I could accomplish my goals with rich rules, but this sounds like something that should be done using zones.