
I have the following zones that are relevant for this question.

  • SemiTrusted and
  • Public

I want to treat IPSEC-encrypted traffic (that is coming from some specific IP addresses) as belonging to SemiTrusted.

In iptables I would use policy matching to use a semitrusted chain.

How can I achieve this with firewalld? I did not see any mention of policy in the firewalld man pages, and did not see how to match on IPsec policy in firewalld.richlanguage(5).

I assume I can use firewalld.direct(5) but I don't know how to integrate it with the other firewalld.zone(5)-based configuration.

edit: To make it clear, I don't want to open ipsec ports in zone SemiTrusted. That is trivial.

ibotty

2 Answers

1

You don't need a direct rule for this; firewalld already has a service definition for IPsec.

firewall-cmd --zone=SemiTrusted --add-service=ipsec

The definition permits all AH, ESP and UDP port 500 traffic.

You'll need a second rule if either end is behind NAT, since you then also need UDP port 4500:

firewall-cmd --zone=SemiTrusted --add-port=4500/udp
Michael Hampton
  • I don't think that answers my question. I want all traffic coming to the host via ipsec to be treated as being in zone SemiTrusted. What you described opens the ipsec ports in zone SemiTrusted, right? – ibotty Jul 03 '15 at 07:09
  • Are you using tunnel mode or transport mode? And generally you can just let the ipsec daemon handle adding the firewall rules. – Michael Hampton Jul 03 '15 at 07:14
  • For now I am using transport mode, but I will add a tunnel connection later. I know that the ipsec daemon will usually add some firewall rules, but the problem is _not_ that ipsec doesn't work. It does. The problem is how to tell firewalld to e.g. allow a service only to ipsec-connected hosts (ensure traffic is encrypted). I know how to do that with iptables, but I'd like to integrate it with FirewallD zones. – ibotty Jul 03 '15 at 07:35
0

I've done a similar thing with an intermediate zone:

# first allow 500/udp, 4500/udp, AH and ESP on incoming interface
firewall-cmd --permanent --zone=public --add-service=ipsec

# traffic from our specific IPs
firewall-cmd --permanent --new-zone=OurIps
firewall-cmd --permanent --zone=OurIps --add-source=a.b.c.d/29

# little hack to ensure zone SemiTrusted active and relevant chains are in iptables
firewall-cmd --permanent --new-ipset=empty --type=hash:ip
firewall-cmd --permanent --new-zone=SemiTrusted
firewall-cmd --permanent --zone=SemiTrusted --add-source=ipset:empty

# rule to forward incoming IPsec traffic from OurIps zone to SemiTrusted zone
firewall-cmd --permanent --direct --add-rule ipv4 filter IN_OurIps 0 -m policy --pol ipsec --dir in -g IN_SemiTrusted

# and... have fun
firewall-cmd --reload

Of course, you can manage IPs in OurIps via explicit subnets or ipsets.
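A check to run after the reload above, added here as an example and not part of either answer: it reads `iptables-save` output (below a constructed, abbreviated sample; on a host pipe the real output in) and confirms that the `-m policy --pol ipsec` goto rule is present in IN_OurIps and sits ahead of any ACCEPT in that chain, so plaintext packets from the /29 cannot be accepted before the IPsec check runs. The chain names IN_OurIps and IN_SemiTrusted are the ones the answer's direct rule produces.

```shell
#!/bin/sh
# Verify that the IPsec policy "goto" added with firewall-cmd --direct is
# present in IN_OurIps and precedes any direct ACCEPT in that chain.
# Reads iptables-save output on stdin; returns 0 if present and ordered, 1 otherwise.
ipsec_goto_ok() {
    awk '
        /^-A IN_OurIps / {
            # the direct rule: policy match on inbound IPsec, goto SemiTrusted
            if ($0 ~ /-m policy/ && $0 ~ /--pol ipsec/ && $0 ~ /--dir in/ && $0 ~ /-g IN_SemiTrusted/) {
                found = 1
            } else if ($0 ~ /-j ACCEPT/ && !found) {
                # an ACCEPT reached before the policy check: plaintext gets in
                early_accept = 1
            }
        }
        END { if (found && !early_accept) exit 0; exit 1 }
    '
}

# Constructed sample of the filter table after `firewall-cmd --reload`
# with the configuration above (direct rule at priority 0, then zone subchains).
SAMPLE_GOOD='*filter
:IN_OurIps - [0:0]
:IN_SemiTrusted - [0:0]
-A IN_OurIps -m policy --dir in --pol ipsec -g IN_SemiTrusted
-A IN_OurIps -j IN_OurIps_log
-A IN_OurIps -j IN_OurIps_deny
-A IN_OurIps -j IN_OurIps_allow
-A IN_OurIps_allow -p tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed sample with the direct rule missing: traffic from the /29 is
# never diverted, so nothing in IN_OurIps requires IPsec.
SAMPLE_MISSING='*filter
:IN_OurIps - [0:0]
-A IN_OurIps -j IN_OurIps_log
-A IN_OurIps -j IN_OurIps_deny
-A IN_OurIps -j IN_OurIps_allow
COMMIT'

printf '%s\n' "$SAMPLE_GOOD" | ipsec_goto_ok && echo "policy goto present and ordered"
printf '%s\n' "$SAMPLE_MISSING" | ipsec_goto_ok || echo "policy goto missing or mis-ordered"
```

On a live host run `iptables-save | ipsec_goto_ok` after every reload, since direct rules are the part of the configuration that `firewall-cmd --list-all --zone=SemiTrusted` does not show.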