
I came across some strange behavior of firewalls having 3 interfaces: when using a permanent assignment rule for interface to zone,

after a reboot it jumps back to the default zone (whichever is set as the default zone in firewalld)

firewall-cmd --permanent --zone=external --add-interface=eno16777736

or

firewall-cmd --permanent --zone=internal --change-interface=eno16777736

They don't seem to be working ....

Zaza

4 Answers


It's a bug; you may like to visit: https://bugs.centos.org/view.php?id=7526

I found only one way to fix this at this time:

echo "ZONE=what_ever_zone_youd_like" >> /etc/sysconfig/network-scripts/ifcfg-eno16777736

firewall-cmd --complete-reload
systemctl restart firewalld.service

Then check it:

firewall-cmd --list-all-zones
  • This is not a bug, just normal behavior that some CentOS users were not aware of. NetworkManager decides what firewall zone is to be used for interfaces it manages. – Michael Hampton Dec 07 '16 at 01:33
  • How can NetworkManager decide where I need it to be if, let's say, I'm trying to create load balancing... – Dec 29 '16 at 05:00

When the system is using NetworkManager to handle interface configuration (as may be indicated by empty or missing /etc/sysconfig/network-scripts/* directory entries), try the following steps to set the zone via NetworkManager's configuration system:

  1. Verify NetworkManager is running:
$ systemctl status NetworkManager

● NetworkManager.service - Network Manager
   Loaded: loaded (/usr/lib/systemd/system/NetworkManager.service; enabled; vendor preset: enabled)
   Active: active (running)
  2. If so, list the connection "profile name" (which may differ from the device name) using nmcli:
$ nmcli

                   vvvvvvvvvvvvvvvvvv "profile name"
eth0: connected to Wired connection 1
        "Red Hat Virtio"
        ethernet (virtio_net),
  3. Set the desired zone with nmcli using the profile name, for example:
$ nmcli connection modify "Wired connection 1" connection.zone ZONE

The zone change should be immediately visible via firewall-cmd --get-active-zones and persist across future reboots.


I found how to solve a similar issue with FirewallD, NetworkManager and Docker in CentOS 7.

It seems to be an issue in FirewallD. I reported it here, with a workaround to make it work after a reboot: https://github.com/t-woerner/firewalld/issues/195

tiangolo

I was facing the same problems before. In our infrastructure we've realized that sometimes, for no reason, NetworkManager was taking some interfaces out of their defined zone. (Until that moment we configured zones in the interface configuration files.)

As is obvious, in a production environment this is just UNACCEPTABLE.

How we managed to solve this problem:

  1. Disable NetworkManager
  2. Configure the interface zone in the zone file under /etc/firewalld/zones/*.xml
  3. The syntax is as follows:

    <interface name="<interface_name>"/>
    
  4. You'll now be able to restart / reload firewalld without any trouble

Otherwise, I suspect that if you set up your zone with the command below, with NetworkManager disabled and not running, it will work just fine:

firewall-cmd --zone=<zone_name> --change-interface=<interface_name> --permanent
Abel
  • Actually, I've just tested after executing an update, and the bug in `Networkmanager` that was causing this behavior seems to be solved. – Abel Jan 08 '18 at 13:39
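The answers above name three places a persistent zone binding can live: the ZONE= line in ifcfg-<iface> (first answer; on CentOS 7 NetworkManager's ifcfg-rh plugin also stores connection.zone there, so the nmcli answer writes the same line), the <interface name=".."/> element in /etc/firewalld/zones/<zone>.xml (last answer, and what --permanent --change-interface writes), and the live state from firewall-cmd --get-active-zones. When they disagree, NetworkManager re-applies its own value every time the connection comes up, which is the "jumps back to the default zone" symptom in the question. The following is an added POSIX shell example, not code from any poster in this thread, that audits all three for an interface. Every path and the get-active-zones text are passed in as arguments; the sample tree and active-zones text at the bottom are constructed to reproduce the symptom and are not captured from a real host.

```shell
#!/bin/sh
# Added example (not from this thread's posters): audit where an interface's
# firewalld zone is declared persistently and compare it with the live state.
# Every input is a path or a string so the functions run against real files
# on a CentOS 7 host or against the constructed samples at the bottom.

# Zone from the ZONE= line of an ifcfg-<iface> file. This is the line the
# first answer appends, and also where NetworkManager's ifcfg-rh plugin
# stores connection.zone, so both of those answers end up in the same place.
# Usage: ifcfg_zone /etc/sysconfig/network-scripts/ifcfg-eno16777736
ifcfg_zone() {
    # Last ZONE= line wins, which is what an appended `echo >>` produces.
    sed -n 's/^ZONE=//p' "$1" 2>/dev/null | tail -n 1 | tr -d '"'
}

# Zones whose <zone>.xml carries <interface name="<iface>"/> (the last
# answer's approach; --permanent --change-interface writes the same element).
# Usage: xml_zones_for_iface /etc/firewalld/zones eno16777736
xml_zones_for_iface() {
    dir=$1; iface=$2
    for f in "$dir"/*.xml; do
        [ -f "$f" ] || continue
        if grep -qF "<interface name=\"$iface\"/>" "$f"; then
            basename "$f" .xml
        fi
    done
    return 0
}

# Zone an interface is currently in, parsed from the text of
# `firewall-cmd --get-active-zones`, e.g.
#   public
#     interfaces: eno16777736
# An interface that is not listed at all falls into the default zone.
# Usage: active_zone_for_iface "$(firewall-cmd --get-active-zones)" eno16777736
active_zone_for_iface() {
    printf '%s\n' "$1" | awk -v iface="$2" '
        /^[^[:space:]]/            { zone = $1; next }
        /^[[:space:]]+interfaces:/ { for (i = 2; i <= NF; i++) if ($i == iface) { print zone; exit } }'
}

# Compare the persistent declaration (ifcfg first, then zone XML) with the
# live zone. Prints MATCH / MISMATCH / UNBOUND and returns 0 only on MATCH,
# so it can gate a deployment step.
# Usage: check_iface_zone <iface> <ifcfg-file> <zones-dir> <get-active-zones-text>
check_iface_zone() {
    iface=$1; ifcfg=$2; zdir=$3; active=$4
    want=$(ifcfg_zone "$ifcfg")
    [ -n "$want" ] || want=$(xml_zones_for_iface "$zdir" "$iface" | head -n 1)
    have=$(active_zone_for_iface "$active" "$iface")
    if [ -z "$want" ]; then
        echo "UNBOUND $iface live=${have:-default}"; return 2
    elif [ "$want" = "$have" ]; then
        echo "MATCH $iface zone=$have"; return 0
    else
        echo "MISMATCH $iface persistent=$want live=${have:-default}"; return 1
    fi
}

# --- constructed sample data, not captured from a real host ---------------
# Live state showing the symptom from the question: eno16777736 has fallen
# back to the default zone (public) although it is declared as external.
SAMPLE_ACTIVE='public
  interfaces: eno16777736
internal
  interfaces: eno33554984'

# Builds a throwaway tree: an ifcfg file binding eno16777736 to external and
# a zone XML binding eno33554984 to internal. Prints the tree's root.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/network-scripts" "$root/zones"
    printf 'DEVICE=eno16777736\nONBOOT=yes\nZONE=external\n' \
        > "$root/network-scripts/ifcfg-eno16777736"
    printf '<?xml version="1.0" encoding="utf-8"?>\n<zone>\n  <short>Internal</short>\n  <interface name="eno33554984"/>\n</zone>\n' \
        > "$root/zones/internal.xml"
    printf '<?xml version="1.0" encoding="utf-8"?>\n<zone>\n  <short>External</short>\n</zone>\n' \
        > "$root/zones/external.xml"
    echo "$root"
}

# Run the audit over the sample tree. On a real host pass
# /etc/sysconfig/network-scripts/ifcfg-<iface>, /etc/firewalld/zones and
# "$(firewall-cmd --get-active-zones)" instead.
demo() {
    root=$(make_sample_tree)
    for ifc in eno16777736 eno33554984; do
        check_iface_zone "$ifc" "$root/network-scripts/ifcfg-$ifc" "$root/zones" "$SAMPLE_ACTIVE" || :
    done
    rm -rf "$root"
}

demo
```

On the sample data the audit reports MISMATCH for eno16777736 (persistent=external, live=public) and MATCH for eno33554984. The lookup order in check_iface_zone is deliberate: if an ifcfg ZONE= line exists, that is what NetworkManager will push at the next connection activation, so it is the value to compare the live state against; the zone XML only decides when NetworkManager has no opinion (no ZONE= line, or NetworkManager disabled as in the last answer). A MISMATCH with a ZONE= line that disagrees with the XML is the configuration that produces the behavior in the question.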