ikke-t / awx_pod

Ansible role to install Ansible AWX into pod using podman.

Firewalld issues #20

Closed christianhilbrands closed 4 years ago

christianhilbrands commented 4 years ago

When I run the Ansible playbook to set up/modify AWX 11.2.0, firewalld gets the configuration from NetworkManager. This config lets everyone in, but I want to block everyone and let only a few sources in.

What i have tried so far:

  1. add sources manually and reload (did not work)
  2. make a zone manually and add them (did not work)
  3. adjusted the podman playbook to create a custom zone (did not work)
  4. added sources in step 3 (did not work)

It looks like the network scripts prevent me from overwriting the manual firewalld config? I read on the internet that I should try something with ifcfg-post? Link: https://firewalld.org/documentation/zone/connections-interfaces-and-sources.html I don't have any ideas left, maybe you have some?

Kind regards, Christian Hilbrands

ikke-t commented 4 years ago

Hard to tell what was wrong as you didn't provide samples. However, you would likely need to modify your default zone to drop all, and add a zone which allows traffic from the given IP addresses.

If you have Red Hat subscription, read this:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/securing_networks/using-and-configuring-firewalld_securing-networks#using-zones-to-manage-incoming-traffic-depending-on-a-source_using-and-configuring-firewalld

If not, try this: https://unix.stackexchange.com/questions/159873/whitelist-source-ip-addresses-in-centos-7
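The zone layout described above (default zone set to drop, a separate zone that is bound to an explicit source list and opens only the AWX port), as an added example script that is not part of the awx_pod role or of anyone's comment in this thread. The host port 8052, the zone name "awx-admin" and the sample CIDRs are assumptions; substitute whatever your playbook publishes. Because firewalld matches source-bound zones before interface-bound zones, the allow zone works even though the host interface stays in the default zone. Set DRY_RUN=1 to print the firewall-cmd invocations instead of running them.

```shell
#!/bin/sh
# Added example (not from awx_pod): drop everything by default and allow the
# AWX port only from an explicit source list via a dedicated firewalld zone.
# Assumed values: AWX_PORT 8052, zone name awx-admin, sample CIDRs are made up.

AWX_PORT="${AWX_PORT:-8052}"
AWX_ZONE="${AWX_ZONE:-awx-admin}"

# Run a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Build the source-bound allow zone and make "drop" the default zone.
# $@ = IPs or CIDRs allowed to reach AWX (and ssh).
configure_awx_firewall() {
    [ "$#" -gt 0 ] || { echo "no allowed sources given" >&2; return 1; }
    run firewall-cmd --permanent --new-zone="$AWX_ZONE"
    for src in "$@"; do
        run firewall-cmd --permanent --zone="$AWX_ZONE" --add-source="$src"
    done
    run firewall-cmd --permanent --zone="$AWX_ZONE" --add-port="${AWX_PORT}/tcp"
    # keep ssh reachable from the same allow list, or you lock yourself out
    run firewall-cmd --permanent --zone="$AWX_ZONE" --add-service=ssh
    # --set-default-zone is a runtime and permanent change; everything that is
    # not matched by a source or interface zone now hits "drop"
    run firewall-cmd --set-default-zone=drop
    run firewall-cmd --reload
}

# Verification: the podman CNI bridge landing in "trusted" is the thing the
# thread warns about, so look at the active zones after the change.
show_zones() {
    run firewall-cmd --get-active-zones
    run firewall-cmd --zone="$AWX_ZONE" --list-all
}

# usage: DRY_RUN=1 sh awx-firewall.sh 203.0.113.0/24 198.51.100.7
if [ "$#" -gt 0 ]; then
    configure_awx_firewall "$@" && show_zones
fi
```

Run it once with DRY_RUN=1 and check the printed sequence before running it for real from a console session, not over ssh from an address that is missing from the allow list.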

christianhilbrands commented 4 years ago

Thanks for the comment, I have already changed the podman playbook so that the ports go to a different zone. I think I need to set the default zone to drop (I have not tried that yet). But I think I am going to set up a new AWX with version 13, where I will add what you mentioned.

cfelder commented 4 years ago

Maybe I can cite something I discussed in May on the podman mailing list here:

Thanks for pointing that out. When changing the default policy to DROP (using iptables -P FORWARD DROP), the traffic is blocked as expected. Using iptables is deprecated in RHEL/CentOS 8 and unfortunately the default policy for firewalld is hard-wired to ACCEPT, as it has another concept of using zones, which I tried without success in this use case so far. Note: the CNI is added to the trusted zone by default.

I think I'll stick to the approach of not publishing to all interfaces any services which should not be exposed world-wide. When using this internally I can still bind to loopback (127.0.0.1) and use ssh tunnelling to get access to that service as intended.

Thus I don’t need to fiddle too much with the firewalld configs in this scenario.

Thanks a lot for your great advice. I hope this is beneficial for someone else stumbling across this.

Hope this helps
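The loopback-plus-ssh-tunnel approach from the comment above, as an added example that is not code from awx_pod or from the comment's author. It publishes the pod port on 127.0.0.1 only, so the DNAT rule podman inserts only matches traffic arriving on loopback, and then checks `ss -Hltn` output to confirm nothing on the AWX port listens on a wildcard address. The pod name, the host name and port 8052 are placeholders; the `ss` lines used below are constructed for the check.

```shell
#!/bin/sh
# Added example (not from awx_pod or the thread): publish AWX on loopback only,
# verify the binding from `ss` output, and reach it through an ssh tunnel.
# Assumed values: pod name "awx", host port 8052, remote host "awx-host".

AWX_PORT="${AWX_PORT:-8052}"

# Run a command, or just print it when DRY_RUN is set.
run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Publish with an explicit host IP; without it podman binds 0.0.0.0 and the
# port is reachable from every interface regardless of the firewalld zones.
create_awx_pod() {
    run podman pod create --name awx -p "127.0.0.1:${AWX_PORT}:8052"
}

# Read `ss -Hltn` output on stdin. Return 0 when every listener on AWX_PORT
# is on 127.0.0.1 or [::1]; otherwise print the exposed lines and return 1.
check_loopback_only() {
    awk -v port="$AWX_PORT" '
        {
            # $4 is Local Address:Port, e.g. 127.0.0.1:8052, 0.0.0.0:8052, [::]:8052
            n = split($4, a, ":"); p = a[n]
            if (p != port) next
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (addr != "127.0.0.1" && addr != "[::1]") { print "exposed: " $0; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# From the admin workstation: forward a local port to the loopback-bound
# service on the AWX host, then browse http://127.0.0.1:8052/.
open_tunnel() {
    # $1 = ssh target, e.g. awx-host
    run ssh -N -L "${AWX_PORT}:127.0.0.1:${AWX_PORT}" "$1"
}

# usage on the AWX host: sh awx-loopback.sh setup; sh awx-loopback.sh check
case "${1:-}" in
    setup) create_awx_pod ;;
    check) ss -Hltn | check_loopback_only ;;
    tunnel) open_tunnel "${2:-awx-host}" ;;
esac
```

The check is worth keeping in a health playbook: a later edit to the role that drops the `127.0.0.1:` prefix silently turns the port world-reachable again, and the firewall zones will not save you because the podman bridge sits in the trusted zone.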

christianhilbrands commented 4 years ago

This helps a lot. Thanks for the advice @cfelder