jprorama / scidmz

Ansible management harness for ScienceDMZ

Implement working firewalld configuration for DTN #1

Closed jprorama closed 7 years ago

jprorama commented 8 years ago

The DTN nodes require an enhanced set of firewall rules to support multiple gridftp data channels, control channels from globus.org and authentication services.

CentOS 7 uses firewalld, so I will try to maximize use of the ansible firewalld support.

jprorama commented 8 years ago

The incoming connections from all source ports are easy to configure, simply add the ports to the public zone.

The restricted access ports require using a custom zone. This is because a source restriction applies to zones as a whole. This could either be done by defining a dedicated zone for the globus services or using the "trusted" zone, since there are only two unique IPs and two ports of interest.

The dedicated zone is appealing because it allows fine tuning the source for just these services and can be structured to add any other source to a specific service, but it doesn't look like the firewalld module supports creating zones.

Using the trusted zone is appealing because it's a default zone and has a prescribed function. The downside is that all ports and all sources are grouped into the same zone, even if those source-port combinations don't make sense or shouldn't be allowed.

An alternative is to use rich rules. This approach is more like traditional iptables management, where a configuration line fully describes the source+port accept rule, and rich rules are supported in the firewalld module. The downside is that it bakes a source IP restriction into the public zone, which conflicts with the function of zones in firewalld.

The preference here is to use a dedicated zone so that explicit rules can be put in place and narrowly tuned to the services.
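The dedicated-zone approach preferred above, written out as an added example playbook (not code from the scidmz repository). It assumes the `ansible.posix.firewalld` module, which has zone-level `present`/`absent` states for creating a zone; the host group `dtn`, the zone name `globus`, and all port numbers and source addresses are placeholders to be replaced with the real DTN service ports and Globus endpoints.

```yaml
# Added example, not from the scidmz repo; ports and addresses are placeholders.
- name: DTN firewall with a dedicated zone for source-restricted Globus services
  hosts: dtn
  become: true
  vars:
    public_ports:                 # open to any source (gridftp data channels)
      - "50000-51000/tcp"
    globus_zone: globus
    globus_sources:               # placeholder addresses for the two Globus hosts
      - 192.0.2.10/32
      - 192.0.2.11/32
    globus_ports:                 # control channel and auth service (placeholders)
      - "2811/tcp"
      - "7512/tcp"
  tasks:
    - name: Open the unrestricted ports in the public zone
      ansible.posix.firewalld:
        zone: public
        port: "{{ item }}"
        permanent: true
        immediate: true
        state: enabled
      loop: "{{ public_ports }}"
    - name: Create the dedicated zone (permanent config only)
      ansible.posix.firewalld:
        zone: "{{ globus_zone }}"
        permanent: true
        state: present
      register: zone_created
    - name: Reload so the new zone exists at runtime before immediate changes
      ansible.builtin.command: firewall-cmd --reload
      when: zone_created.changed
    # Traffic from a bound source is evaluated only against this zone, so every
    # service those hosts need must be listed here rather than in public.
    - name: Bind the Globus source addresses to the dedicated zone
      ansible.posix.firewalld:
        zone: "{{ globus_zone }}"
        source: "{{ item }}"
        permanent: true
        immediate: true
        state: enabled
      loop: "{{ globus_sources }}"
    - name: Allow only the control and auth ports inside that zone
      ansible.posix.firewalld:
        zone: "{{ globus_zone }}"
        port: "{{ item }}"
        permanent: true
        immediate: true
        state: enabled
      loop: "{{ globus_ports }}"
```

The rich-rule alternative discussed above would instead keep everything in `public` and pass a `rich_rule` such as `rule family="ipv4" source address="192.0.2.10/32" port port="2811" protocol="tcp" accept` to the same module, one task per source and port pair.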

jprorama commented 7 years ago

Feature implemented by merge #2.