linux-system-roles / firewall

Configure firewalld and system-config-firewall
https://linux-system-roles.github.io/firewall/
GNU General Public License v2.0

forward_ports not persistent #234

Open rlenferink opened 3 weeks ago

rlenferink commented 3 weeks ago

What happened:

I am using the firewall role with the following definition:

firewall:
  # Wipe existing config and replace with the config defined below.
  - previous: replaced

  # For some reason the cockpit and dhcpv6-client are enabled by default.
  # Explicitly disable them.
  - service:
      - cockpit
      - dhcpv6-client
    state: disabled

  # Only allow the ports below.
  - zone: public
    state: enabled
    permanent: true
    interface: ens18
    services:
      - ssh
    port:
      # Web ports
      - '80/tcp'    # HTTP
      - '443/tcp'   # HTTPS

    # NOTE: For some reason the forward_ports are not persistent. When making changes always make them persistent manually using:
    #   firewall-cmd --runtime-to-permanent
    masquerade: true
    forward_port:
      - port: 1194
        proto: udp
        toaddr: 192.168.1.1
        toport: 1195

      - port: 16001
        proto: tcp
        toaddr: 192.168.1.21  # nas.loc (Video Station HTTPS)
        toport: 16001

What you expected to happen:

Because of the permanent flag, I expected that the forward_ports would also be persistent. The rest of the firewall configuration is persistent (if no forward_ports are specified); however, when forward_ports are specified, the configuration is lost after a reboot of the target node.

I verified this with firewall-cmd --list-all-zones. It seems that the forward_ports are gone and, if a forward_port is specified, that the 'normal' ports are also gone.

How to reproduce it (as minimally and precisely as possible):

Use e.g. the snippet above.

Anything else we need to know?:

Environment:
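The check the reporter does by hand with firewall-cmd --list-all-zones, as an added example that is not part of the issue or of the firewall role: a POSIX shell script that lists entries present in a zone's runtime configuration but missing from its permanent configuration, which is exactly what would be lost on reload or reboot. The RUN_FIREWALL_CHECK and ZONE environment variable names are assumptions; the firewall-cmd options used are real ones.

```shell
#!/bin/sh
# Added example, not from the issue or the role: report drift between
# firewalld's runtime and permanent configuration for one zone. Anything
# printed exists only at runtime and disappears on reload or reboot.
# Uses `firewall-cmd --zone=Z --list-forward-ports` and `--list-ports`,
# each with and without `--permanent`.

# One entry per line, sorted, empty lines dropped, so ordering or
# whitespace differences between the two listings are not reported.
normalize_entries() {
  tr ' \t' '\n\n' | sed '/^$/d' | sort -u
}

# Print entries found in runtime list $1 but not in permanent list $2.
# Entries such as "port=1194:proto=udp:toport=1195:toaddr=192.168.1.1"
# contain no whitespace, so word splitting on the normalized list is safe.
runtime_only() {
  permanent=$(printf '%s\n' "$2" | normalize_entries)
  for entry in $(printf '%s\n' "$1" | normalize_entries); do
    printf '%s\n' "$permanent" | grep -qxF -- "$entry" || printf '%s\n' "$entry"
  done
}

# Compare runtime and permanent state of one zone for one list option
# (--list-forward-ports or --list-ports). Returns 1 when something is
# runtime-only, i.e. would be lost the way the issue describes.
check_zone_setting() {
  zone="$1"; option="$2"
  runtime=$(firewall-cmd --zone="$zone" "$option")
  permanent=$(firewall-cmd --permanent --zone="$zone" "$option")
  lost=$(runtime_only "$runtime" "$permanent")
  [ -z "$lost" ] && return 0
  printf 'zone %s %s: runtime-only entries (lost on reboot):\n%s\n' \
    "$zone" "$option" "$lost"
  return 1
}

# Only query the live host when asked (assumed env var), so the functions
# above can be sourced or tested on a machine without firewalld.
if [ "${RUN_FIREWALL_CHECK:-0}" = 1 ]; then
  rc=0
  for opt in --list-forward-ports --list-ports; do
    check_zone_setting "${ZONE:-public}" "$opt" || rc=1
  done
  exit "$rc"
fi
```

Run it as RUN_FIREWALL_CHECK=1 ZONE=public sh check-drift.sh after the role has applied the configuration; a non-zero exit with the forward_port entries printed reproduces the report without waiting for a reboot.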