When default zone set to drop
What happened
I have 3 special zones for myself (Azone, Bzone and Czone). I wrote some rich rules into these zones. But when I set the default zone to public with interfaces (all interfaces added to this zone), all traffic goes through, ACCEPT. It doesn't even look at the other created zones (Azone, Bzone and Czone) for rich rules.
After this problem I tried this way: I set the default zone to "drop" instead of "public", with all interfaces added to this zone.
But now it doesn't allow any connections. Why doesn't firewalld look at Azone, Bzone and Czone before the drop zone?
I only want to do this: drop everything, but look at the rich rules in my created zones, because I want to accept some source-to-destination IP addresses and ports in rich rules. Why does the drop zone crush every other zone?
What you expected to happen
If the zones had priority, like alphabetically, the zones would work in this sequence:
1-Azone 2-Bzone 3-Czone 4-Drop
But it looks at the drop zone first of all, and it drops everything without running the rich rules in my zones.
How to reproduce it (as minimally and precisely as possible)
No response
Anything else we need to know?
My architecture shown below:
ServerX ------->> | FIREWALLD SERVER | <<-------- ServerY
The firewalld daemon is running on the Firewalld Server, and I have some rich rules in Azone, Bzone and Czone, like INPUT, FORWARD and OUTPUT chain rules.
Firewalld Version
0.9.3
Firewalld Backend
iptables
Linux distribution
Red Hat Enterprise Linux Release 8.5
Linux kernel version
4.18.0-348.el8.x86_64
Other information
Help
I think it would be useful to review the firewalld concepts.
Most notably these two principles:
- traffic ingresses one and only one zone
- traffic egresses one and only one zone
Until recently the zone dispatch order was basically undefined. If you used interfaces it worked as expected. If you used overlapping sources, it was less intuitive; it was determined by the zone name.
Zone priorities allow the user to specify the order in which traffic is classified into a zone.
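To make the two principles in the reply concrete, here is an added toy model of zone dispatch in Python. It is example code written for this page, not firewalld's own implementation. The zone names, the ServerX address 192.0.2.10, the interface names and the priority values are constructed; the ordering it encodes (source-bound zones first, then the zone the ingress interface is bound to, then the default zone, with a lower priority value considered first, a feature of firewalld releases newer than the 0.9.3 in this report) is a simplification of firewalld's behaviour. It reproduces the reporter's situation: a zone that has rich rules but no source or interface bound to it is never selected, so its rich rules never run.

```python
# Added example: a simplified model of firewalld zone dispatch, written to
# illustrate the reply above. It is NOT firewalld code; zone names, addresses
# and the sample packets below are constructed for this example.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Zone:
    name: str
    target: str = "default"          # "ACCEPT", "DROP", "REJECT" or "default"
    sources: list = field(default_factory=list)      # CIDRs bound with --add-source
    interfaces: list = field(default_factory=list)   # names bound with --add-interface
    priority: int = 0                # lower value is considered first (assumed model)
    rich_rules: list = field(default_factory=list)   # (source CIDR, dport, action)


def dispatch(zones, default_zone, src_ip, iface):
    """Return the single zone a packet ingresses (one and only one zone).

    Order modelled here: source-bound zones first (by priority, then by name,
    the old tie-breaker mentioned in the reply), then the zone the ingress
    interface is bound to, then the default zone. A zone with no sources and
    no interfaces is never reached, whatever rich rules it holds.
    """
    ip = ip_address(src_ip)
    for z in sorted(zones, key=lambda z: (z.priority, z.name)):
        if any(ip in ip_network(s) for s in z.sources):
            return z
    for z in zones:
        if iface in z.interfaces:
            return z
    return next(z for z in zones if z.name == default_zone)


def verdict(zone, src_ip, dport):
    """Apply the selected zone's rich rules, then fall back to its target."""
    ip = ip_address(src_ip)
    for net, port, action in zone.rich_rules:
        if ip in ip_network(net) and port == dport:
            return action
    # A "default" target rejects unless a service/port was added to the zone;
    # no services are modelled here, so it is simplified to REJECT.
    return "REJECT" if zone.target == "default" else zone.target


def reporter_setup():
    """The issue's configuration: every interface in 'drop', rich rules in
    Azone/Bzone/Czone but nothing bound to those zones."""
    azone = Zone("Azone", rich_rules=[("192.0.2.10/32", 443, "ACCEPT")])
    drop = Zone("drop", target="DROP", interfaces=["eth0", "eth1"])
    return [azone, Zone("Bzone"), Zone("Czone"), drop], "drop"


def fixed_setup():
    """Same zones, but ServerX's address is bound to Azone as a source, so its
    traffic is dispatched to Azone and the rich rule is consulted."""
    zones, default = reporter_setup()
    zones[0].sources.append("192.0.2.10/32")
    return zones, default


def overlap_setup():
    """Two source-bound zones with overlapping sources: priority decides."""
    wide = Zone("Azone", target="DROP", sources=["10.0.0.0/8"], priority=0)
    narrow = Zone("Bzone", target="ACCEPT", sources=["10.1.0.0/16"], priority=-10)
    return [wide, narrow, Zone("drop", target="DROP", interfaces=["eth0"])], "drop"


def classify(setup, src_ip, iface, dport):
    """Classify one constructed packet: returns (zone name, verdict)."""
    zones, default = setup()
    zone = dispatch(zones, default, src_ip, iface)
    return zone.name, verdict(zone, src_ip, dport)


if __name__ == "__main__":
    print(classify(reporter_setup, "192.0.2.10", "eth0", 443))  # ('drop', 'DROP')
    print(classify(fixed_setup, "192.0.2.10", "eth0", 443))     # ('Azone', 'ACCEPT')
    print(classify(overlap_setup, "10.1.2.3", "eth0", 22))       # ('Bzone', 'ACCEPT')
```

The first call shows why the reporter's rich rules never fire: with nothing bound to Azone, the packet is dispatched by interface into `drop` and dropped before any other zone is considered. The second shows the intended outcome once the source is bound to Azone. The third shows what zone priorities add: with overlapping sources, the zone with the lower priority value wins instead of the order falling back to the zone name.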