Configuring firewall traffic between two interfaces

Rocky Linux Help & Support
1

Hey everyone!

I was looking for some clarification regarding firewalld configuration to forward/filter traffic between two interfaces on a node.

I have a node with one interface on a public network, and a second interface on a private cluster network. I saw in a previous post on these forums (Configure firewalld for routing traffic between internal and external) that you can use a policy with an ingress and egress zone to accomplish this.

I did a mock of this configuration on my node and have the following:

[]# firewall-cmd --policy=internal-external --list-all
internal-external (active)
  priority: -1
  target: CONTINUE
  ingress-zones: public
  egress-zones: cluster_internal
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

My question is, with this configuration, where do the firewalld rules/filters get applied? I.e. if I want to allow a source coming in from the public interface access to the internal cluster network, would I add that source to the public egress-zone? To the ingress-zone? Both? Let me know if I can provide any further clarification or details about the setup.

–Thanks!

2

First, you can list current ruleset with: sudo nft list ruleset
Store that output (A), make changes with firewall-cmd, store new output (B), and then compare A and B to see how your changes are implemented by FirewallD.

A core concept of FirewallD is zone. It is both a group of machines and rules for that group.

You mention three groups of machines:

  1. Members of internal cluster network
  2. Members of external networks (“sources”) that you want to allow in
  3. Everybody else in external networks

That is three zones. (internal, outstations, public)
You want to allow the internal to open connections to outstations and to public.
You want to allow the outstations to open connections to internal.

The base rules of outstations are probably identical to rules for public.
While the public zone will handle the external interface, the outstations zone will be for listed sources (no interface).