FirewallD vs. bridge

Hi,

I have Rocky Linux 9 running on a local server with a single NIC. I set up a br0 bridge with enp3s0 as slave. Here’s what this looks like (using ifconfig, which has a clearer output than ip):

# ifconfig
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.3  netmask 255.255.255.0  broadcast 192.168.2.255
        ether b0:83:fe:90:4d:64  txqueuelen 1000  (Ethernet)
        RX packets 4257  bytes 65883241 (62.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2542  bytes 228433 (223.0 KiB)
        TX errors 0  dropped 66 overruns 0  carrier 0  collisions 0

enp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether b0:83:fe:90:4d:64  txqueuelen 1000  (Ethernet)
        RX packets 247330  bytes 362385518 (345.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 17165  bytes 1800753 (1.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

I’m using FirewallD’s internal zone as default for the local network, and I just wondered: which interface do I have to associate this zone with? br0? enp3s0? Both?

For the moment I associated both interfaces, so here’s what this looks like:

# firewall-cmd --list-all
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: br0 enp3s0
  sources: 
  services: ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

Any suggestions?

br0
It has the IP address.

The enp3s0 has no IP config and is a mere “port of a network switch” (i.e. of the br0).

The packets will show on the enp3s0 en route to the br0, but the enp3s0 will not ask: “Is this for me?”
Hence it does not really matter what rules are there for the enp3s0 (unless they act on a lower layer).

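To make the reasoning in the reply above checkable on a host, here is an added example (not from the thread or from the Rocky/firewalld projects) that classifies each interface listed in a zone as a bridge port or as the address-holding interface, from text in the shape of `ip -o link show` and `ip -o -4 addr show`. The sample lines are constructed to match the thread's names (br0 enslaving enp3s0, 192.168.2.3/24) rather than captured from the poster's machine; the function names iface_role and zone_binding_advice are this example's own.

```bash
#!/usr/bin/env bash
# Added example: on a bridged single-NIC host, decide which interface an L3
# firewalld zone should be bound to. A bridge port (enp3s0, "master br0") only
# carries frames into the bridge; locally delivered packets are seen by the IP
# filter hooks as arriving on br0, so zone rules bound to the port never match.

# Constructed sample of `ip -o link show` (one interface per line).
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP mode DEFAULT group default qlen 1000\    link/ether b0:83:fe:90:4d:64 brd ff:ff:ff:ff:ff:ff
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether b0:83:fe:90:4d:64 brd ff:ff:ff:ff:ff:ff'

# Constructed sample of `ip -o -4 addr show`.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
3: br0    inet 192.168.2.3/24 brd 192.168.2.255 scope global noprefixroute br0\       valid_lft forever preferred_lft forever'

# iface_role NAME LINKS ADDRS -> prints one of:
#   port:<master>   enslaved to a bridge: L2 only, no IP of its own
#   l3:<cidr>       carries an IPv4 address: this is where INPUT filtering applies
#   unaddressed     neither (e.g. an idle NIC)
iface_role() {
  local name=$1 links=$2 addrs=$3 master addr
  # The "master <bridge>" token in `ip -o link` marks a bridge port.
  master=$(printf '%s\n' "$links" | awk -v n="$name:" \
    '$2 == n { for (i = 1; i <= NF; i++) if ($i == "master") print $(i + 1) }')
  if [ -n "$master" ]; then
    printf 'port:%s\n' "$master"
    return
  fi
  addr=$(printf '%s\n' "$addrs" | awk -v n="$name" '$2 == n && $3 == "inet" { print $4; exit }')
  if [ -n "$addr" ]; then
    printf 'l3:%s\n' "$addr"
  else
    printf 'unaddressed\n'
  fi
}

# zone_binding_advice "IFACE..." LINKS ADDRS -> one verdict line per interface,
# then "bind-zone-to:<interfaces that actually carry an address>".
zone_binding_advice() {
  local ifaces=$1 links=$2 addrs=$3 i role keep=""
  for i in $ifaces; do
    role=$(iface_role "$i" "$links" "$addrs")
    case $role in
      port:*) printf '%s: bridge port of %s, L3 zone rules see traffic on %s instead (binding is a no-op)\n' \
                "$i" "${role#port:}" "${role#port:}" ;;
      l3:*)   printf '%s: holds %s, zone rules filter here (keep)\n' "$i" "${role#l3:}"
              keep="$keep $i" ;;
      *)      printf '%s: no address, nothing to filter yet\n' "$i" ;;
    esac
  done
  printf 'bind-zone-to:%s\n' "${keep# }"
}

# Demo on the constructed sample: mirrors the "interfaces: br0 enp3s0" line in the thread.
zone_binding_advice "br0 enp3s0" "$SAMPLE_LINKS" "$SAMPLE_ADDRS"
```

On a live host, feed it `"$(ip -o link show)"` and `"$(ip -o -4 addr show)"` and the interface list from `firewall-cmd --get-active-zones`. If the port interface is to be dropped from the zone, `firewall-cmd --permanent --zone=internal --remove-interface=enp3s0` followed by `firewall-cmd --reload` does that; on NetworkManager-managed systems the durable way to pin the bridge is `nmcli connection modify <br0-connection> connection.zone internal`, since NetworkManager hands the zone to firewalld when the connection comes up.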
