RL9.3 firewalld 2 zones

We are setting up a new firewall based on RL9.3. Two interfaces, inside and outside. We put outside in the external zone, and inside in the internal zone. This means that the external zone does the masquerading.

This setup works fine on another firewall running RL8.x.

If we set up a DNS server on the RL9.3 firewall, it accepts connections and answers the queries. But traffic like ICMP coming in on inside and then going out on outside fails; see below for the network traffic.

22:42:35.760684 IP 172.16.1.202 > 1.1.1.1: ICMP echo request, id 7, seq 1, length 64
22:42:35.760703 IP 172.16.1.254 > 172.16.1.202: ICMP host 1.1.1.1 unreachable - admin prohibited filter, length 92
22:42:36.772378 IP 172.16.1.202 > 1.1.1.1: ICMP echo request, id 7, seq 2, length 64
22:42:36.772390 IP 172.16.1.254 > 172.16.1.202: ICMP host 1.1.1.1 unreachable - admin prohibited filter, length 92

Failing firewall config below:-

external (active)
  target: default
  icmp-block-inversion: no
  interfaces: outside
  sources: 
  services: ssh
  ports: 
  protocols: 
  forward: no
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens1f0 inside
  sources: 
  services: dhcp dns http https mdns ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

Working RL8.x firewall config:-

external (active)
  target: default
  icmp-block-inversion: no
  interfaces: outside
  sources: 
  services: ssh
  ports: 
  protocols: 
  forward: no
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: inside
  sources: 
  services: dhcp http mdns ssh
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

Any ideas would be appreciated

You may need some extra steps; these are the steps I used and posted here: Firewalld/NetworkManager Internet Routing Not working in Rocky Linux 9.x - #13 by iwalker, the steps relating to the policy.

FirewallD in el9 does finally support router-type firewalls “for real”.
The support differs from earlier and is called Policy Objects.

However, the FirewallD in el8 does have policy objects too. Considering that el8 and el9 FirewallD are based on upstream 0.9.11 and 1.2.5, respectively, it is likely that the latter has older behaviour “cleaned out”.

Note that one can use Ansible to configure FirewallD: Chapter 12. Configuring firewalld by using RHEL System Roles Red Hat Enterprise Linux 9 | Red Hat Customer Portal
The rhel-system-roles.firewall seems to have some support for “policies”.

With Ansible playbooks and inventories (or other configuration management system) one has a machine actionable, i.e. deployable, logical copy of config that could be stored (and developed) with version control and outside of the system.


Considering that you will set up a relatively static(?) firewall device, you could consider the use of nftables.service instead of firewalld.service. Chapter 13. Getting started with nftables Red Hat Enterprise Linux 9 | Red Hat Customer Portal
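As an added illustration of the policy-object approach the two replies above point to (this is example code, not something posted in the thread or shipped by the firewalld project), the script below creates a firewalld policy that allows forwarding from the internal zone to the external zone. The zone names match the configs posted by the original poster; the policy name int-to-ext and the script file name fw-policy.sh are arbitrary choices, and the check_policy function assumes that `firewall-cmd --info-policy` prints its fields in the same "key: value" layout as the zone listings shown above. Masquerading stays on the external zone exactly as in the posted config; only the missing forward permission is added.

```shell
#!/bin/sh
# Added example (not from the thread or the firewalld project): create a
# firewalld policy object that accepts traffic forwarded from the "internal"
# zone to the "external" zone. On firewalld 1.x (el9) inter-zone forwarding
# needs such a policy; the zone-level "forward: yes" only covers forwarding
# between interfaces of the same zone.
#
# Dry run (prints the firewall-cmd invocations instead of running them):
#   FIREWALL_CMD=echo sh fw-policy.sh
# Apply and verify on the firewall host:
#   sudo sh fw-policy.sh

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"   # set to "echo" for a dry run
POLICY="${POLICY:-int-to-ext}"                 # arbitrary policy name
INGRESS_ZONE="${INGRESS_ZONE:-internal}"       # zone holding the "inside" NIC
EGRESS_ZONE="${EGRESS_ZONE:-external}"         # zone holding the "outside" NIC (masquerades)

# Single wrapper so every call honours FIREWALL_CMD (real binary or echo).
fw() { "$FIREWALL_CMD" "$@"; }

# Returns 0 if a permanent policy with this name already exists.
policy_exists() {
    fw --permanent --get-policies | tr ' ' '\n' | grep -qx "$POLICY"
}

# Build the policy in the permanent config, then reload so it becomes active.
# Each step aborts the function on failure so a half-built policy is noticed.
apply_policy() {
    fw --permanent --new-policy "$POLICY" || return 1
    # Packets entering on interfaces of INGRESS_ZONE ...
    fw --permanent --policy "$POLICY" --add-ingress-zone "$INGRESS_ZONE" || return 1
    # ... and leaving through interfaces of EGRESS_ZONE ...
    fw --permanent --policy "$POLICY" --add-egress-zone "$EGRESS_ZONE" || return 1
    # ... are accepted. Without this the forward path hits the zone default
    # target and the client sees "admin prohibited" ICMP errors.
    fw --permanent --policy "$POLICY" --set-target ACCEPT || return 1
    fw --reload
}

# Verify the runtime policy: ingress zone, egress zone and target must match.
# Assumes the "key: value" line layout that firewalld uses for zone/policy info.
check_policy() {
    info=$(fw --info-policy "$POLICY") || return 1
    printf '%s\n' "$info" | grep -q "ingress-zones:.*$INGRESS_ZONE" || return 1
    printf '%s\n' "$info" | grep -q "egress-zones:.*$EGRESS_ZONE" || return 1
    printf '%s\n' "$info" | grep -q "target: ACCEPT"
}

main() {
    if policy_exists; then
        echo "policy $POLICY already exists, leaving it untouched" >&2
    else
        apply_policy || { echo "failed to create policy $POLICY" >&2; return 1; }
    fi
    check_policy && echo "policy $POLICY forwards $INGRESS_ZONE -> $EGRESS_ZONE"
}

# Only run main when this file is executed as fw-policy.sh; sourcing it just
# defines the functions (handy for dry runs and tests).
case "$0" in
    fw-policy.sh|*/fw-policy.sh) main "$@" ;;
esac
```

After applying, `firewall-cmd --info-policy int-to-ext` should show the internal ingress zone, the external egress zone and target ACCEPT, and a ping from the inside network should stop producing the "admin prohibited filter" replies captured above. If return traffic still fails, confirm that masquerade remains enabled on the external zone, since the policy only grants forwarding and does not change NAT.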

Appreciate the quick replies; the posts have indeed pointed me in the right direction. After configuring the policy the new firewall is forwarding the traffic as expected. Thank you.
