Port forwarding and outgoing traffic

Posted: 2017/11/15 01:36:05
by wlnx
Hello.
I have the following configuration on my gateway:

[root@gw server]# uname -a
Linux gw 3.10.0-693.5.2.el7.x86_64 #1 SMP Fri Oct 20 20:32:50 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[root@gw server]# cat /etc/centos-release
CentOS Linux release 7.4.1708 (Core)
[root@gw server]# firewall-cmd --version
0.4.4.4

[root@gw server]# firewall-cmd --get-active-zones
public
  interfaces: ens160
trusted
  interfaces: ens192

[root@gw server]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: ssh dhcpv6-client openvpn
  ports:
  protocols:
  masquerade: yes
  forward-ports: port=443:proto=tcp:toport=:toaddr=10.128.5.200
  source-ports:
  icmp-blocks:
  rich rules:

[root@gw server]# firewall-cmd --zone=trusted --list-all
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: ens192
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


Thus, when I go to https://ext-ip, I see the published resource (https://10.128.5.200). But I have the following issue: when I try HTTPS from the trusted network (e.g. https://google.com), I also see https://10.128.5.200. It seems that firewalld port-forwards outgoing traffic. I tried to RTFM and google the situation, but the only thing I found was an issue at firewalld's GitHub (https://github.com/firewalld/firewalld/issues/258).
Could you please tell me whether this is a bug or I am doing something wrong (and how to do it right, yes)?
Thanks a lot in advance.
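The symptom described in the post (a public-zone forward-port also catching traffic that enters from the trusted side) can be checked against the NAT rules actually loaded on the gateway. As an added example that is not part of wlnx's post or of firewalld itself, the script below reads an iptables-save nat dump and reports every DNAT rule that is reachable from PREROUTING or OUTPUT along a path with no ingress-interface (-i) or destination (-d) restriction; the sample dump and its chain names are constructed assumptions, so run it on the real output of `iptables-save -t nat`.

```python
"""Added diagnostic (not from the post or from firewalld): find DNAT rules in an
iptables-save nat dump that are reachable from PREROUTING/OUTPUT without any
-i (ingress interface) or -d (destination) match on the way."""
import re
import sys
from collections import defaultdict

# Constructed sample shaped like a firewalld 0.4.x host with the poster's zones
# (ens160 = public, ens192 = trusted); chain names are assumptions, not firewalld's.
SAMPLE = """\
*nat
-A PREROUTING -j PREROUTING_ZONES
-A PREROUTING -j PRE_all
-A PREROUTING_ZONES -i ens160 -g PRE_public
-A PREROUTING_ZONES -i ens192 -g PRE_trusted
-A PRE_public -p tcp --dport 443 -j DNAT --to-destination 10.128.5.200
-A PRE_all -p tcp --dport 8443 -j DNAT --to-destination 10.128.5.201
COMMIT
"""
RULE = re.compile(r"^-A (\S+)(.*)$")

def parse_rules(dump):
    """Return {chain: [(match_text, target), ...]} from an iptables-save dump."""
    chains = defaultdict(list)
    for line in dump.splitlines():
        m = RULE.match(line)
        tgt = re.search(r" -[jg] (\S+)", m.group(2)) if m else None
        if tgt:  # keep the match part (before -j/-g) and the jump target
            chains[m.group(1)].append((m.group(2)[:tgt.start()], tgt.group(1)))
    return chains

def unscoped_dnat(chains, roots=("PREROUTING", "OUTPUT")):
    """List (chain, matches) of DNAT rules reachable with no -i/-d on the path."""
    found = []
    def walk(chain, seen):
        for matches, target in chains.get(chain, []):
            scoped = any(f" {opt} " in matches for opt in ("-i", "-d"))
            if target == "DNAT" and not scoped:
                found.append((chain, matches.strip()))
            elif target in chains and target not in seen and not scoped:
                walk(target, seen | {target})
    for root in roots:
        walk(root, {root})
    return found

if __name__ == "__main__":
    # On the gateway (as root): iptables-save -t nat | python3 check_dnat.py
    dump = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for chain, matches in unscoped_dnat(parse_rules(dump)):
        print(f"DNAT in {chain} reachable without -i/-d restriction: {matches}")
```

A rule that only shows up behind an interface-scoped jump (like the port 443 rule in the sample) cannot match traffic from ens192, so if the real dump reports the forward-port as unscoped, that is where to look.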