CentOS 7.5 firewalld config changes

Support for security such as Firewalls and securing linux
vikinggeek
Posts: 16
Joined: 2011/11/15 17:34:46
Location: Redwood City, California

Post by vikinggeek » 2018/05/13 06:58:39

Just did a couple of server upgrades from 7.4 to 7.5. Seems to be working well except for the configuration of interface to zone binding.

In 7.4 and earlier, I included ZONE=<zone name> in the ifcfg-<interface> files in the /etc/sysconfig/network-scripts directory. In 7.5 this directive is not taking effect and I have to run e.g.:

firewall-cmd --permanent --change-zone=eth0 --zone=internal
to bind a zone definition to an interface. This creates an entry in the internal.xml file in the /etc/firewalld/zones directory which I'm not happy with.

It is worth mentioning that our servers do not have NetworkManager installed as we configure all settings via ansible scripts and we use policy based routing extensively. These configurations are done via rule-<interface> and route-<interface> for both IPv4 and IPv6.

Anyone else seeing this change? Is this a change in behavior or a bug?
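
A read-only check for the drift described in this post, as an added example that is not part of the original thread: it compares ZONE= in each ifcfg-<interface> file with the interface bindings stored in the zone XML files. The function names and output labels are this example's own, and it assumes the interface name is the suffix of the ifcfg- file name and that bindings appear as `<interface name="..."/>`.

```shell
# Added example (not from the thread): report drift between ZONE= in
# ifcfg-<interface> files and firewalld's permanent zone XML bindings.

# Last ZONE= value in one ifcfg file, with quotes and whitespace stripped.
ifcfg_zone() {
    grep -E '^[[:space:]]*ZONE=' "$1" | tail -n 1 | cut -d= -f2- | tr -d "\"' \t\r"
}

# Zone whose XML file in directory $2 binds interface $1 (empty if none).
# Assumes the <interface name="..."/> form that firewall-cmd writes.
xml_zone() {
    local z
    for z in "$2"/*.xml; do
        [ -f "$z" ] || continue
        if grep -Fq "<interface name=\"$1\"/>" "$z"; then
            basename "$z" .xml
            return 0
        fi
    done
    return 0
}

# Compare both sources for every ifcfg file; return 1 if any interface
# is unbound, bound only through ifcfg, or bound to a different zone.
check_zone_drift() {
    local scripts zones f ifname want have rc
    scripts="${1:-/etc/sysconfig/network-scripts}"
    zones="${2:-/etc/firewalld/zones}"
    rc=0
    for f in "$scripts"/ifcfg-*; do
        [ -f "$f" ] || continue
        ifname="${f##*/ifcfg-}"
        [ "$ifname" = "lo" ] && continue
        want="$(ifcfg_zone "$f")"
        have="$(xml_zone "$ifname" "$zones")"
        if [ -z "$want" ] && [ -z "$have" ]; then
            echo "UNBOUND $ifname (default zone applies)"; rc=1
        elif [ -z "$have" ]; then
            echo "IFCFG-ONLY $ifname ifcfg=$want (no permanent binding)"; rc=1
        elif [ -n "$want" ] && [ "$want" != "$have" ]; then
            echo "MISMATCH $ifname ifcfg=$want xml=$have"; rc=1
        else
            echo "OK $ifname zone=$have"
        fi
    done
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then check_zone_drift; fi  # live paths only on --run
```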

ricardo.claus
Posts: 47
Joined: 2016/07/04 12:46:08

Re: CentOS 7.5 firewalld config changes

Post by ricardo.claus » 2018/06/06 12:08:21

I'm also going through the same problem. When restarting the server, firewalld loses its zone settings. This started happening after I upgraded the system.
Currently CentOS is at this version:
CentOS Linux release 7.5.1804 (Core)
Has anyone found a solution to the problem?

jlehtone
Posts: 1959
Joined: 2007/12/11 08:17:33
Location: Finland

Re: CentOS 7.5 firewalld config changes

Post by jlehtone » 2018/06/06 13:12:13

How about:

nmcli -p con mod <connection name> connection.zone internal
Pre-7.5 it was definitely the NM that had to set the zone, not the firewall-cmd. I have not observed "lost zones" due to the update.

ricardo.claus
Posts: 47
Joined: 2016/07/04 12:46:08

Re: CentOS 7.5 firewalld config changes

Post by ricardo.claus » 2018/06/06 13:40:04

Thanks for the comment.
In my case I do not use NetworkManager.
How would the nmcli command for the ETH0 home / internal interface be?

jlehtone
Posts: 1959
Joined: 2007/12/11 08:17:33
Location: Finland

Re: CentOS 7.5 firewalld config changes

Post by jlehtone » 2018/06/06 20:29:44

Sorry, I use only NetworkManager on CentOS 7. If you don't, then you should not use nmcli, nmtui, or nm-applet. (In fact, I would erase all NM packages if I did not use it.) Anyway, I cannot tell how network.service and firewalld.service play along, if at all.
