[sle-beta] firewalld with subzones

Luiz Angelo Daros de Luca luizluca at tre-sc.jus.br
Mon Apr 9 11:55:27 MDT 2018


> Sorry for the late response, do you still struggle to get things done with
> firewalld? I’m not a firewalld expert but please give me your latest feedback
> and I will try to help!

Thanks Vicent. I really had no choice but to use rich rules with ipsets. "Source zones" will probably need to be rethought as a feature in the future.
Even ipsets are not ideal as a tool to segment the network, as I need to re-add the same network address to every ipset that includes it. Linux ipsets do support
a set of sets, but firewalld ipsets do not.

What I really miss now is an organized way to group rules and identify them. As the number of rules increases, my rules started to look like spaghetti code, with many
rules sharing the same source filter. I know that the resulting rules in iptables normally look like "spaghetti code", but I was hoping that at the abstraction layer,
as firewalld is, it would be more organized.

A way to group rules by source would also make rules much cleaner. In pure iptables, I would use something like this:

-s 10.1.1.0/24 -j PRODNET
-s 10.1.2.0/24 -j TESTNET
-s 10.1.1.0/24 -j SRVNET
-s 10.1.2.0/24 -j SRVNET
-j ALLNET

There is no equivalent in firewalld. Zones cannot be used for that as, once they match the source, they stop the rule processing.

There is no easy way to have an id for rich rules. I have scripts that add, update and remove firewall rules.
In order to manipulate a rule, I need to know exactly its arguments. If the script needs to update a rule, it needs to keep track of every
single variation that rule had in the past and that might still be in use, look for each variation and remove it before adding the new
variation. My solution was to (ab)use the logging feature to add an "id" to rules in the log prefix. I would normally use iptables comments,
but rich rules do not support them.

So, since my last email, nothing has really changed. I do have an open issue for adding IDs to rich rules:

https://github.com/firewalld/firewalld/issues/308 

For ipset list:set support: 

https://github.com/firewalld/firewalld/issues/324 

And for zone ordering/overlapping, there are already some open issues. 

> Did you take a look at our firewalld documentation?
> https://susedoc.github.io/doc-sle/develop/SLES-security/single-html/#cha.security.firewall

I took a look now (it wasn't available at the time).

>> I know RHEL already uses firewalld for some time. However, they kept an
>> iptables-service for when firewalld gets in the way. What can I use with SLE15
>> besides firewalld? SuSEFirewall2? Can I still depend on SuSEFirewall2 during
>> SLE15 support (even on Service Packs)?

> Well no, SuSEFirewall2 should be removed completely from SLE15.

I have to live with that. 

Regards, 

-- 
Luiz Angelo Daros de Luca 
Tribunal Regional Eleitoral de Santa Catarina 
STI/CSIT/Seção de Comunicação de Dados 
e-mail: luizluca at tre-sc.jus.br 
jabber: luizluca at tre-sc.gov.br 
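The log-prefix "id" workaround described in the mail, as an added shell example that is not part of the original message or of firewalld itself. It assumes firewall-cmd is on PATH and a zone named public, and it reads the command name from a variable so the matching and replacement logic can be exercised against a stub without a running firewalld.

```shell
#!/bin/sh
# Tag each rich rule with an id carried in its log prefix, so a script can
# find and replace the rule later without knowing every past variation of
# its other arguments (source, service, action).

ZONE="${ZONE:-public}"
# Command used to talk to firewalld; overridable for testing (assumption:
# a real firewall-cmd is on PATH in production).
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Build a rich rule that embeds the id in the log prefix.
# Arguments: id, source CIDR, service name, action (accept/drop/reject).
rich_rule_with_id() {
    id=$1; src=$2; svc=$3; act=$4
    printf 'rule family="ipv4" source address="%s" service name="%s" log prefix="id:%s " level="info" %s' \
        "$src" "$svc" "$id" "$act"
}

# Print every rule in ZONE whose log prefix carries the given id, one per
# line. Matching on the exact quoted prefix avoids partial-id collisions
# (id "web1" must not match "web10").
find_rules_by_id() {
    id=$1
    "$FIREWALL_CMD" --zone="$ZONE" --list-rich-rules \
        | grep -F "log prefix=\"id:$id \"" || true
}

# Remove all variants of the rule with that id, then add the new variant.
# Add --permanent to both calls (and --reload) if the change must persist.
replace_rule() {
    id=$1; rule=$2
    find_rules_by_id "$id" | while IFS= read -r old; do
        "$FIREWALL_CMD" --zone="$ZONE" --remove-rich-rule="$old"
    done
    "$FIREWALL_CMD" --zone="$ZONE" --add-rich-rule="$rule"
}
```

Usage: `replace_rule web01 "$(rich_rule_with_id web01 10.1.1.0/24 ssh accept)"` replaces whatever rule currently carries id web01, whatever its old source or service was.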