I originally posted this as a question to www.centos.org/forums: <a href="https://www.centos.org/forums/viewtopic.php?f=50&t=48045&sid=289e316d99bc8a55489bb0f79983222c#p204247">https://www.centos.org/forums/viewtopic.php?f=50&t=48045&sid=289e316d99bc8a55489bb0f79983222c#p204247</a><br />
<br />
I've been trying to learn the new CentOS 7 systemd and firewalld concepts over the past few days and came across this issue today when rebooting my server.<br />
<br />
I had previously set up firewalld to place eth0 and eth1 in the dmz and internal zones respectively with the following commands:<br />
<br />
sudo firewall-cmd --permanent --zone=public --remove-interface=eth1<br />
sudo firewall-cmd --permanent --zone=internal --add-interface=eth1<br />
<br />
On reboot I looked at the active zones and saw both devices were back in the public zone. After digging for a while I realized it was due to the following lines in the /etc/sysconfig/network-scripts/ifup-eth and ifup-post scripts:<br />
<br />
# Inform firewall which network zone (empty means default) this interface belongs to<br />
if [ -x /usr/bin/firewall-cmd -a "${REALDEVICE}" != "lo" ]; then<br />
    /usr/bin/firewall-cmd --zone="${ZONE}" --change-interface="${DEVICE}" > /dev/null 2>&1<br />
fi<br />
<br />
So this effectively makes any "permanent" zone change like the one I made above permanent only across firewalld restarts, not across machine reboots or interface up/down cycles: every time the interface comes up, the ZONE value from its ifcfg file (empty meaning the default zone) is pushed into firewalld again.<br />
<br />
I added the ZONE setting to each device's config to fix my issue for now.<br />
<br />
But my question is, why is this done at all? The "default" ZONE value blows away the permanently set value. It seems like the script should at least check the current value of `firewall-cmd --get-zone-of-interface=eth0` and use that over ZONE?<br />
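As an added check (example code written for this post, not part of the CentOS scripts or firewalld), the following script audits every ifcfg-* file against firewalld's permanent zone XML files and reports each interface whose ZONE= setting does not match the zone that lists it, since that is exactly the mismatch ifup-post will silently undo on the next reboot or interface up. The directory paths are parameters and the sample files are constructed inline; the zone XML layout assumed is `<interface name="..."/>` entries under /etc/firewalld/zones/&lt;zone&gt;.xml.<br />

```shell
#!/bin/sh
# Added example, not from the original post: report interfaces whose ifcfg ZONE=
# differs from firewalld's permanent zone assignment. Because ifup-post runs
#   firewall-cmd --zone="${ZONE}" --change-interface="${DEVICE}"
# any mismatch (including a missing ZONE=) is undone on the next ifup or reboot.

# Zone whose XML under $2 (e.g. /etc/firewalld/zones) lists interface $1.
permanent_zone_of() {
    for f in "$2"/*.xml; do
        [ -f "$f" ] && grep -q "<interface name=\"$1\"" "$f" || continue
        basename "$f" .xml; return 0
    done
    return 1
}

# Value of KEY=... ($2) in ifcfg file $1, surrounding quotes stripped.
ifcfg_value() { sed -n "s/^$2=//p" "$1" | tr -d '"' | head -n 1; }

# One "DEVICE ifcfg:<zone> permanent:<zone>" line per interface whose ifcfg
# ZONE= differs from its permanent zone; $1 = network-scripts dir, $2 = zones dir.
audit_zone_drift() {
    for cfg in "$1"/ifcfg-*; do
        [ -f "$cfg" ] || continue
        dev=$(ifcfg_value "$cfg" DEVICE)
        [ -n "$dev" ] && [ "$dev" != "lo" ] || continue
        perm=$(permanent_zone_of "$dev" "$2" || true)
        [ -n "$perm" ] || continue      # not pinned in any permanent zone
        want=$(ifcfg_value "$cfg" ZONE)
        [ "$want" = "$perm" ] || echo "$dev ifcfg:${want:-<default>} permanent:$perm"
    done
}

# Constructed sample mirroring the post: eth1 was moved to "internal" with
# --permanent, but only eth0's ifcfg carries a ZONE= line. Returns the audit output.
demo() {
    tmp=$(mktemp -d); mkdir "$tmp/scripts" "$tmp/zones"
    printf 'DEVICE=eth0\nZONE=dmz\n' > "$tmp/scripts/ifcfg-eth0"
    printf 'DEVICE=eth1\n' > "$tmp/scripts/ifcfg-eth1"
    printf 'DEVICE=lo\n' > "$tmp/scripts/ifcfg-lo"
    printf '<zone><interface name="eth0"/></zone>\n' > "$tmp/zones/dmz.xml"
    printf '<zone><interface name="eth1"/></zone>\n' > "$tmp/zones/internal.xml"
    audit_zone_drift "$tmp/scripts" "$tmp/zones"
    rm -rf "$tmp"
}

demo   # prints: eth1 ifcfg:<default> permanent:internal
```

Running the audit on a real host as `audit_zone_drift /etc/sysconfig/network-scripts /etc/firewalld/zones` lists the interfaces that will drift back to the default zone on reboot.<br />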
<br />
Please let me know if I should report this upstream to bugzilla.redhat.com instead.