Firewall configuration


I have a problem with configuring my firewall:

I have a VPS with 2 IP addresses and I want to have different sets of services, with different access rules, available through the different addresses. I have Fedora Server installed, 29 initially, upgraded to 30.

I understand that firewall-cmd prefers different interfaces, so I created a virtual IF (copied and modified a script in /etc/sysconfig/network-scripts/).

I have 2 interfaces visible in ifconfig with the correct IPs; firewall-cmd also recognizes that one of them belongs to one active zone and the other to another. BUT – when I add a new service to that new virtual-IF zone, nothing happens. At the same time, when I add the same service to the original IF, the service also starts from the address which is not given to it.

What do I do wrong?

Hello @duneyrr,
Have you checked into this resource for firewalld? My understanding is limited with respect to firewalld, I admit. But what I noticed is it doesn’t really handle the interface specifically, but handles the zones and services of those interfaces. The interfaces themselves (both real and virtual) are handled by NetworkManager, I understand. If I get a chance later tonight I can try to play around a bit with firewalld and NetworkManager.

@duneyrr, also, please clarify what you mean in this line.

The address which the service listens on (i.e. with which it starts) has almost nothing to do with the firewall configuration.

I mean, let’s say you have IP1 and IP2 on your system. You want the postfix service associated with IP1 (and not 2) and the httpd service associated with IP2 and not 1.

By default (not always, but usually) both of these services will listen on both IP1 and IP2. You can restrict access to them with firewall rules, but they continue to listen on both addresses (getting traffic only from the one permitted by the firewall).

If you want to configure postfix to actually listen only on IP1, you have to do it in the postfix configuration, not in the firewall configuration.

So you actually have two issues here: which address your service listens on (i.e. “starts with”), and which connection your firewall is permitting traffic on for this service.

If you do understand this clearly and your line just confused me – then please forgive me. )

Also, if you have two different connections on your VPS, then configuring firewalld differently for each of them is very easy. I’ll provide the tips I can, but we need to clear away the confusion between services listening on IPs and the firewall restricting/permitting traffic to them.

Hi. Thank you. I do understand it. At this moment I did modify, for example, sshd_config to listen on only one IP… I’d still like to restrict access on the firewall level, if it’s possible.

Ok. Do you have two different network interfaces on your VPS?

Yes, I more-or-less read it (not word-by-word… :slight_smile: ).
I had to create a virtual interface in order to glue it to the IP address, because zones are interface-based, not directly address-based.
My guess is that the firewall uses the default zone for both connections even though it says it does not. And… I did add ZONE= to the ifcfg script.
I suspect that it has something to do with NetworkManager, because nmcli does not show me my virtual interface. It shows the original one with both addresses.

Not really – it’s a cloud service with 2 permanent addresses I can use. That’s why I created the virtual interface.

By default, recent Fedora (and CentOS 7) use NetworkManager. I’m not sure whether using ifcfg will conflict/interfere with NM in some way. I’d suggest trying to add the same virtual interface with nmcli or nmtui (text menu based NM interface from the package NetworkManager-tui). Though again, I’m not sure; maybe it should see the things you add with ifcfg scripts.

If your non-virtual address has two IPs associated with it, then I’m not sure if associating one IP with a virtual interface will help you (as rules for the real connection would still apply to both IPs).

No, the real interface has only one address (when we talk about network-scripts). The other is only in the virtual interface’s script.
I’m not sure how I should tell NM that there is another interface?

I’ve never done something like this myself, so I’m not sure I can help you much. I’ve played with two IPs on one interface on my work machine, and played with various zones for various connections.

Isn’t the second IP for something like a VPN? Is it (physically, so to say) reachable on your main network connection?

Well… I thought about VPN, but it’s not exactly that. Also, it makes me angry that I can’t make it work. I’d like to understand what the problem is.

For understanding, I’m again seeing two issues here:

  1. Virtual interface – should we use it with NM or can we use it without NM?

  2. Firewalld with your virtual interface right now – can it work as is or does it need NM to see the interface to work with it?

For the second issue, please try the following commands:

sudo firewall-cmd --get-zone-of-interface=

then press [Tab] several times; it should show you the interface names you can use. See if your virtual interface is among the suggestions or not. If not – try entering it manually and executing the command.


sudo firewall-cmd --zone=<zone_you_want> --change-interface=<interface_name>

should assign the interface to the specified zone. Without --permanent it changes only the current configuration (until restart or reboot). --permanent makes the change permanent, but doesn’t apply it now.


sudo firewall-cmd --get-active-zones

should give you the list of zones in use now, with the list of connections for each zone.

From the firewall side all seems to be OK – the virtual interface is shown in the zone I want it to belong to; for this v-interface it shows the correct zone… but in reality it does not work.
From the NM side – I do not know. I was hoping to ignore it, configuring just the scripts, and from ifconfig I see that everything is also OK: both interfaces are up and running with the correct addresses. Just nmcli does not show the virtual interface. I speculate that maybe this is the reason why the conf does not work.

This I can say nothing about :frowning:

A couple more hints you can try.

  1. You can play with a similar configuration on your own machine (that is, if you have Fedora on your local machine) rather than the cloud one; this way, if you manage to completely cut off the outside world, you can always easily undo it locally.

  2. If you do understand iptables, then you can see and analyze your current firewall configuration in iptables’ terms with:

    sudo iptables -S

    You shouldn’t use it to make configuration changes though: you can have only one ruler; it should be either firewalld or iptables, not both.

I’m not that good with iptables myself, but looking casually at the output makes me think that maybe the rules for the physical interface take precedence in your case; that’s why adding services to the zone for the physical connection works, while for the virtual one it does not. I’m not sure about this. Maybe you can understand it better.

I already played a bit with a real PC-installed Fedora and got the same problem trying to do the same thing. But at the moment I can also test things in the cloud, as there are no production services until I put them there… after I get the conf right.
About iptables… I have not written them manually, but from a logical point of view it seems to be OK as well.

Don’t you agree that from the iptables output it looks like an incoming packet is judged on which physical interface it came from, then sent to the appropriate chain (for this connection’s zone)?

If that’s the case, then all incoming packets will be treated with the zone of your (one!) physical interface – exactly what you’re seeing, am I right?
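One way to check that reasoning against the actual dispatch rules, as an added example that is not part of the thread: the script below reads the INPUT_ZONES rules that `sudo iptables -S INPUT_ZONES` prints and shows which zone chain each incoming interface is sent to. The sample rules and the interface and chain names are the ones quoted in this thread; nothing else is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: inspect the INPUT_ZONES dispatch rules
# that `sudo iptables -S INPUT_ZONES` prints (the iptables backend firewalld
# used on Fedora 30) and show which zone chain each incoming interface reaches.

# zone_dispatch: stdin = `iptables -S INPUT_ZONES` output.
# Prints one line per rule, "<iface> <zone_chain>", using "*" when the rule has
# no -i match, i.e. the catch-all that sends every other interface to the
# default zone's chain.
zone_dispatch() {
    awk '$1 == "-A" && $2 == "INPUT_ZONES" {
        iface = "*"; chain = "?"
        for (i = 3; i <= NF; i++) {
            if ($i == "-i") iface = $(i + 1)
            if ($i == "-g" || $i == "-j") chain = $(i + 1)
        }
        print iface, chain
    }'
}

# unreachable_dispatch: only the rules whose -i name contains ":". ifconfig
# creates "ens3:0" as an address label on ens3, not as a kernel network device,
# so no packet ever arrives on a device called "ens3:0": that -i match cannot
# fire and the traffic falls through to the catch-all rule (the default zone).
unreachable_dispatch() {
    zone_dispatch | awk 'index($1, ":") > 0'
}

# audit_dispatch: human-readable summary of the above for a quick check.
audit_dispatch() {
    zone_dispatch | while read -r iface chain; do
        case $iface in
            '*') printf 'catch-all      -> %s (default zone)\n' "$chain" ;;
            *:*) printf 'NEVER MATCHES  %s -> %s (address label, not a device)\n' "$iface" "$chain" ;;
            *)   printf 'interface      %s -> %s\n' "$iface" "$chain" ;;
        esac
    done
}

# Sample input: the three INPUT_ZONES rules quoted in this thread.
SAMPLE_RULES='-A INPUT_ZONES -i ens3:0 -g IN_history
-A INPUT_ZONES -i ens3 -g IN_FedoraServer
-A INPUT_ZONES -g IN_FedoraServer'

# On a live host:  sudo iptables -S INPUT_ZONES | audit_dispatch
printf '%s\n' "$SAMPLE_RULES" | audit_dispatch
```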

-A FORWARD_IN_ZONES -i ens3:0 -g FWDI_history
-A FORWARD_IN_ZONES -i ens3 -g FWDI_FedoraServer
-A FORWARD_OUT_ZONES -o ens3:0 -g FWDO_history
-A FORWARD_OUT_ZONES -o ens3 -g FWDO_FedoraServer

I’m not sure, but it looks ok to me?

These do look ok, and in the correct order. But the FORWARD chain is for forwarded traffic; the INPUT chain is for traffic intended for this machine.

Is the INPUT chain similar?

Also, please check that the rules you want (the permissions you want) are indeed in the FWDI_history chain or INPUT_history chain and not in FWDI_FedoraServer or INPUT_FedoraServer.

Also, I would check the default target for your “history” zone. It should be drop or reject.

One more thought.

I don’t know anything about virtual connections, as I said earlier, but another way to have two IPs is to assign them both to one physical interface. You can do it with NetworkManager; I’ve done this.

In this case, if we were using iptables, then you could either:

  1. Check for the destination IP address in addition to the port for incoming packets in each rule.

  2. Make two rules like this: if the destination IP is IP1 then use chain INCOMING_IP1, and the same for IP2.

    Then in each chain you would accept packets with permitted ports and drop all the others.

I don’t know how to do additional chains in firewalld. You have something called “rich rules” and also direct configuration in firewalld; maybe one of these can be used.

But maybe there’s a way to implement (1) quite easily. Check man firewalld.service. A service definition can contain a destination address. The destination address for incoming traffic should be one of your two IPs.

I usually copy some service.xml file from /usr/lib/firewalld/services/ to /etc/firewalld/services/, rename it to something like my-sshd.xml, then change it to suit my needs – for example, change the port for sshd from 22 to something else.

Then I do

sudo firewall-cmd --add-service=my-sshd --zone=my-zone --permanent
sudo firewall-cmd --remove-service=ssh --zone=my-zone --permanent

Be very careful with changing the sshd port in this way on a remote host, as you can easily cut yourself out!

You can do a similar thing and add a destination address to the service definition.

I can’t test if this works right now, but it’s something to try.

It may also not be the best way to accomplish what you want performance-wise, but it can work.

How about this idea?
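The destination-scoped service definition described above, as an added example that is not part of the thread: it writes a service file in the format of /usr/lib/firewalld/services/*.xml with the `<destination>` element that firewalld.service(5) documents, then prints the firewall-cmd steps to put it into use. The zone name FedoraServer is the thread's default zone (the service must go into the zone that actually receives the traffic); 192.0.2.2 is a constructed address.

```shell
#!/bin/sh
# Added example, not from the thread: a firewalld service restricted to one
# destination address, so the rule keys on the IP the packet is addressed to
# rather than on the interface it arrived on. 192.0.2.2 is a constructed
# address; "FedoraServer" is the thread's default zone.

# write_dest_service NAME PORT PROTO IPV4 OUTDIR
# Writes OUTDIR/NAME.xml in the format of /usr/lib/firewalld/services/*.xml,
# adding <destination ipv4=.../> so the service matches only that address.
# OUTDIR is /etc/firewalld/services on a real host.
write_dest_service() {
    name=$1 port=$2 proto=$3 ipv4=$4 outdir=$5
    cat > "$outdir/$name.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$name</short>
  <description>$proto/$port, only for packets addressed to $ipv4.</description>
  <port protocol="$proto" port="$port"/>
  <destination ipv4="$ipv4"/>
</service>
EOF
    printf '%s\n' "$outdir/$name.xml"
}

# apply_commands NAME ZONE: the firewall-cmd steps that put the new service into
# use. Printed rather than executed so this example runs anywhere. The runtime
# add with --timeout expires by itself, which lets you confirm remote access
# still works before making the change permanent.
apply_commands() {
    name=$1 zone=$2
    cat <<EOF
sudo firewall-cmd --reload                              # load the new service file
sudo firewall-cmd --info-service=$name                  # check the destination line
sudo firewall-cmd --zone=$zone --add-service=$name --timeout=300
sudo firewall-cmd --zone=$zone --add-service=$name --permanent
sudo firewall-cmd --zone=$zone --remove-service=ssh --permanent
sudo firewall-cmd --reload
EOF
}

# Demo: write the file to a scratch directory and show the commands.
demo_dir=$(mktemp -d)
write_dest_service my-sshd 22 tcp 192.0.2.2 "$demo_dir"
cat "$demo_dir/my-sshd.xml"
apply_commands my-sshd FedoraServer
rm -r "$demo_dir"
```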

Had to be away yesterday…

-A INPUT_ZONES -i ens3:0 -g IN_history
-A INPUT_ZONES -i ens3 -g IN_FedoraServer
-A INPUT_ZONES -g IN_FedoraServer


-N IN_FedoraServer
-N IN_FedoraServer_allow
-N IN_FedoraServer_deny
-N IN_FedoraServer_log
-N IN_history
-N IN_history_allow
-N IN_history_deny
-N IN_history_log

I’m not sure about that default drop line, but nmap’ing from outside does show both addresses as more or less the same – 22 is open in one case and just closed on the other address, as I ruled it out in the sshd conf.