Firewalld confusion, interface is automatically put back in wrong zone

Hi all,

I’m new to Fedora, also new to Firewalld. After reading about it, it sounds like a fantastic abstraction, very logical.

So I set about moving my nic to the public zone:

sudo firewall-cmd --zone=public --change-interface=enp114s0 --permanent
The interface is under control of NetworkManager, setting zone to 'public'.
success

That stuff about NetworkManager does not sound good, but alas, things seem to be as expected:

$ sudo firewall-cmd --get-zone-of-interface=enp114s0 
public

I remove all the services I don’t want on public (I’ll enable some on Tailscale later):

sudo firewall-cmd --zone=public --remove-service=dhcpv6-client --permanent 
sudo firewall-cmd --zone=public --remove-service=mdns --permanent 

Now we have:

$ sudo firewall-cmd --list-services --zone=public
ssh

Looks good!

However, first confusing thing: /usr/lib/firewalld/zones/public.xml still reflects the old state (even after a reboot). Why is that? Should I ignore this?

$ cat /usr/lib/firewalld/zones/public.xml 
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="mdns"/>
  <service name="dhcpv6-client"/>
  <forward/>
</zone>

The second confusing thing (and I’ve already found that NetworkManager is to blame): after a reboot my NIC enp114s0 is back in the FedoraServer zone.

This is scary stuff: I don’t want to get locked out, and I also don’t want things I don’t expect on the public interface.

I’ve read that you can disable NetworkManager, but is this really the case? I haven’t found anything on this in the official docs anywhere. I don’t feel comfortable moving forward with firewalld with such types of issues; I really need to know this won’t just reset, ever.

What is the absolute best solution to this that I can put in our internal docs?

I suppose I can just keep using the zone FedoraServer for my NIC, but would that mean NetworkManager will not change it? I prefer to fully understand these issues and deal with them thoroughly.

The zone setting is indeed controlled by NetworkManager, so that is where it should be changed.

It is possible that --permanent didn’t work as expected, so perhaps you also need to run firewall-cmd --runtime-to-permanent.

1 Like

Try

cat /etc/firewalld/zones/public.xml
1 Like

Ah yes, that matches. Thanks, I guess that overwrites the “defaults” in /usr/lib/firewalld/zones/ then?

That command does not change things; I had tried it before and just now confirmed it: the zone is reset on reboot. I’ll dig into how NetworkManager messes with zones…

I change DefaultZone=public in /etc/firewalld/firewalld.conf.

1 Like

That works!
After a reboot it now says:

$ sudo firewall-cmd --get-zone-of-interface=enp114s0 
public

I also tried to change the zone using nmcli:

$ sudo nmcli connection modify enp114s0 connection.zone public
[sudo] password for freek: 
Warning: There are 4 other connections with the name 'enp114s0'. Reference the connection by its uuid '0d77a1dd-95e1-4754-aa41-167dc6da96d9'

I could have entered that uuid, but I like your suggestion better. I’ll keep an eye on it to see if it “sticks”.

Thanks.
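As an added example (not code from the thread or from the firewalld project), this shell script models the two rules the replies above rely on: a zone file under /etc/firewalld/zones overrides the vendor default under /usr/lib/firewalld/zones, and an interface managed by NetworkManager takes its zone from the active connection profile's connection.zone, falling back to DefaultZone in /etc/firewalld/firewalld.conf when that is empty. All files and values are constructed stand-ins in a temp directory; it does not touch the live system.

```shell
# Added example, not from the thread: models how firewalld picks a zone file and how an
# NM-managed interface gets its zone, using constructed sample files in a temp dir.
set -eu

work="$(mktemp -d)"
mkdir -p "$work/usr/lib/firewalld/zones" "$work/etc/firewalld/zones"
# Constructed stand-ins for the two public.xml files in the thread: the vendor default
# under /usr/lib and the override that firewall-cmd --permanent writes under /etc.
cat > "$work/usr/lib/firewalld/zones/public.xml" <<'EOF'
<zone>
  <service name="ssh"/>
  <service name="mdns"/>
  <service name="dhcpv6-client"/>
</zone>
EOF
cat > "$work/etc/firewalld/zones/public.xml" <<'EOF'
<zone>
  <service name="ssh"/>
</zone>
EOF
printf 'DefaultZone=FedoraServer\n' > "$work/etc/firewalld/firewalld.conf"

# The file firewalld loads for a zone: /etc/firewalld wins over /usr/lib/firewalld.
zone_file() {  # $1=root dir, $2=zone name
  if [ -f "$1/etc/firewalld/zones/$2.xml" ]; then
    echo "$1/etc/firewalld/zones/$2.xml"
  else
    echo "$1/usr/lib/firewalld/zones/$2.xml"
  fi
}

# Services enabled in a zone, read from whichever file wins (space separated).
zone_services() {  # $1=root dir, $2=zone name
  sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$(zone_file "$1" "$2")" | xargs
}

# Effective zone of a NetworkManager-managed interface: connection.zone on the active
# connection profile wins; when it is empty, firewalld's DefaultZone applies.
effective_zone() {  # $1=root dir, $2=connection.zone value ('' when unset)
  if [ -n "$2" ]; then
    echo "$2"
  else
    sed -n 's/^DefaultZone=//p' "$1/etc/firewalld/firewalld.conf"
  fi
}

echo "public services: $(zone_services "$work" public)"
echo "zone, connection.zone unset:  $(effective_zone "$work" '')"
echo "zone, connection.zone=public: $(effective_zone "$work" public)"
```

The unset case is the situation in the thread: with no connection.zone on the active profile, the interface lands in whatever DefaultZone names after every reboot, which is why changing DefaultZone (or setting connection.zone on the right profile by UUID) makes the zone stick.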