Old 12-02-2021, 06:17 AM   #1
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,240

Rep: Reputation: 103Reputation: 103
firewalld not working at all on alma/rocky linux 8.5


I've installed both alma and rocky linux (in case something might be different), and I can't seem to get firewalld working.
Code:
[root@alma-router zones]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2021-12-02 06:31:07 EST; 35min ago

[root@alma-router zones]# firewall-cmd --state
running

[root@alma-router zones]# ip a
[..]
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.111.66/24 brd 192.168.111.255 scope global dynamic noprefixroute ens18
[..]
3: ens19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 10.10.111.2/24 brd 10.10.111.255 scope global noprefixroute ens19
ens18 is associated with the external zone and ens19 with the internal one:
Code:
[root@alma-router zones]# firewall-cmd --zone=external --list-all
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens18
  sources:
  services:
  ports:
  protocols:
  forward: no
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

[root@alma-router zones]# firewall-cmd --zone=internal --list-all
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens19
  sources:
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
There's nothing in the iptables chains (but you can see that packets have traversed the rules):
Code:
[root@alma-router zones]# iptables -vnL
Chain INPUT (policy ACCEPT 1878 packets, 113K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 513 packets, 56552 bytes)
 pkts bytes target     prot opt in     out     source               destination


[root@alma-router zones]# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 2758 packets, 295K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 3 packets, 747 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 8 packets, 608 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 8 packets, 608 bytes)
 pkts bytes target     prot opt in     out     source               destination
nftables (if anyone is inclined to reference them, although I think firewalld still uses the iptables command, even if nftables is being used eventually) also doesn't show anything:

Code:
[root@alma-router zones]# nft list table ip filter
table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority filter; policy accept;
	}

	chain OUTPUT {
		type filter hook output priority filter; policy accept;
	}
}
I remember that in Centos 7 firewalld was also on by default and you could see from the very beginning that there was a structure there.

This has nothing to do with the runtime/permanent rules. I've tested this, nothing changes, only firewalld itself registers.

Any ideas are welcome!
 
Old 12-02-2021, 06:22 AM   #2
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,240

Original Poster
Rep: Reputation: 103Reputation: 103
Yeah, I got a little bit ahead of myself, although I did search quite a lot, but I missed something, that is to say, how to actually show the nftables rules:
Code:
nft list ruleset
It's all there. So indeed, firewalld does use nftables directly.
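As an added example (not the poster's own commands), a small POSIX shell helper that picks the right inspection command from the FirewallBackend setting in firewalld.conf and reads the zone an ingress interface is dispatched to out of a constructed excerpt of `nft list ruleset`; the chain names follow firewalld's nftables naming, but the ruleset text itself is made up for the example.

```shell
#!/bin/sh
# Constructed excerpt of what `nft list ruleset` shows on a host where
# firewalld uses its nftables backend (the RHEL 8 default). Interface
# names match the thread: ens18 -> external, ens19 -> internal.
SAMPLE_RULESET='table inet firewalld {
	chain filter_INPUT_ZONES {
		iifname "ens18" goto filter_IN_external
		iifname "ens19" goto filter_IN_internal
		goto filter_IN_public
	}
	chain filter_IN_internal_allow {
		tcp dport 22 ct state { new, untracked } accept
	}
	chain nat_POSTROUTING_ZONES {
		oifname "ens18" goto nat_POST_external
	}
}'

# Return the command that actually shows firewalld's rules, based on
# FirewallBackend= in the given firewalld.conf (unset/missing = nftables).
# With the nftables backend, `iptables -vnL` shows only empty chains.
inspect_cmd() {
    conf="$1"
    backend=$(sed -n 's/^FirewallBackend=[[:space:]]*//p' "$conf" 2>/dev/null | tail -n 1)
    case "${backend:-nftables}" in
        iptables) echo "iptables -vnL" ;;
        *)        echo "nft list table inet firewalld" ;;
    esac
}

# Print the zone an ingress interface is dispatched to, by reading the
# iifname/goto rules inside chain filter_INPUT_ZONES.
# Usage: zone_for_iface IFACE RULESET_TEXT
zone_for_iface() {
    iface="$1"; ruleset="$2"
    printf '%s\n' "$ruleset" \
      | awk -v want="$iface" '
          BEGIN { q = "\"" want "\"" }
          /chain filter_INPUT_ZONES/ { inside = 1; next }
          inside && /^[[:space:]]*}/  { inside = 0 }
          inside && $1 == "iifname" && $2 == q && $3 == "goto" {
              sub(/^filter_IN_/, "", $4); print $4; exit
          }'
}

zone_for_iface ens18 "$SAMPLE_RULESET"   # external
```

Run it against a real host by replacing SAMPLE_RULESET with `$(nft list ruleset)` and pointing inspect_cmd at /etc/firewalld/firewalld.conf.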
 