The firewalld service does not allow packet transmission between two different zones

Environment

  • Red Hat Enterprise Linux 9

In zone-based firewalls, a packet enters only one zone. Forwarding it implicitly into another zone violates this concept and can unexpectedly allow traffic or expose services.

In certain situations, for example if you run firewalld on a router, packets are therefore no longer implicitly forwarded between two different zones. This behavior change affects configurations that use masquerade in an external zone, a public zone, or a secondary internal zone.

You can choose from two solutions to enable traffic forwarding from one zone to another.

  • Use the trusted zone on the LAN side.
    The trusted zone has the target ACCEPT (set with --set-target=ACCEPT), so traffic forwarded from it is allowed. Utilities and services such as podman and libvirt use this solution.

  • Use a policy to allow forwarded traffic:

    # firewall-cmd --permanent --new-policy masqueradePolicy
    # firewall-cmd --permanent --policy masqueradePolicy --add-ingress-zone internal
    # firewall-cmd --permanent --policy masqueradePolicy --add-egress-zone external
    # firewall-cmd --permanent --policy masqueradePolicy --set-target=ACCEPT
    
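The same policy can be kept as a file under /etc/firewalld/policies/ instead of being created with firewall-cmd, which is convenient for configuration management. The following added example (not part of this article) generates that file and checks that an existing policy file really permits forwarding between two zones; it assumes the file format documented in firewalld.policy(5), a <policy> root with a target attribute and ingress-zone/egress-zone children.

```python
"""Generate and verify a firewalld policy file (added example, not from the article).

Assumption: the file format follows firewalld.policy(5), i.e. a <policy> root
with a target attribute and ingress-zone/egress-zone children. A file written
this way belongs in /etc/firewalld/policies/<name>.xml and is loaded after
`firewall-cmd --reload`.
"""
import xml.etree.ElementTree as ET


def build_policy(name: str, ingress: str, egress: str, target: str = "ACCEPT") -> str:
    """Return the XML equivalent of the four firewall-cmd commands shown above."""
    root = ET.Element("policy", target=target)
    ET.SubElement(root, "short").text = name
    ET.SubElement(root, "ingress-zone", name=ingress)
    ET.SubElement(root, "egress-zone", name=egress)
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")


def policy_forwards(xml_text: str, ingress: str, egress: str) -> bool:
    """True if the policy accepts traffic from zone `ingress` to zone `egress`.

    Only an explicit ACCEPT target counts: the default target (CONTINUE) leaves
    the decision to the zones and does not enable inter-zone forwarding.
    The special zone name ANY matches every zone.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "policy" or root.get("target") != "ACCEPT":
        return False
    ingress_ok = any(z.get("name") in (ingress, "ANY") for z in root.findall("ingress-zone"))
    egress_ok = any(z.get("name") in (egress, "ANY") for z in root.findall("egress-zone"))
    return ingress_ok and egress_ok


if __name__ == "__main__":
    text = build_policy("masqueradePolicy", "internal", "external")
    print(text)
    print("forwards internal -> external:", policy_forwards(text, "internal", "external"))
```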