ttrcf wrote:

>
> KBOYLE;56640 Wrote:
> > ttrcf wrote:
> >
> > > My difficulty is how to apply separate rules to the traffic from
> > > the private network that is destined for the router machine via
> > > the adapter in the internal firewall zone

> >
> > That is what I understood.
> >
> > Can you not configure both interfaces as external and then permit
> > specific traffic to/from each interface?
> >
> > --
> > Kevin Boyle - Knowledge Partner
> > If you find this post helpful and are logged into the web interface,
> > please show your appreciation and click on the star below this post.
> > Thank you.

>
> Kevin
>
> Thanks again but I am not sure what you mean by this. If I have both
> NICs in the same zone will they not pick up exactly the same rules?
> Could you perhaps give an example of a firewalld rule that would act
> on traffic between two interfaces in the same zone?



Hi Rob,

I have not worked with SLES 15 so I'm going to let someone else jump in
and offer some suggestions...

I've done a lot of firewall configuration in SLES 11 which uses
SuSEfirewall2 but things have changed in SLES 15.

Have you read the documentation?
https://www.suse.com/documentation/sles-15/index.html

The firewall is mentioned throughout the various documents but the
Security Guide seems to have the most relevant information. See the
section on Masquerading and Firewalls:

https://www.suse.com/documentation/s..._firewall.html


> I was playing yesterday with outbound rules on the external interface
> and managed to block all outgoing traffic except DNS and SSH. This
> worked for traffic from the external zone but did not affect the
> masqueraded traffic from the internal zone, even though it was passing
> through the external interface. Is this expected behaviour?


firewalld appears to be quite different from SuSEfirewall2. Until I
have worked with it I can't say what is expected behaviour.

While you can easily configure rules you have to be careful. Until you
understand all the nuances of the application and the configuration
utility, the rules you define may not produce the results you desire
and may even allow unintentional access.

Most firewall configuration tools use the concept of zones to create a
set of default rules to simplify the configuration. Typically, an
external zone is associated with a public network where all input is
blocked unless it is specifically enabled while an internal zone is
associated with a trusted network where all input is permitted. When
you configure a system to function as a router you want some traffic to
pass from one interface to another. To accomplish this you need to
enable "forwarding" then define rules to permit specific types of
traffic.

My earlier suggestion to put both your interfaces into the external
zone would mean that input from both interfaces would be blocked by
default. You would then have to create rules to define what services on
your server, if any, can be accessed from a specific interface and
additional rules to permit specific types of traffic to pass from one
interface to the other. How you might do that depends on the specific
firewall configuration tool you are using.

I hope that helps.

--
Kevin Boyle - Knowledge Partner
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below this post.
Thank you.
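
The approach described in the post above (both NICs in the default-deny external zone, then per-interface rules for services on the router and for forwarded traffic), sketched with firewalld's direct-rule interface. This is an added example, not part of the original thread. The interface names `eth0`/`eth1`, SSH to the router from the private side, and a firewalld setup using the iptables backend (where direct rules are checked ahead of zone rules) are assumptions; DNS and SSH as the forwarded services come from the question.

```shell
#!/bin/sh
# Added example. Interface names and the allowed services are assumptions.
EXT_IF="${EXT_IF:-eth0}"   # assumed: NIC on the public network
INT_IF="${INT_IF:-eth1}"   # assumed: NIC on the private network
FW="firewall-cmd --permanent"

# Emit one direct rule: $1 = chain, $2 = priority, the rest is the match/target.
direct() {
    chain=$1; prio=$2; shift 2
    echo "$FW --direct --add-rule ipv4 filter $chain $prio $*"
}

# Print the full command list; nothing is changed on the system by this function.
router_rules() {
    # Both NICs go into the default-deny external zone.
    echo "$FW --zone=external --change-interface=$EXT_IF"
    echo "$FW --zone=external --change-interface=$INT_IF"
    # A zone service applies to every NIC in the zone, so remove ssh there
    # (if it is enabled) and re-allow it per interface below.
    echo "$FW --zone=external --remove-service=ssh"
    # Services on the router itself: SSH only from the private side.
    direct INPUT 0 -i "$INT_IF" -p tcp --dport 22 -j ACCEPT
    # Forwarded traffic, private -> public: DNS and SSH only.
    direct FORWARD 0 -i "$INT_IF" -o "$EXT_IF" -p udp --dport 53 -j ACCEPT
    direct FORWARD 0 -i "$INT_IF" -o "$EXT_IF" -p tcp --dport 53 -j ACCEPT
    direct FORWARD 0 -i "$INT_IF" -o "$EXT_IF" -p tcp --dport 22 -j ACCEPT
    # A higher priority number is evaluated later: reject everything else
    # explicitly so a zone-level masquerade setting cannot let it through.
    direct FORWARD 10 -i "$INT_IF" -o "$EXT_IF" -j REJECT
    echo "firewall-cmd --reload"
}
```

Call `router_rules` to print the commands for review, then pipe the output to `sh` as root to apply them; `firewall-cmd --direct --get-all-rules` lists what was installed.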