From 83f4c87139f5e00994c9afdb272af26a2e4d28e3 Mon Sep 17 00:00:00 2001 From: Peter Boy Date: Sep 23 2022 06:25:43 +0000 Subject: Updated and introduced firewall policies instead of rules. --- diff --git a/docs/modules/ROOT/pages/sysadmin-dnsmasq.adoc b/docs/modules/ROOT/pages/sysadmin-dnsmasq.adoc index 3f1e6e3..64a5c39 100644 --- a/docs/modules/ROOT/pages/sysadmin-dnsmasq.adoc +++ b/docs/modules/ROOT/pages/sysadmin-dnsmasq.adoc @@ -4,7 +4,7 @@ Peter Boy; Emmmanuel Seyman [sidebar] **** -Author: Peter Boy (pboy) | Creation Date: 2022-05-14 | Last update: n/a | Related Fedora Version(s): 35,36 +Author: Peter Boy (pboy) | Creation Date: 2022-05-14 | Last update: 2022-09-23 | Related Fedora Version(s): 35,36 **** [abstract] @@ -242,6 +242,8 @@ yes 2. Allowing forwarding from the internal, private network to the external interface and further to the public network. + +a. A commonly used way to accomplish this is to set 'rules' in the firewall configuration. Corresponding tutorials are very widespread. And those who are familiar with it may want to continue using it. ++ [source,] ---- […]# firewall-cmd --get-active-zones 
@@ -257,6 +259,29 @@ success success ---- +b. Fedora's firewall daemon, however, offers with release 35 and beyond a more elegant option, so-called 'policies'. These abstract typical targets previously configured by rules. ++ +[source,] +---- +[…]# firewall-cmd --get-active-zones +FedoraServer + interfaces: enp1s0 +trusted + interfaces: vbr2s0 enp2s0 +[…]# firewall-cmd --permanent --new-policy trustedToExt + success +[…]# firewall-cmd --permanent --policy trustedToExt --add-ingress-zone trusted + success +[…]# firewall-cmd --permanent --policy trustedToExt --add-egress-zone FedoraServer + success +[…]# firewall-cmd --permanent --policy trustedToExt --set-target ACCEPT + success +[…]# firewall-cmd --reload + success +---- ++ +This method is much clearer, improves maintainability and reduces sources of potential errors. The documentation of the upstream project provides https://firewalld.org/2020/09/policy-objects-introduction[more information]. + == Integrate libvirt's virtual interface In case libvirt and virualization including a virtual network for the virtual machines, libvirt installs and configures its own dnsmasq instance. In most cases it is just convenient, instead of replacing the libvirt _default_ network to integrate it in NetworkManagers dnsmasq plugin. Thus, two instances of dnsmasq operate along each other.
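Review bot: in the `@@ -242,6` hunk the new `a.` item introduces the listing with `[source,]`, which leaves the AsciiDoc source language attribute empty; since the block is a shell session, `[source,shell]` (or `[source,console]`) would enable highlighting and is the form to use consistently in the later policy listing as well. The closing sentence "And those who are familiar with it may want to continue using it." reads as a fragment; suggest "Those already familiar with this approach may want to continue using it." Also worth stating in the item text what the rules-based variant actually configures (the hunk only shows the `--get-active-zones` call before the cut), so readers can compare it with the policy variant that follows.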
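Review bot: in the `@@ -257,6` hunk the policy `trustedToExt` with ingress zone `trusted`, egress zone `FedoraServer` and `--set-target ACCEPT` permits all forwarded traffic from every interface in `trusted` (`vbr2s0`, `enp2s0`) toward `enp1s0`; the text should say so explicitly, and should note that `--set-target ACCEPT` is required because a newly created policy defaults to target CONTINUE, which by itself forwards nothing. The hunk does not show whether masquerading is enabled on the `FedoraServer` zone; if the rules-based variant in item a. relies on a masquerade setting, state that the policy replaces only the forwarding rules and not the masquerade. Two cosmetic points: the `success` lines are indented with two spaces here, whereas the context lines at the top of this hunk show `success` flush left as `firewall-cmd` prints it, and `[source,]` leaves the language attribute empty (use `[source,shell]`). In the prose, "offers with release 35 and beyond a more elegant option" reads awkwardly; suggest "from release 35 on, Fedora's firewall daemon offers a more elegant option, so-called 'policies', which replace the forwarding rules previously needed for this purpose."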