Hello, as 42.3 is EOLling, we started installing the first servers with 15.1 and were very astonished by the new firewall setup.
Our machines sit in a datacenter (server only) with only one interface with a static IP.
We need http, https and ssh open to external of course, no problem.
But then, machine A needs to allow access to postgres port 5432 for (from) machine B (replication slave) ONLY.
And machine A and B need to allow access to zabbix 10050 for (from) machine C ONLY.
So a couple of questions there:
Since there is no “Custom Rules” option in yast-firewall anymore, I can’t set this up in yast (only), right?
How would I do this in firewalld conceptually? Delete the default zones except external and trusted, somehow define zone “trusted” to be “source IP” A, B, C for the hosts?
How would I actually do this? Edit the zones’ xml definitions, as I read somewhere?
(I realize this is RTFM, but I don’t know what FM to R yet.)
Does firewalld with the new yast-firewall make sense at all in this setup?
Or is another approach (ufw, firewall-builder, you-tell-me …) better suited for the server-in-datacenter situation?
(not too keen on using iptables directly, though)
But then, machine A needs to allow access to postgres port 5432 for (from) machine B (replication slave) ONLY.
And machine A and B need to allow access to zabbix 10050 for (from) machine C ONLY.
Rich rules are your friend here. Assuming all hosts have a single interface assigned to the public zone (by default). On host A, add a rich rule like this (with host B’s IP address)…
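As an added example (not code from the reply above or from the firewalld project), here is what the two restrictions in the thread look like as firewalld rich rules in the public zone: the helper names rich_rule, rules_for_host and apply_rules, and the 192.0.2.x addresses are constructed placeholders, and the apply path assumes a host where firewall-cmd is installed.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the firewalld rich rules that
# restrict one TCP port to one source host, and applies them with firewall-cmd
# when run as "sh rules.sh apply A" or "sh rules.sh apply B".
HOST_B="192.0.2.20"   # replication slave (constructed placeholder)
HOST_C="192.0.2.30"   # zabbix server (constructed placeholder)
ZONE="public"         # zone the single interface sits in (firewalld default)

# rich_rule SOURCE PORT: print a rich rule accepting TCP PORT only from SOURCE.
# The /32 mask pins the rule to exactly that one host.
rich_rule() {
    printf 'rule family="ipv4" source address="%s/32" port port="%s" protocol="tcp" accept\n' "$1" "$2"
}

# rules_for_host A|B|C: the rules each machine in the thread needs, one per line.
# A: postgres 5432 from B only, zabbix 10050 from C only. B: zabbix from C only.
rules_for_host() {
    case "$1" in
        A) rich_rule "$HOST_B" 5432
           rich_rule "$HOST_C" 10050 ;;
        B) rich_rule "$HOST_C" 10050 ;;
        *) ;;
    esac
}

# apply_rules A|B: add each rule to the permanent config, then reload.
# Caveat: do NOT also run --add-port=5432/tcp or --add-service=postgresql in
# the same zone; that opens the port to everyone and the rich rule no longer
# restricts anything. The rich rule only limits access because the zone's
# default target rejects everything that is not explicitly accepted.
apply_rules() {
    rules_for_host "$1" | while IFS= read -r rule; do
        firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$rule"
    done
    firewall-cmd --reload
}

if [ "${1:-}" = "apply" ] && [ -n "${2:-}" ]; then
    apply_rules "$2"
fi
```

Check the result with `firewall-cmd --zone=public --list-rich-rules` and confirm that `--list-ports` and `--list-services` do not also list 5432 or 10050.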
If all I’ll ever use is one zone “external” (or public), I’d rather delete the other ones from the config, so as to avoid mistakes.
But it seems that is not so easy?
Many thanks for your efforts!
We discussed this through and realized that all we really need is the “custom rules” that yast-firewall no longer provides.
So we uninstalled firewalld and yast-firewall, and installed ufw.
Using firewall-cmd adds complexity to the configuration command syntax over ufw, without any benefit that we could see for our use case.