“Reply with quote” doesn’t quote your quotation of man firewalld.zones but here it is:
How to set or change a zone for a connection?
The zone is stored into the ifcfg of the connection with the ZONE= option. If the option is missing or empty, the default zone set in firewalld is used.
If the connection is controlled by NetworkManager, you can also use nm-connection-editor to change the zone.
For the addition or change of interfaces that are not under control of NetworkManager: firewalld tries to change the ZONE setting in the ifcfg file, if an ifcfg file exists that is using the interface.
Only for the removal of interfaces that are not under control of NetworkManager: firewalld is not trying to change the ZONE setting in the ifcfg file. This is needed to make sure that an ifdown of the interface will not result in a reset of the zone setting to the default zone.
Only the zone binding is then removed in firewalld.
Now,
- It is already established that the only interface I have, eth0, is controlled by NetworkManager so only the first two sentences (below the heading) of your quotation apply.
- It is already established that ifcfg-eth0 says that ZONE=work
- The 2nd sentence says that the zone can, n.b., also be changed using nm-connection-editor. The implied other methods are mentioned in the section “How to configure or add zones?”, immediately above your quotation, and are firewall-config (graphical) and firewall-cmd (CLI).
So according to the man page I can use either method to change the zone of an interface. Not so! I ran nm-connection-editor, picked Wired connection 1 in the GUI that came up and, lo and behold, the firewall zone in the first tab was Default, and apparently NetworkManager has consistently acted on this information. So now my findings make sense and mean that the link between firewall-cmd and nm-connection-editor (NetworkManager) is broken and settings done by firewall-cmd are not picked up during boot. Question is why and what to do about it. Ideas anyone?
So using the nm-connection-editor GUI I changed the zone to work and rebooted and now I get:
sudo firewall-cmd --get-active-zones
work
interfaces: eth0
as expected.
So one by one these configuration tools seem to work regarding the zone setting but they don’t talk to each other.
But there’s more:
Although nfs is enabled in the active zone:
sudo firewall-cmd --zone=work --list-services
ssh dhcpv6-client nfs
my exports:
showmount -e
Export list for k2003734.win.foi.se:
/usr/local ki003685.win.foi.se
/disk2 ki003685.win.foi.se
/opt ki003685.win.foi.se
/home/gostal ki003685.win.foi.se
don’t show on the other machine. It is as if NetworkManager also fails to pick up this information. What do I do about that? The only thing that seems to work so far is to turn the firewall off, so it would indicate that allowing nfs in the active zone has no effect.
Cheers,
gostal
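The checks gostal walks through above, as an added example that is not part of the original thread or of firewalld/NetworkManager itself: a POSIX shell script that compares where the zone of an interface is recorded (the ZONE= option in the ifcfg file, the NetworkManager connection profile as shown by nmcli, and firewalld's runtime and permanent interface bindings) and then looks at the active zone's service list from an NFS client's point of view. firewalld's nfs service only opens 2049/tcp and 2049/udp; showmount -e and NFSv3 mounts additionally talk to rpcbind (firewalld service rpc-bind, port 111) and mountd (service mountd, port 20048), which are separate services in firewalld. The interface name eth0, the connection name "Wired connection 1" and the /etc/sysconfig/network-scripts path are taken from the post or assumed; the pure functions run anywhere, the live part only runs as root with --live on a host that has firewall-cmd and nmcli.

```shell
#!/bin/sh
# Added example for the thread above; not code from the original post.
# ifcfg_zone, zones_agree and missing_nfs_services are pure and run anywhere;
# live_check needs firewall-cmd and nmcli (as root) and only runs with --live.

# Print the ZONE= value from ifcfg-style text on stdin, or "default" when the
# option is missing or empty (firewalld then falls back to its default zone).
ifcfg_zone() {
  local z
  z=$(sed -n 's/^ZONE=//p' | tr -d '"' | tail -n 1)
  if [ -n "$z" ]; then printf '%s\n' "$z"; else printf 'default\n'; fi
}

# Arguments are source=zone pairs; the first pair is the reference. Every source
# that disagrees with it is reported on stderr; returns 1 if any disagreed.
zones_agree() {
  local ref="" pair name value rc=0
  for pair in "$@"; do
    name=${pair%%=*}
    value=${pair#*=}
    if [ -z "$ref" ]; then ref=$value; fi
    if [ "$value" != "$ref" ]; then
      printf 'MISMATCH: %s has zone "%s" but %s has "%s"\n' "${1%%=*}" "$ref" "$name" "$value" >&2
      rc=1
    fi
  done
  return $rc
}

# firewalld's "nfs" service opens only 2049/tcp+udp. showmount -e and NFSv3
# mounts also reach rpcbind (service rpc-bind, 111) and mountd (service mountd,
# 20048). Given a zone's space-separated service list, print what it lacks.
missing_nfs_services() {
  local have=" $1 " missing="" svc
  for svc in nfs rpc-bind mountd; do
    case "$have" in
      *" $svc "*) ;;
      *) missing="$missing $svc" ;;
    esac
  done
  printf '%s\n' "${missing# }"
}

# Collect the real values for one interface / NM connection and run both checks.
live_check() {
  local ifc=$1 conn=$2 ifcfg_file ifcfg_z nm_zone rt_zone perm_zone services missing
  ifcfg_file=/etc/sysconfig/network-scripts/ifcfg-$ifc   # assumed RHEL/Fedora layout
  ifcfg_z=default
  if [ -r "$ifcfg_file" ]; then ifcfg_z=$(ifcfg_zone < "$ifcfg_file"); fi
  # terse nmcli output is "connection.zone:work"; an empty value means default
  nm_zone=$(nmcli -t -f connection.zone connection show "$conn" 2>/dev/null | sed 's/^connection\.zone://')
  [ -n "$nm_zone" ] || nm_zone=default
  # what firewalld applies now versus what it has saved for the next reload/boot
  rt_zone=$(firewall-cmd --get-zone-of-interface "$ifc" 2>/dev/null) || rt_zone=default
  perm_zone=$(firewall-cmd --permanent --get-zone-of-interface "$ifc" 2>/dev/null) || perm_zone=default
  if zones_agree "ifcfg=$ifcfg_z" "nmcli=$nm_zone" "firewalld-runtime=$rt_zone" "firewalld-permanent=$perm_zone"; then
    echo "zone for $ifc is recorded consistently as: $ifcfg_z"
  fi
  [ "$rt_zone" != default ] || rt_zone=$(firewall-cmd --get-default-zone)
  services=$(firewall-cmd --zone="$rt_zone" --list-services)
  missing=$(missing_nfs_services "$services")
  if [ -n "$missing" ]; then
    echo "zone $rt_zone allows [$services]; an NFS client also needs: $missing"
    echo "e.g.: firewall-cmd --permanent --zone=$rt_zone --add-service=rpc-bind --add-service=mountd && firewall-cmd --reload"
  else
    echo "zone $rt_zone allows everything showmount and mount need"
  fi
}

# Usage: sudo ./zonecheck.sh --live [interface] [NetworkManager connection name]
if [ "${1:-}" = "--live" ]; then
  live_check "${2:-eth0}" "${3:-Wired connection 1}"
fi
```

The runtime versus permanent comparison is the one that explains a zone that is right until the next reboot: firewall-cmd without --permanent only changes the running configuration, and on a NetworkManager-managed interface the permanent record is the connection profile that nm-connection-editor or nmcli writes, not firewalld's own files.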