1

Topic: centos firewalld

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.6
- Linux/BSD distribution name and version: CentOS 7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): PGSQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- Related log if you're reporting an issue:
====

Hello,

I installed your 0.9.6 version on a Scaleway VPS instance and have some newbie questions regarding the CentOS firewall:

I issued the following commands:

    firewall-cmd --get-default-zone

result:
    iredmail

command:
    firewall-cmd --zone=iredmail --list-all

result:
    iredmail
    target: default
    icmp-block-inversion: no
    interfaces:
    sources:
    services: http https imap imaps pop3 pop3s smtp ssh submission
    ports:
    protocols:
    masquerade: no
    forward-ports:
    sourceports:
    icmp-blocks:
    rich rules:

So my question is, why isn't any interface listed for the zone iredmail? I'd have assumed that the primary interface (ethx) gets listed with above command.

In fact:
    firewall-cmd --get-active-zones

result: empty.

Is this some problem with the Scaleway kind of networking, where they have a private and a public IP or something? (ifconfig only shows l0 and ethx, with the private IP 10.x.x.x).

Do I have to add ethx manually to the zone iredmail, or are there any other required steps to make sure the firewall works as designed?

Thanks for any comment,

Best regards,

Max


2

Re: centos firewalld

maxomomo wrote:

So my question is, why isn't any interface listed for the zone iredmail? I'd have assumed that the primary interface (ethx) gets listed with above command.

Why do we need to list interface names?

maxomomo wrote:

In fact:
    firewall-cmd --get-active-zones

result: empty.

Did you reboot the server after iRedMail installation?

3

Re: centos firewalld

ZhangHuangbin wrote:
maxomomo wrote:

So my question is, why isn't any interface listed for the zone iredmail? I'd have assumed that the primary interface (ethx) gets listed with above command.

Why do we need to list interface names?

maxomomo wrote:

In fact:
    firewall-cmd --get-active-zones

result: empty.

Did you reboot the server after iRedMail installation?

Of course I rebooted after installation.

I am a firewalld newbie and trying to understand how things are implemented.

First thing I noticed: no interfaces listed. This worried me because in all firewalld tutorials I found, the interfaces are definitely listed when querying zone details.

Even more worrying: firewall-cmd --get-active-zones showing no active zones.

What I tried to do now:
I manually added eth to the default zone (which is iredmail):

    firewall-cmd --add-interface=eth0 --permanent

After I did that, 'firewall-cmd --get-active-zones' is showing:

    iredmail
        interfaces: eth0

So my question remains: Is it necessary to add ethernet interfaces manually to the iredmail zone when using iRedMail on CentOS?

Because without manual adding, it seems there is no active zone displayed, and therefore I assumed that there is in fact no firewall active.

After adding the interface manually, the firewall-cmd outputs seem to be correct.

Max

4

Re: centos firewalld

Is the firewalld service running after system reboot?
Without a particular interface name, it applies to all interfaces.

5 (edited by maxomomo 2017-02-02 05:59:30)

Re: centos firewalld

ZhangHuangbin wrote:

Is the firewalld service running after system reboot?
Without a particular interface name, it applies to all interfaces.

Are you sure about that?
http://serverfault.com/questions/748946 … tive-zones

Without manually adding an interface, I didn't get any active zone shown.

And that is making me at least uncomfortable. If it's default to bind to all interfaces, then why is it not shown when asking for the active zones with firewall-cmd --get-active-zones?
Is this a bug of firewalld or a misinterpretation of the default behaviour?

And yes, firewalld is running after restart.

Max.
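
The zone question raised in this thread, as an added example that is not part of any post: firewalld uses the default zone for every interface that has no explicit binding, and `--get-active-zones` reports explicit bindings, which is why it printed nothing here. The helper name `zone_for_iface` and the `SAMPLE_*` variables are hypothetical, and the sample text is constructed from the two outputs quoted above.

```shell
#!/bin/sh
# Added example: work out which firewalld zone governs an interface,
# given the default zone and the text of `firewall-cmd --get-active-zones`.
# Only interface bindings are evaluated; source bindings are ignored.

# zone_for_iface IFACE DEFAULT_ZONE ACTIVE_ZONES_TEXT  (hypothetical helper)
zone_for_iface() {
    printf '%s\n' "$3" | awk -v ifc="$1" -v def="$2" '
        /^[^ \t]/ { zone = $1; next }        # unindented line names a zone
        $1 == "interfaces:" {                # indented line lists its bindings
            for (i = 2; i <= NF; i++)
                if ($i == ifc) {
                    print zone " (explicit binding)"
                    found = 1
                    exit
                }
        }
        # No binding found: the default zone handles the interface.
        END { if (!found) print def " (default zone fallback)" }'
}

# Constructed samples modelled on the two states shown in the thread.
SAMPLE_UNBOUND=''                            # empty --get-active-zones output
SAMPLE_BOUND='iredmail
    interfaces: eth0'                        # after --add-interface=eth0

# Live check: runs only where firewalld is installed and running.
if command -v firewall-cmd >/dev/null 2>&1 &&
   [ "$(firewall-cmd --state 2>/dev/null)" = "running" ]; then
    def=$(firewall-cmd --get-default-zone)
    act=$(firewall-cmd --get-active-zones)
    for path in /sys/class/net/*; do
        ifc=${path##*/}
        [ "$ifc" = lo ] && continue          # skip loopback
        printf '%s -> %s\n' "$ifc" "$(zone_for_iface "$ifc" "$def" "$act")"
    done
fi
```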