
RHEL9 with firewalld 1.2.1 and nftables 1.0.4.

I am trying to understand the default behavior.

Source 10.0.0.0/24 is in a custom zone. Target default. Service ssh and port 5000 are set here.

Interface ens01 is in the public zone. Target default. Port 9000 is allowed here.

Trying to reach server:9000 from 10.0.0.5 is rejected in the custom zone.

I thought the behavior is that if the custom zone matches the source (10.0.0.5) but doesn't have a rule for the destination port, and target is default, then it should go back to the input chain and check the interface, which is the public zone that should allow port 9000.

But it's just being rejected at the custom zone instead of "default (continue)". Why?

  • I looked at nft list ruleset and both filter in public and filter in custom zone have a reject statement in them. This isn't set in my firewalld commands. Is this just the default behavior? Commented Jun 6, 2024 at 18:48
  • I guess this is due to firewalld default zone target behavior now basically reject except for icmp? Commented Jun 6, 2024 at 18:54
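The following is an added illustration, not firewalld's own code and not part of the question. It models firewalld's documented zone dispatch: a packet's source address is matched against zone source bindings first, then its ingress interface against interface bindings, then the default zone; the packet is then evaluated in exactly that one zone, and with target `default` whatever the zone does not explicitly allow hits the reject at the end of the zone's filter chain (the reject statement the comment above observed in `nft list ruleset`). There is no hand-off to a second zone. The zone layout is taken from the question; the mapping of service ssh to 22/tcp, the address 192.0.2.7 and the default zone being `public` are assumptions.

```python
"""Toy model of firewalld zone dispatch (illustration, not firewalld code).

Lookup order, as documented by firewalld:
  1. zone with a matching source binding
  2. zone with a matching interface binding
  3. the default zone
A packet is evaluated in one zone only. Target "default" behaves like
reject for anything the zone's own rules do not allow.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    target: str = "default"            # "default", "ACCEPT", "DROP" or "REJECT"
    sources: list = field(default_factory=list)     # CIDR strings
    interfaces: list = field(default_factory=list)  # interface names
    ports: set = field(default_factory=set)         # (port, proto) tuples


# Zone layout from the question. ssh = 22/tcp is an assumption.
ZONES = [
    Zone("custom", sources=["10.0.0.0/24"], ports={(22, "tcp"), (5000, "tcp")}),
    Zone("public", interfaces=["ens01"], ports={(9000, "tcp")}),
]
DEFAULT_ZONE = "public"   # assumed; check with `firewall-cmd --get-default-zone`


def select_zone(src_ip, iface, zones=ZONES, default_zone=DEFAULT_ZONE):
    """Return the single zone that will evaluate this packet."""
    addr = ipaddress.ip_address(src_ip)
    for z in zones:                                    # 1. source bindings win
        if any(addr in ipaddress.ip_network(s) for s in z.sources):
            return z
    for z in zones:                                    # 2. then interface bindings
        if iface in z.interfaces:
            return z
    return next(z for z in zones if z.name == default_zone)   # 3. default zone


def verdict(src_ip, iface, dport, proto="tcp", zones=ZONES):
    """Return (zone name, verdict) for an inbound packet to dport/proto."""
    z = select_zone(src_ip, iface, zones)
    if (dport, proto) in z.ports or z.target == "ACCEPT":
        return z.name, "accept"
    if z.target == "DROP":
        return z.name, "drop"
    # target "default" and "REJECT": the zone chain ends in a reject;
    # the packet is NOT re-evaluated against the interface's zone.
    return z.name, "reject"


if __name__ == "__main__":
    # 10.0.0.5 is inside 10.0.0.0/24, so the custom zone handles it even
    # though it arrives on ens01; 9000/tcp is not allowed there -> reject.
    for pkt in [("10.0.0.5", "ens01", 9000),
                ("10.0.0.5", "ens01", 5000),
                ("192.0.2.7", "ens01", 9000)]:    # 192.0.2.7: constructed source
        print(pkt, "->", verdict(*pkt))
```

Running the block prints the custom zone rejecting 10.0.0.5 on 9000/tcp while the same port from an address outside 10.0.0.0/24 is accepted in the public zone, which is the behaviour the question describes. The practical consequence for the layout in the question is that every port a source-bound zone's clients need must be allowed in that zone itself; the interface zone never sees their traffic.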
