firewalld: match which zone by policy

ibotty asked:

I have the following zones that are relevant for this question.

  • SemiTrusted and
  • Public

I want to treat IPSEC-encrypted traffic (that is coming from some specific IP addresses) as belonging to SemiTrusted.

In iptables I would use policy matching to use a semitrusted chain.

How can I achieve this with firewalld? I did not see any mention of policy in the firewalld man pages and did not see how to match based on ipsec policy in firewalld.richlanguage(5).

I assume I can use but I don’t know how to integrate it with the other configuration.

To make it clear, I don’t want to open ipsec ports in zone SemiTrusted. That is trivial.

My answer:

You don’t need a direct rule for this; firewalld already has a service definition for IPsec.

firewall-cmd --zone=SemiTrusted --add-service=ipsec

The definition permits all AH, ESP and UDP port 500 traffic.

You’ll need a second rule if either end has NAT and you need to add UDP port 4500:

firewall-cmd --zone=SemiTrusted --add-port=4500/udp
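The answer above hinges on what the built-in ipsec service actually opens, which is easy to check before relying on it: firewalld services are plain XML files (the shipped copies live under /usr/lib/firewalld/services/, local overrides under /etc/firewalld/services/). The following script is an added example, not code from the question, the answer or the firewalld project. It parses a service definition, reports whether AH, ESP and UDP/500 are covered, and works out which port the NAT-traversal case still needs. The embedded XML is constructed for the example and mirrors what the answer states the ipsec service contains; the installed file on a given host may differ (newer firewalld releases are assumed to have added udp/4500 to the service themselves).

```python
"""Inspect a firewalld service definition and report what it opens.

firewalld services are XML files (installed copies under
/usr/lib/firewalld/services/, local overrides under /etc/firewalld/services/).
The sample below is constructed for this example and mirrors what the answer
states the built-in "ipsec" service contains: AH, ESP and UDP/500.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample; the real file on a given host may differ (newer
# firewalld releases are assumed to include udp/4500 in this service).
IPSEC_SERVICE_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>IPsec</short>
  <description>Constructed sample of the firewalld ipsec service.</description>
  <port protocol="udp" port="500"/>
  <protocol value="ah"/>
  <protocol value="esp"/>
</service>
"""

# Traffic an IPsec peer behind NAT needs (NAT-T, RFC 3948): IKE and
# UDP-encapsulated ESP both arrive on UDP/4500.
NAT_TRAVERSAL_PORTS = {("udp", "4500")}


@dataclass
class ServiceDefinition:
    name: str
    ports: set = field(default_factory=set)      # {(protocol, port), ...}
    protocols: set = field(default_factory=set)  # raw IP protocols: {"ah", "esp", ...}


def parse_service(xml_text: str) -> ServiceDefinition:
    """Parse a firewalld <service> document into its ports and raw IP protocols."""
    root = ET.fromstring(xml_text)
    if root.tag != "service":
        raise ValueError(f"not a firewalld service definition: <{root.tag}>")
    svc = ServiceDefinition(name=root.findtext("short", default="").strip())
    for port in root.findall("port"):
        proto = port.get("protocol")
        number = port.get("port")  # a single port or a range such as "5000-5010"
        if proto not in ("tcp", "udp", "sctp", "dccp") or not number:
            raise ValueError(f"malformed <port> element: {ET.tostring(port)!r}")
        svc.ports.add((proto, number))
    for proto in root.findall("protocol"):
        value = proto.get("value")
        if not value:
            raise ValueError("malformed <protocol> element without a value")
        svc.protocols.add(value)
    return svc


def covers_ipsec(svc: ServiceDefinition) -> bool:
    """True if the service allows AH, ESP and IKE on UDP/500."""
    return {"ah", "esp"} <= svc.protocols and ("udp", "500") in svc.ports


def missing_for_nat_traversal(svc: ServiceDefinition) -> set:
    """Ports still needed when either IPsec end sits behind NAT."""
    return NAT_TRAVERSAL_PORTS - svc.ports


def extra_port_commands(zone: str, svc: ServiceDefinition) -> list:
    """firewall-cmd invocations that open whatever the service leaves out."""
    return [f"firewall-cmd --zone={zone} --add-port={port}/{proto}"
            for proto, port in sorted(missing_for_nat_traversal(svc))]


if __name__ == "__main__":
    ipsec = parse_service(IPSEC_SERVICE_XML)
    print(f"{ipsec.name}: ports={sorted(ipsec.ports)} protocols={sorted(ipsec.protocols)}")
    print("covers basic IPsec:", covers_ipsec(ipsec))
    for cmd in extra_port_commands("SemiTrusted", ipsec):
        print("NAT-T not covered by the service, add with:", cmd)
```

To check a real host instead of the constructed sample, pass the contents of /usr/lib/firewalld/services/ipsec.xml (or the override in /etc/firewalld/services/) to parse_service; the same information is available interactively from firewall-cmd --info-service=ipsec. If the installed definition already lists udp/4500, extra_port_commands returns an empty list and the second rule from the answer is unnecessary.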

