2

I have setup a pi running Pi OS 11 as a VPN gateway for my local network using Wireguard & Nftables, that all works fine.

However, I wish to switch over to firewalld to be compatible with docker without using iptables.

What I have so far is this:

  • internal zone: eth0
  • external zone: wg0

I cannot figure out how to get firewalld to forward traffic between eth0 & wg0. With raw nftables I just have the following, my forward chain drops by default:

nft insert rule inet firewall forward iifname "eth0" oifname "wg0" accept
nft insert rule inet firewall forward iifname "wg0" oifname "eth0" ct state related,established accept

But I cannot find out how to conditionally forward between interfaces, as the above rules.

I do not want eth0 in the external zone with wg0 as I want internet access kill-switched if the VPN goes down, plus it sort of goes against the whole idea of zones no? eth0 is just for the LAN & wg0 is for external connectivity.

uhsl_m
  • 123

1 Answers1

3

With firewalld 0.9 and newer, you use firewalld policy objects to control cross-zone forwarding (prior to firewalld 0.9, there wasn't a way to do this).

If you have eth0 bound to your internal zone, and wg0 bound to your external zone, you could use the following series of commands to create a new custom policy, internal2external, and use the policy to accept all new connections forwarded from eth0 to wg0:

firewall-cmd --runtime-to-permanent
firewall-cmd --permanent --new-policy=internal2external
firewall-cmd --permanent --policy=internal2external --set-target=ACCEPT
firewall-cmd --reload
firewall-cmd --policy=internal2external --add-ingress-zone=internal
firewall-cmd --policy=internal2external --add-egress-zone=external

(Firewalld automatically adds blanket rules to accept all established/related forwarded connections, so you don't need to set up anything separately for the reverse path if it only needs to forward already-established connections.)

Justin Ludwig
  • 784