|
 |
b8221b |
From 78060c945be591b4fe8a1b0d3f206585d3948676 Mon Sep 17 00:00:00 2001
|
|
|
b8221b |
From: Eric Garver <eric@garver.life>
|
|
|
b8221b |
Date: Fri, 2 Jul 2021 11:19:18 -0400
|
|
|
b8221b |
Subject: [PATCH 37/50] docs(firewall-*cmd): client conntrack helpers must use
|
|
|
b8221b |
a policy
|
|
|
b8221b |
|
|
|
b8221b |
Fixes: rhbz 1899933
|
|
|
b8221b |
Fixes: rhbz 1975484
|
|
|
b8221b |
(cherry picked from commit adb4ccd88e6c1fd460c9c674d89fdf89299c3970)
|
|
|
b8221b |
(cherry picked from commit 8cd0da7032080ada6b80b7f97faec6a30a8d45f5)
|
|
|
b8221b |
---
|
|
|
b8221b |
doc/xml/firewall-cmd.xml.in | 17 +++++++++++++++++
|
|
|
b8221b |
doc/xml/firewall-offline-cmd.xml | 17 +++++++++++++++++
|
|
|
b8221b |
2 files changed, 34 insertions(+)
|
|
|
b8221b |
|
|
|
b8221b |
diff --git a/doc/xml/firewall-cmd.xml.in b/doc/xml/firewall-cmd.xml.in
|
|
|
b8221b |
index 691117f3dbff..8cd67e388ef5 100644
|
|
|
b8221b |
--- a/doc/xml/firewall-cmd.xml.in
|
|
|
b8221b |
+++ b/doc/xml/firewall-cmd.xml.in
|
|
|
b8221b |
@@ -634,6 +634,23 @@
|
|
|
b8221b |
<para>
|
|
|
b8221b |
The <option>--timeout</option> option is not combinable with the <option>--permanent</option> option.
|
|
|
b8221b |
</para>
|
|
|
b8221b |
+ <para>
|
|
|
b8221b |
+ <emphasis role="bold">Note</emphasis>: Some services define connection tracking helpers.
|
|
|
b8221b |
+ Helpers that may operate in client mode (e.g. tftp) must be added to an
|
|
|
b8221b |
+ outbound policy instead of a zone to take effect for clients. Otherwise
|
|
|
b8221b |
+ the helper will not be applied to the outbound traffic. The related
|
|
|
b8221b |
+ traffic, as defined by the connection tracking helper, on the return
|
|
|
b8221b |
+ path (ingress) will be allowed by the stateful firewall rules.
|
|
|
b8221b |
+ </para>
|
|
|
b8221b |
+ <para>
|
|
|
b8221b |
+ An example of an outbound policy for connection tracking helpers:
|
|
|
b8221b |
+ <programlisting>
|
|
|
b8221b |
+# firewall-cmd --permanent --new-policy clientConntrack
|
|
|
b8221b |
+# firewall-cmd --permanent --policy clientConntrack --add-ingress-zone HOST
|
|
|
b8221b |
+# firewall-cmd --permanent --policy clientConntrack --add-egress-zone ANY
|
|
|
b8221b |
+# firewall-cmd --permanent --policy clientConntrack --add-service tftp
|
|
|
b8221b |
+ </programlisting>
|
|
|
b8221b |
+ </para>
|
|
|
b8221b |
</listitem>
|
|
|
b8221b |
</varlistentry>
|
|
|
b8221b |
|
|
|
b8221b |
diff --git a/doc/xml/firewall-offline-cmd.xml b/doc/xml/firewall-offline-cmd.xml
|
|
|
b8221b |
index 92ec55be4623..8e2dd7989956 100644
|
|
|
b8221b |
--- a/doc/xml/firewall-offline-cmd.xml
|
|
|
b8221b |
+++ b/doc/xml/firewall-offline-cmd.xml
|
|
|
b8221b |
@@ -722,6 +722,23 @@
|
|
|
b8221b |
<para>
|
|
|
b8221b |
The service is one of the firewalld provided services. To get a list of the supported services, use <command>firewall-cmd --get-services</command>.
|
|
|
b8221b |
</para>
|
|
|
b8221b |
+ <para>
|
|
|
b8221b |
+ <emphasis role="bold">Note</emphasis>: Some services define connection tracking helpers.
|
|
|
b8221b |
+ Helpers that may operate in client mode (e.g. tftp) must be added to an
|
|
|
b8221b |
+ outbound policy instead of a zone to take effect for clients. Otherwise
|
|
|
b8221b |
+ the helper will not be applied to the outbound traffic. The related
|
|
|
b8221b |
+ traffic, as defined by the connection tracking helper, on the return
|
|
|
b8221b |
+ path (ingress) will be allowed by the stateful firewall rules.
|
|
|
b8221b |
+ </para>
|
|
|
b8221b |
+ <para>
|
|
|
b8221b |
+ An example of an outbound policy for connection tracking helpers:
|
|
|
b8221b |
+ <programlisting>
|
|
|
b8221b |
+# firewall-cmd --new-policy clientConntrack
|
|
|
b8221b |
+# firewall-cmd --policy clientConntrack --add-ingress-zone HOST
|
|
|
b8221b |
+# firewall-cmd --policy clientConntrack --add-egress-zone ANY
|
|
|
b8221b |
+# firewall-cmd --policy clientConntrack --add-service tftp
|
|
|
b8221b |
+ </programlisting>
|
|
|
b8221b |
+ </para>
|
|
|
b8221b |
</listitem>
|
|
|
b8221b |
</varlistentry>
|
|
|
b8221b |
|
|
|
b8221b |
--
|
|
|
b8221b |
2.27.0
|
|
|
b8221b |
|