AllowZoneDrifting - Firewalld: What is it and should I disable it?

I am new here, so please forgive me if I am asking something silly.

I have created a DO droplet on CentOS 8. After installing firewalld, I checked its status and it gives a warning.

Apr 24 05:56:31 centos-s-1vcpu-1gb-blr1-01 firewalld[2956]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release.

I have some basic knowledge of Linux, but I don't have any knowledge about firewalld. If somebody could explain to me what AllowZoneDrifting is, that would be great.

Thanks!

asked Apr 24 '20 06:04 by Manohar Bhatia



1 Answer

No. That is a good question. You can disable it in /etc/firewalld/firewalld.conf. Search for AllowZoneDrifting in this conf and change yes to no.

From the manual:

Older versions of firewalld had undocumented behavior known as "zone drifting". This allowed packets to ingress multiple zones - this is a violation of zone based firewalls. However, some users rely on this behavior to have a "catch-all" zone, e.g. the default zone. You can enable this if you desire such behavior. It's disabled by default for security reasons.

Note: If "yes" packets will only drift from source based zones to interface based zones (including the default zone). Packets never drift from interface based zones to other interfaces based zones (including the default zone).

Possible values; "yes", "no". Defaults to "yes".

answered Sep 19 '22 13:09 by hein sat
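As an added example (not part of the answer above, and not firewalld's own tooling), here is a small bash script that reads and sets AllowZoneDrifting in a file laid out like /etc/firewalld/firewalld.conf. It assumes the KEY=value line format the answer describes and works on a constructed sample file; the real path is only the default argument of main, and editing the real file needs root.

```bash
#!/usr/bin/env bash
# Added example, not from the original post or from the firewalld project.
# Reads and sets AllowZoneDrifting in a file laid out like
# /etc/firewalld/firewalld.conf (KEY=value lines, '#' comments).
set -eu

# Print the effective AllowZoneDrifting value from the given conf file.
# A missing key means firewalld falls back to its built-in default, which the
# manual text quoted in the answer gives as "yes".
get_zone_drifting() {
    local conf="$1" val
    val=$(grep -E '^AllowZoneDrifting=' "$conf" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]')
    if [ -z "$val" ]; then
        echo "yes"
    else
        echo "$val"
    fi
}

# Set AllowZoneDrifting to "yes" or "no": replace an existing line, or append
# one when the key is absent. Any other value is rejected.
set_zone_drifting() {
    local conf="$1" value="$2" tmp
    case "$value" in
        yes|no) ;;
        *) echo "AllowZoneDrifting must be yes or no, got: $value" >&2; return 1 ;;
    esac
    if grep -qE '^AllowZoneDrifting=' "$conf"; then
        tmp=$(mktemp)
        sed -E "s/^AllowZoneDrifting=.*/AllowZoneDrifting=${value}/" "$conf" > "$tmp"
        cat "$tmp" > "$conf"   # write back in place, keeping the file's owner and mode
        rm -f "$tmp"
    else
        printf 'AllowZoneDrifting=%s\n' "$value" >> "$conf"
    fi
}

# Constructed sample conf in the shape of the real file (a few keys only).
make_sample_conf() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
# firewalld config file (constructed sample, not a real CentOS 8 file)
DefaultZone=public
# Zone drifting (see the warning quoted in the question)
AllowZoneDrifting=yes
EOF
    echo "$f"
}

# Usage: disable_zone_drifting.sh [path-to-firewalld.conf]
# Against the real file this needs root, and the change only takes effect
# once firewalld re-reads its configuration (systemctl restart firewalld).
main() {
    local conf="${1:-/etc/firewalld/firewalld.conf}"
    echo "AllowZoneDrifting before: $(get_zone_drifting "$conf")"
    set_zone_drifting "$conf" no
    echo "AllowZoneDrifting after:  $(get_zone_drifting "$conf")"
}

# Run only when a path is given explicitly, so sourcing this file for its
# functions never touches the live config by accident.
if [ $# -gt 0 ]; then
    main "$1"
fi
```

Before flipping the value on a host, remember the caveat in the manual text the answer quotes: with drifting disabled, traffic that matched a source-based zone no longer falls through to the interface's zone or the default zone, so check `firewall-cmd --get-active-zones` and make sure every source-based zone carries the services you expect on its own.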