AllowZoneDrifting - Firewalld: What is it and should I disable it?

Question

I am new here, so please forgive me if I am asking something silly.

I have created a DO droplet on CentOS 8. After installing firewalld, I checked its status and it gives a warning.

Apr 24 05:56:31 centos-s-1vcpu-1gb-blr1-01 firewalld[2956]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release.

I have some basic knowledge of Linux, but I don't have any knowledge about firewalld. If somebody could explain to me what AllowZoneDrifiting is, that would be great.

Thanks!

Answer 1

No. That is a good question. You can disable it in /etc/firewalld/firewalld.conf. Search for AllowZoneDrifting in this conf and change yes to no.

From the manual:

Older versions of firewalld had undocumented behavior known as "zone drifting". This allowed packets to ingress multiple zones - this is a violation of zone based firewalls. However, some users rely on this behavior to have a "catch-all" zone, e.g. the default zone. You can enable this if you desire such behavior. It's disabled by default for security reasons.

Note: If "yes" packets will only drift from source based zones to interface based zones (including the default zone). Packets never drift from interface based zones to other interfaces based zones (including the default zone).

Possible values; "yes", "no". Defaults to "yes".