This post explains how to deal with the warning (AllowZoneDrifting ...) raised by firewalld, the firewall that ships by default on Linux systems.

About the warning message

This is the warning as it actually appears in the service status output:
```
[root@STKAWX001 ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: active (running) since Wed 2022-11-02 11:09:02 JST; 35min ago
     Docs: man:firewalld(1)
 Main PID: 1881 (firewalld)
    Tasks: 3 (limit: 11408)
   Memory: 24.8M
   CGroup: /system.slice/firewalld.service
           └─1881 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid

Nov 02 11:09:02 STKAWX001.localhost systemd[1]: Starting firewalld - dynamic firewall daemon...
Nov 02 11:09:02 STKAWX001.localhost systemd[1]: Started firewalld - dynamic firewall daemon.
Nov 02 11:09:02 STKAWX001.localhost firewalld[1881]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.
Nov 02 11:10:23 STKAWX001.localhost firewalld[1881]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.
Nov 02 11:11:33 STKAWX001.localhost firewalld[1881]: WARNING: NOT_ENABLED: 8080:tcp
Nov 02 11:12:30 STKAWX001.localhost firewalld[1881]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.
Nov 02 11:13:41 STKAWX001.localhost firewalld[1881]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.
Nov 02 11:19:02 STKAWX001.localhost firewalld[1881]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.
```
How to fix it

From what I can tell, this warning is emitted when you open a port (or make a similar change) while the firewalld setting "AllowZoneDrifting" is enabled. As the comment in firewalld.conf explains, zone drifting lets a packet be matched by more than one zone, which is why firewalld flags it as an insecure option.

So we disable AllowZoneDrifting.

First, make a backup of the firewalld configuration file.
```
[root@STKAWX001 ~]# cp -pv /etc/firewalld/firewalld.conf /etc/firewalld/firewalld.conf.org
'/etc/firewalld/firewalld.conf' -> '/etc/firewalld/firewalld.conf.org'
```

Edit the configuration file with the vi command.

```
[root@STKAWX001 ~]# vi /etc/firewalld/firewalld.conf
```

As shown below, comment out "AllowZoneDrifting=yes" and add "AllowZoneDrifting=no" (the last two lines of the file).
```
# firewalld config file

# default zone
# The default zone used if an empty zone string is used.
# Default: public
DefaultZone=public

# Clean up on exit
# If set to no or false the firewall configuration will not get cleaned up
# on exit or stop of firewalld
# Default: yes
CleanupOnExit=yes

# Lockdown
# If set to enabled, firewall changes with the D-Bus interface will be limited
# to applications that are listed in the lockdown whitelist.
# The lockdown whitelist file is lockdown-whitelist.xml
# Default: no
Lockdown=no

# IPv6_rpfilter
# Performs a reverse path filter test on a packet for IPv6. If a reply to the
# packet would be sent via the same interface that the packet arrived on, the
# packet will match and be accepted, otherwise dropped.
# The rp_filter for IPv4 is controlled using sysctl.
# Default: yes
IPv6_rpfilter=yes

# IndividualCalls
# Do not use combined -restore calls, but individual calls. This increases the
# time that is needed to apply changes and to start the daemon, but is good for
# debugging.
# Default: no
IndividualCalls=no

# LogDenied
# Add logging rules right before reject and drop rules in the INPUT, FORWARD
# and OUTPUT chains for the default rules and also final reject and drop rules
# in zones. Possible values are: all, unicast, broadcast, multicast and off.
# Default: off
LogDenied=off

# FirewallBackend
# Selects the firewall backend implementation.
# Choices are:
#   - nftables (default)
#   - iptables (iptables, ip6tables, ebtables and ipset)
FirewallBackend=nftables

# FlushAllOnReload
# Flush all runtime rules on a reload. In previous releases some runtime
# configuration was retained during a reload, namely; interface to zone
# assignment, and direct rules. This was confusing to users. To get the old
# behavior set this to "no".
# Default: yes
FlushAllOnReload=yes

# RFC3964_IPv4
# As per RFC 3964, filter IPv6 traffic with 6to4 destination addresses that
# correspond to IPv4 addresses that should not be routed over the public
# internet.
# Defaults to "yes".
RFC3964_IPv4=yes

# AllowZoneDrifting
# Older versions of firewalld had undocumented behavior known as "zone
# drifting". This allowed packets to ingress multiple zones - this is a
# violation of zone based firewalls. However, some users rely on this behavior
# to have a "catch-all" zone, e.g. the default zone. You can enable this if you
# desire such behavior. It's disabled by default for security reasons.
# Note: If "yes" packets will only drift from source based zones to interface
# based zones (including the default zone). Packets never drift from interface
# based zones to other interfaces based zones (including the default zone).
# Possible values; "yes", "no". Defaults to "yes".
#AllowZoneDrifting=yes
AllowZoneDrifting=no
```
After editing the configuration file, restart firewalld.

```
[root@STKAWX001 ~]# systemctl restart firewalld
```

Check whether the warning message is gone.
```
[root@STKAWX001 ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: active (running) since Wed 2022-11-02 11:46:46 JST; 11s ago
     Docs: man:firewalld(1)
 Main PID: 2136 (firewalld)
    Tasks: 2 (limit: 11408)
   Memory: 22.3M
   CGroup: /system.slice/firewalld.service
           └─2136 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid

Nov 02 11:46:46 STKAWX001.localhost systemd[1]: Starting firewalld - dynamic firewall daemon...
Nov 02 11:46:46 STKAWX001.localhost systemd[1]: Started firewalld - dynamic firewall daemon.
```

The warning message is gone, as expected.
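As an added example that is not part of the original post, the following POSIX shell functions perform the same edit on any firewalld.conf path handed to them (so they can be tried on a scratch copy first), read back the value firewalld would actually use, and count the warning in captured status output. The function names and the sample config contents are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes POSIX sh with
# grep, sed and mktemp; the config path is a parameter so the functions
# can be tried on a scratch copy before /etc/firewalld/firewalld.conf.

# Effective value of KEY in FILE: the last uncommented assignment wins,
# which is what firewalld reads; prints "unset" if there is none.
fw_effective_value() {
    file=$1; key=$2
    v=$(grep -E "^[[:space:]]*${key}[[:space:]]*=" "$file" | tail -n 1 \
        | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unset\n'; fi
}

# Comment out every active AllowZoneDrifting line and append
# AllowZoneDrifting=no once, keeping a .org backup as the post does.
# Returns 0 when the file was changed, 1 when it was already "no".
fw_disable_zone_drifting() {
    file=$1
    [ "$(fw_effective_value "$file" AllowZoneDrifting)" = no ] && return 1
    cp -p "$file" "$file.org"
    tmp=$(mktemp) || return 2
    sed -E 's/^([[:space:]]*AllowZoneDrifting[[:space:]]*=)/#\1/' "$file" > "$tmp"
    printf 'AllowZoneDrifting=no\n' >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"   # keeps the file's owner and mode
}

# Count the zone-drifting warning in systemctl/journalctl text on stdin.
fw_count_drift_warnings() {
    grep -c 'WARNING: AllowZoneDrifting is enabled' || true
}

# Demo on a constructed scratch config (sample content, not the real file).
demo=$(mktemp)
cat > "$demo" <<'EOF'
DefaultZone=public
# Possible values; "yes", "no". Defaults to "yes".
AllowZoneDrifting=yes
EOF
fw_disable_zone_drifting "$demo"
fw_effective_value "$demo" AllowZoneDrifting    # prints: no
rm -f "$demo" "$demo.org"
```

Running the disable step a second time is a no-op, so it is safe to use from configuration management.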