
I am new here, so please forgive me if I am asking something silly.

I have created a DO droplet on CentOS 8. After installing firewalld, I checked its status and it gives a warning.

Apr 24 05:56:31 centos-s-1vcpu-1gb-blr1-01 firewalld[2956]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release.

I have some basic knowledge of Linux, but I don't have any knowledge about firewalld. If somebody could explain to me what AllowZoneDrifting is, that would be great.

Thanks!

mybrave
Manohar Bhatia

3 Answers


No. That is a good question. You can disable it in /etc/firewalld/firewalld.conf. Search for AllowZoneDrifting in this conf and change yes to no.

From the manual:

Older versions of firewalld had undocumented behavior known as "zone drifting". This allowed packets to ingress multiple zones - this is a violation of zone based firewalls. However, some users rely on this behavior to have a "catch-all" zone, e.g. the default zone. You can enable this if you desire such behavior. It's disabled by default for security reasons.

Note: If "yes" packets will only drift from source based zones to interface based zones (including the default zone). Packets never drift from interface based zones to other interfaces based zones (including the default zone).

Possible values; "yes", "no". Defaults to "yes".

hein sat
    I’ve fixed this for you, but in the future always be sure to make it clear what content is a quote, and provide a citation for it. – Jeremy Caney May 12 '20 at 06:30
  • Thank you. I will try it in future. – hein sat May 12 '20 at 12:15
  • 2
    After that change `firewall-cmd --reload` was not enough for me, I had to `systemctl restart firewalld` (CentOS 7) – dstonek Jun 04 '21 at 19:53
  • 4
    If this is insecure _and_ deprecated, why is this set as the default configuration? Does setting it to "no" break any typical or default configurations? – cazort Aug 09 '21 at 15:22
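One way to make the change described in this answer repeatable across hosts, as an added example that is not code from the thread or from the firewalld project: a POSIX shell script that reports the active AllowZoneDrifting value in a firewalld.conf and rewrites it to "no", replacing the live key line (commented-out lines are left alone), appending the key if it is absent, and keeping a backup of the original file. The function names, the `--apply` flag and the optional path argument are assumptions for illustration; the default path is the one named in the answer.

```shell
#!/bin/sh
# Added example (not from the original thread or the firewalld project).
# Reports and hardens the AllowZoneDrifting setting in a firewalld.conf.
set -eu

# Print the effective AllowZoneDrifting value from a conf file.
# Only uncommented "AllowZoneDrifting=..." lines count; the last one wins,
# matching how a later duplicate key would override an earlier one.
# Prints "unset" when the key is absent.
zone_drifting_value() {
    _conf="$1"
    _val=$(sed -n 's/^[[:space:]]*AllowZoneDrifting[[:space:]]*=[[:space:]]*//p' "$_conf" | tail -n 1)
    if [ -z "$_val" ]; then
        echo "unset"
    else
        echo "$_val"
    fi
}

# Rewrite the file so that AllowZoneDrifting=no is the active setting.
# Existing active key lines are replaced in place; if none exists the key is
# appended. A copy of the original is kept as <conf>.bak. Prints the new value.
disable_zone_drifting() {
    _conf="$1"
    _tmp="$_conf.tmp.$$"
    cp -p "$_conf" "$_conf.bak"
    awk '
        /^[[:space:]]*AllowZoneDrifting[[:space:]]*=/ { print "AllowZoneDrifting=no"; seen = 1; next }
        { print }
        END { if (!seen) print "AllowZoneDrifting=no" }
    ' "$_conf" > "$_tmp" && mv "$_tmp" "$_conf"
    zone_drifting_value "$_conf"
}

# Usage (assumed interface): sh harden_zone_drifting.sh --apply [/path/to/firewalld.conf]
# Run as root. Nothing is modified unless --apply is given.
if [ "${1:-}" = "--apply" ]; then
    _target="${2:-/etc/firewalld/firewalld.conf}"
    echo "before: AllowZoneDrifting=$(zone_drifting_value "$_target")"
    echo "after:  AllowZoneDrifting=$(disable_zone_drifting "$_target")"
    echo "Restart firewalld to pick up the change: systemctl restart firewalld"
fi
```

The script prints the value before and after so the change can be checked in a deployment log, and it refuses to touch anything without `--apply`. After applying it, restart the service rather than only reloading it, as dstonek's comment above reports that `firewall-cmd --reload` was not sufficient; the warning line from the question should then no longer appear in `systemctl status firewalld`.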

firewalld maintainer speaking.

In firewalld, and other zone based firewalls, a packet should ingress one and only one zone. Zone drifting violates that principle.

AllowZoneDrifting should be disabled if possible (as indicated by the log). Upstream firewalld defaults to no, but some Linux distributions override it to yes to preserve existing behavior. Some users rely on the "fall through" behavior even if its correctness is questionable.

See the upstream blog for more information and a list of bugs that were the motivation for fixing zone drifting.

erig

FYI, today I performed a clean install of RHEL 8.6 and I noticed in /etc/firewalld/firewalld.conf that AllowZoneDrifting=yes by default.

Eric Bos
  • Check status using "systemctl -l status firewalld" and it will probably suggest to you that you should consider disabling it: "WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now." – Oct 20 '22 at 17:59
  • It's the default in RHEL 8, as a default will not be changed within a major version. Check https://access.redhat.com/articles/4855631 for further information. – knumskull May 06 '23 at 12:50