I am new here, so please forgive me if I am asking something silly.
I have created a DO droplet on CentOS 8. After installing firewalld, I checked its status and it gives a warning.
Apr 24 05:56:31 centos-s-1vcpu-1gb-blr1-01 firewalld[2956]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release.
I have some basic knowledge of Linux, but I don't have any knowledge about firewalld. If somebody could explain to me what AllowZoneDrifting is, that would be great.
Thanks!
3 Answers
No. That is a good question. You can disable it in /etc/firewalld/firewalld.conf. Search for AllowZoneDrifting in this conf and change yes to no. From the manual:
firewalld maintainer speaking.
In firewalld, and other zone based firewalls, a packet should ingress one and only one zone. Zone drifting violates that principle.
AllowZoneDrifting should be disabled if possible (as indicated by the log). Upstream firewalld defaults to no, but some Linux distributions override it to yes to preserve existing behavior. Some users rely on the "fall through" behavior even if its correctness is questionable. See the upstream blog for more information and a list of bugs that were the motivation for fixing zone drifting.
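The change recommended in the first answer and the maintainer's note above, as an added example that is not part of this thread: a POSIX shell script that reports the effective AllowZoneDrifting value in a firewalld.conf (ignoring commented-out keys and falling back to the upstream default of no) and rewrites the file so the key is set to no. The path argument and the sample config built inside the script are assumptions, not data from a real host.

```shell
#!/bin/sh
# Added example, not from the thread: audit and harden AllowZoneDrifting
# in a firewalld.conf. The file path passed in and the sample config built
# below are assumptions / constructed data, not copied from a real host.
set -eu

# Print the effective AllowZoneDrifting value from a firewalld.conf.
# Skips commented-out keys, tolerates whitespace, lets the last occurrence
# win, and falls back to the upstream default ("no") when the key is absent.
zone_drifting_setting() {
    value=$(sed -n -E \
        's/^[[:space:]]*AllowZoneDrifting[[:space:]]*=[[:space:]]*([A-Za-z]+).*/\1/p' \
        "$1" | tail -n 1 | tr 'A-Z' 'a-z')
    printf '%s\n' "${value:-no}"
}

# Set AllowZoneDrifting=no in place, appending the key if it is missing.
# Edits a temp copy first so a failed sed never leaves a truncated config,
# then copies the result back so the file keeps its owner and mode.
disable_zone_drifting() {
    conf="$1"
    tmp=$(mktemp)
    if grep -Eq '^[[:space:]]*AllowZoneDrifting[[:space:]]*=' "$conf"; then
        sed -E 's/^[[:space:]]*AllowZoneDrifting[[:space:]]*=.*/AllowZoneDrifting=no/' \
            "$conf" > "$tmp"
    else
        cat "$conf" > "$tmp"
        printf 'AllowZoneDrifting=no\n' >> "$tmp"
    fi
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Constructed sample mirroring the distribution default described in the
# thread (key present and set to yes, with a commented-out decoy above it).
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# firewalld config file (constructed sample, not a real system file)
DefaultZone=public
# AllowZoneDrifting=no   <- commented out, must be ignored
AllowZoneDrifting=yes
EOF
    printf '%s\n' "$f"
}

# On a real host (as root): disable_zone_drifting /etc/firewalld/firewalld.conf
# then restart firewalld; the WARNING in the question is logged at service start.
```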
FYI Today I performed a clean install of RHEL 8.6 and I noticed in /etc/firewalld/firewalld.conf that AllowZoneDrifting=yes by default.