skip to Main Content

I am new here, so please forgive me if I am asking something silly.

I have created a DO droplet on CentOS 8. After installing firewalld, I checked its status and it gives a warning.

Apr 24 05:56:31 centos-s-1vcpu-1gb-blr1-01 firewalld[2956]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release.

I have some basic knowledge of Linux, but I don’t have any knowledge about firewalld. If somebody could explain to me what AllowZoneDrifiting is, that would be great.

Thanks!

3

Answers


  1. No. That is a good question. You can disable it in /etc/firewalld/firewalld.conf. Search for AllowZoneDrifting in this conf and change yes to no.

    From the manual:

    Older versions of firewalld had undocumented behavior known as "zone drifting". This allowed packets to ingress multiple zones – this is a violation of zone based firewalls. However, some users rely on this behavior to have a "catch-all" zone, e.g. the default zone. You can enable this if you desire such behavior. It’s disabled by default for security reasons.

    Note: If "yes" packets will only drift from source based zones to interface based zones (including the default zone). Packets never drift from interface based zones to other interfaces based zones (including the default zone).

    Possible values; "yes", "no". Defaults to "yes".

    Login or Signup to reply.
  2. firewalld maintainer speaking.

    In firewalld, and other zone based firewalls, a packet should ingress one and only one zone. Zone drifting violates that principle.

    AllowZoneDrifting should be disabled if possible (as indicated by the log). Upstream firewalld defaults to no, but some Linux distributions override it to yes to preserve existing behavior. Some users rely on the "fall through" behavior even if its correctness is questionable.

    See the upstream blog for more information and a list of bugs that were the motivation for fixing zone drifting.

    Login or Signup to reply.
  3. FYI Today I performed a clean install of RHEL 8.6 and I noticed in /etc/firewalld/firewalld.conf that AllowZoneDrifting=yes by default.

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search