AllowZoneDrifting - Firewalld: What is it and should I disable it?

Asked 24/4, 2020 at 6:19 Answered 9/9, 2022 at 17:40

I am new here, so please forgive me if I am asking something silly.

I have created a DO droplet on CentOS 8. After installing firewalld, I checked its status and it gives a warning.

Apr 24 05:56:31 centos-s-1vcpu-1gb-blr1-01 firewalld[2956]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release.

I have some basic knowledge of Linux, but I don't have any knowledge about firewalld. If somebody could explain to me what AllowZoneDrifiting is, that would be great.

Thanks!

Heteropterous answered 24/4, 2020 at 6:19 Comment(0)

No. That is a good question. You can disable it in /etc/firewalld/firewalld.conf. Search for AllowZoneDrifting in this conf and change yes to no.

From the manual:

Older versions of firewalld had undocumented behavior known as "zone drifting". This allowed packets to ingress multiple zones - this is a violation of zone based firewalls. However, some users rely on this behavior to have a "catch-all" zone, e.g. the default zone. You can enable this if you desire such behavior. It's disabled by default for security reasons.

Note: If "yes" packets will only drift from source based zones to interface based zones (including the default zone). Packets never drift from interface based zones to other interfaces based zones (including the default zone).

Possible values; "yes", "no". Defaults to "yes".

Exegetics answered 10/5, 2020 at 19:4 Comment(4)

I’ve fixed this for you, but in the future always be sure to make it clear what content is a quote, and provide a citation for it. – Engrain 12/5, 2020 at 6:30

Thank you. I will try it in future. – Exegetics 12/5, 2020 at 12:15

After that change firewall-cmd --reload was not enough for me, I had to systemctl restart firewalld Centos 7 – Bauske 4/6, 2021 at 19:53

If this is insecure _and_deprecated, why is this set as the default configuration? Does setting it to "no" break any typical or default configurations? – Conner 9/8, 2021 at 15:22

firewalld maintainer speaking.

In firewalld, and other zone based firewalls, a packet should ingress one and only one zone. Zone drifting violates that principle.

AllowZoneDrifting should be disabled if possible (as indicated by the log). Upstream firewalld defaults to no, but some Linux distributions override it to yes to preserve existing behavior. Some users rely on the "fall through" behavior even if its correctness is questionable.

See the upstream blog for more information and a list of bugs that were the motivation for fixing zone drifting.

Cavafy answered 7/12, 2021 at 14:31 Comment(0)

FYI Today I performed a clean install of RHEL 8.6 and I noticed in /etc/firewalld/firewalld.conf that AllowZoneDrifting=yes by default.

Instrumentality answered 9/9, 2022 at 17:40 Comment(2)

check status using "systemctl -l status firewalld" and it will probably suggest to you that you should consider disabling it: "WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now." – Cranach 20/10, 2022 at 17:59

It's default in RHEL8, as a default will not be changed within a Majorversion. Check access.redhat.com/articles/4855631 for further information. – Earthward 6/5, 2023 at 12:50

Recommended topics

Hot tags