
Re: firewalld does not allow outbound traffic when masquerading.



On Sat, 20 Sep 2025 21:16:00 -0600
Charles Curley <charlescurley@charlescurley.com> wrote:

> I just installed trixie on my firewall. I have port forwarding set up,
> running and tested from the outside. I can access services on the
> server from the internal network, such as DNS. So far so good.
> 
> What I do not have is outbound traffic getting through to the outside
> world. Neither tcp nor icmp work.
> 
> This is the interface to the outside world:
> 
> root@issola:~# firewall-cmd --list-all
> public (default, active)
>   target: default
>   ingress-priority: 0
>   egress-priority: 0
>   icmp-block-inversion: no
>   interfaces: enp3s0
>   sources: 
>   services: dhcpv6-client
>   ports: 
>   protocols: 
>   forward: yes
>   masquerade: yes
>   forward-ports: 
> 	port=obfuscated:proto=tcp:toport=22:toaddr=192.168.100.6
>   source-ports: 
>   icmp-blocks: 
>   rich rules: 
> root@issola:~# 

Well, I got an answer to this. By accident. I was reading the docs on
the various zones and saw this:

External:

    Suitable for: External networks with masquerading enabled,
    especially for routers. Situations when you do not trust the other
    computers on the network.

Hmm, said I. If the external zone allows for masquerading, maybe other
zones don't?

Now, notice in the listing above that masquerading is set. But not
working. Same in the GUI. No error message, just dumb acceptance.

But just for the halibut, I changed the zone to external, and, amazingly
enough, masquerading now works.

So now I need to rejig the firewalls on several machines. Arrggghhh.

-- 
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/


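A worked version of the change described in this message, as an added example that is not part of the original post or of firewalld's own documentation: a small POSIX shell script that moves the outside interface from the public zone to the external zone with firewall-cmd, persists the change, and confirms masquerading is on. The interface name enp3s0 is taken from the listing above; the zone names, the helper functions and the sample `--get-active-zones` output are assumptions made for the example, and the sample output is constructed rather than captured from the poster's firewall.

```shell
#!/bin/sh
# Added example, not code from the original post: bind the outside interface
# to the "external" zone with firewall-cmd, enable masquerading there, make
# the runtime change permanent and query the result. Interface and zone
# names are parameters; DRY_RUN=1 (the default) prints the firewall-cmd
# invocations instead of running them, so the plan can be reviewed first.
set -eu

: "${DRY_RUN:=1}"

# run: execute the given command, or just print it when DRY_RUN is non-zero.
run() {
    if [ "$DRY_RUN" != 0 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# zone_of_iface IFACE: read `firewall-cmd --get-active-zones` output on stdin
# and print the zone that currently owns IFACE (prints nothing if unassigned).
zone_of_iface() {
    awk -v iface="$1" '
        /^[^ \t]/           { zone = $1 }
        $1 == "interfaces:" { for (i = 2; i <= NF; i++) if ($i == iface) print zone }'
}

# masquerade_enabled: read `firewall-cmd --zone=Z --list-all` output on stdin
# and succeed only if that zone reports "masquerade: yes".
masquerade_enabled() {
    grep -q '^[[:space:]]*masquerade: yes[[:space:]]*$'
}

# move_iface_to_external IFACE [ZONE]: rebind IFACE to ZONE (default external),
# turn masquerading on there, persist the runtime configuration, then show the
# active zones and ask firewalld whether masquerading is now set.
move_iface_to_external() {
    iface=$1
    zone=${2:-external}
    run firewall-cmd --zone="$zone" --change-interface="$iface"
    run firewall-cmd --zone="$zone" --add-masquerade
    run firewall-cmd --runtime-to-permanent
    run firewall-cmd --get-active-zones
    run firewall-cmd --zone="$zone" --query-masquerade
}

# Constructed sample of `firewall-cmd --get-active-zones` output (assumed
# layout: outside interface in public, inside interface in internal), so the
# helpers can be exercised on a machine without firewalld.
SAMPLE_ACTIVE_ZONES='public
  interfaces: enp3s0
internal
  interfaces: enp2s0'

current=$(printf '%s\n' "$SAMPLE_ACTIVE_ZONES" | zone_of_iface enp3s0)
echo "enp3s0 is currently in zone: ${current:-<none>}"
move_iface_to_external enp3s0
```

Run it with DRY_RUN=0 on the firewall itself to apply the change; afterwards `firewall-cmd --list-all` for the public zone should no longer list enp3s0 under interfaces. If NetworkManager manages the interface, firewalld hands the zone binding to the connection profile, and `nmcli connection modify <connection> connection.zone external` is the equivalent way to set it there directly.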