I have the following zones that are relevant for this question.
- SemiTrusted and
I want to treat IPSEC-encrypted traffic (that is coming from some specific IP addresses) as belonging to SemiTrusted.
In iptables I would use policy matching to use a semitrusted chain.
How can I achieve this with firewalld? I did not see any mention of policy in the firewalld man pages and did not see how to match based on IPsec policy in firewalld.richlanguage(5).
I assume I can use firewalld.direct(5) but I don’t know how to integrate it with the other firewalld.zone(5)-based configuration.
To make it clear, I don’t want to open ipsec ports in zone SemiTrusted. That is trivial.
You don’t need a direct rule for this; firewalld already has a service definition for IPsec.
firewall-cmd --zone=SemiTrusted --add-service=ipsec
The definition permits all AH, ESP and UDP port 500 traffic.
You’ll need a second rule if either end has NAT and you need to add UDP port 4500:
firewall-cmd --zone=SemiTrusted --add-port=4500/udp
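Putting the answer together as a script (an added example, not part of the original answer): the peers' source addresses are bound to the SemiTrusted zone so that the zone actually applies to their traffic, the ipsec service and UDP 4500 are opened there, and the runtime change is saved. It assumes firewalld is running and the SemiTrusted zone already exists; the peer addresses in the comments are constructed samples.

```shell
#!/bin/sh
# FIREWALL_CMD can be overridden (for example FIREWALL_CMD=echo) to preview
# the exact commands without touching the firewall. ZONE defaults to SemiTrusted.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"
ZONE="${ZONE:-SemiTrusted}"

# Bind each peer address (IP or CIDR, given as arguments, e.g. 203.0.113.10)
# to the zone, then allow IPsec in that zone:
#   - the ipsec service covers AH, ESP and UDP/500 (IKE)
#   - UDP/4500 is needed for NAT traversal when either end is behind NAT
# Finally persist the runtime configuration so it survives a reload/reboot.
apply_semitrusted_ipsec() {
    [ "$#" -gt 0 ] || { echo "usage: apply_semitrusted_ipsec <peer> [peer...]" >&2; return 2; }
    for peer in "$@"; do
        # Traffic from this source is now evaluated against ZONE instead of the default zone.
        "$FIREWALL_CMD" --zone="$ZONE" --add-source="$peer" || return 1
    done
    "$FIREWALL_CMD" --zone="$ZONE" --add-service=ipsec || return 1
    "$FIREWALL_CMD" --zone="$ZONE" --add-port=4500/udp || return 1
    "$FIREWALL_CMD" --runtime-to-permanent || return 1
}

# Show what the zone now permits, to confirm the change took effect.
show_zone() {
    "$FIREWALL_CMD" --zone="$ZONE" --list-all
}

# When run as a script with peer addresses as arguments, apply and then display.
if [ "$#" -gt 0 ]; then
    apply_semitrusted_ipsec "$@" && show_zone
fi
```

Run it as `sh semitrusted-ipsec.sh 203.0.113.10 203.0.113.11`; with `FIREWALL_CMD=echo` in the environment it only prints the firewall-cmd invocations.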