From 9db5743531ad6a0df909d66d6d24fe4973d297bf Mon Sep 17 00:00:00 2001 From: rob thijssen Date: Wed, 22 Apr 2026 12:07:29 +0300 Subject: [PATCH] docs(generic): reflect actual firewalld zone usage (default zone only) The infrastructure uses only the default zone created at OS install (FedoraServer on servers, FedoraWorkstation on workstations). Remove the aspirational internal/wg zone guidance and have deploy.sh resolve the default zone via firewall-cmd --get-default-zone on the target. Co-Authored-By: Claude Opus 4.7 (1M context) --- generic.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/generic.md b/generic.md index 9247243..8f98d67 100644 --- a/generic.md +++ b/generic.md @@ -372,21 +372,24 @@ For each component with a firewalld service definition: 1. `rsync` the XML to `/etc/firewalld/services/-.xml` on the target. 2. `firewall-cmd --reload` to pick up the new definition. -3. Check if the service is already enabled in the target zone (default zone unless the manifest specifies otherwise): +3. Resolve the host's default zone (`firewall-cmd --get-default-zone`) and check if the service is already enabled there: ``` - firewall-cmd --zone= --query-service=- + zone=$(firewall-cmd --get-default-zone) + firewall-cmd --zone=$zone --query-service=- ``` 4. If not, enable it persistently **and** in the runtime config: ``` - firewall-cmd --permanent --zone= --add-service=- - firewall-cmd --zone= --add-service=- + firewall-cmd --permanent --zone=$zone --add-service=- + firewall-cmd --zone=$zone --add-service=- ``` 5. On component removal (future concern), the reverse: `--remove-service` then delete the XML. Steps must be idempotent — re-running a deploy is a no-op on the firewall layer if the service is already installed and enabled. ### Zone selection -Most services bind to internal WireGuard interfaces. Put the WireGuard interface in a dedicated `internal` or `wg` zone and open services there. Public-facing services (rare — nginx is usually the only one) go in the default `public`/`FedoraServer` zone. The manifest may optionally specify a `zone:` per component; default to `internal` if unset. +The infrastructure uses **only the default zone** created at OS install time — `FedoraServer` on servers, `FedoraWorkstation` on workstations. There are no custom zones (no `internal`, no `wg`), and `deploy.sh` should not create any. Always add services to whatever `firewall-cmd --get-default-zone` reports on the target host. + +If a future need arises to segment traffic by interface (e.g., restricting a component to the WireGuard interface only), revisit this section before introducing custom zoning — don't add it silently. ### Port ranges, ICMP, sources If a service needs port ranges, ICMP types, or source-IP restrictions, put them in the same XML using firewalld's standard elements (``, ``). Don't split these across multiple named services.