But since he uses normal interface-based rules and I'm using zone-based - how can I implement something like that since “lo” isn't bound to any zone…
I’m stuck at this part:
## Allowing redis traffic through the input firewall chain
We block all traffic to the input firewall chain unless it’s return traffic that we originated, or the traffic is coming in on “eth2” (our LAN interface). We need to allow input traffic from the “lo” interface.
set firewall ipv4 input filter rule 1010 action 'accept'
set firewall ipv4 input filter rule 1010 inbound-interface name 'lo'
I don’t think you should need to assign the interface, if my understanding of zone based firewall is correct.
I believe in terms of iptables/nftables concepts, the local zone is anything that would trigger input or output chains - AKA anything sourced or destined for the device itself, regardless of what zone the interface is configured in.
Thus anything to or from the LB should be considered as local for the purposes of firewalling automatically, without any assignment.
The zone assignments should be for traffic which is routed through an interface.
If I’m wrong, hopefully someone will correct me.
If I am correct, you would just need to add the allow rule to the firewall which is applied on zone LOCAL from whichever zone you expect the traffic.
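The approach the reply describes, written out as a VyOS 1.4 zone-based configuration; this is an added example, not something from the thread or the guide being quoted. The zone names (LAN, LOCAL), the ruleset name (LAN-TO-LOCAL), the interface (eth2, taken from the quoted guide) and the source prefix (192.0.2.0/24, a documentation range) are assumptions; 6379 is the default Redis port. Note that “lo” is never added to a zone: the LOCAL zone is declared with `local-zone` and the allow rule is attached to it from the zone the traffic is expected from.

```vyos
# Added example (not from the thread). Assumed zone and ruleset names.
# LAN zone: the interface the LAN clients sit behind.
set firewall zone LAN member interface 'eth2'
set firewall zone LAN default-action 'drop'

# LOCAL zone: traffic to/from the router itself (input/output chains).
# No member interface is assigned; "lo" is not placed in any zone.
set firewall zone LOCAL local-zone
set firewall zone LOCAL default-action 'drop'

# Ruleset that decides what LAN may send to the router itself.
# Constructed source prefix; 6379/tcp is the default Redis port.
set firewall ipv4 name LAN-TO-LOCAL default-action 'drop'
set firewall ipv4 name LAN-TO-LOCAL rule 10 action 'accept'
set firewall ipv4 name LAN-TO-LOCAL rule 10 protocol 'tcp'
set firewall ipv4 name LAN-TO-LOCAL rule 10 destination port '6379'
set firewall ipv4 name LAN-TO-LOCAL rule 10 source address '192.0.2.0/24'

# Attach the ruleset on the LOCAL zone for traffic arriving from LAN.
set firewall zone LOCAL from LAN firewall name 'LAN-TO-LOCAL'

commit
save
```

With this in place, a LAN host reaching Redis on the router's own address is evaluated by LAN-TO-LOCAL, and only 6379/tcp from the listed prefix is accepted; everything else to the router from LAN falls to the zone's drop default. If you also expect Redis traffic from another zone, add a second `set firewall zone LOCAL from <ZONE> firewall name ...` line with its own ruleset rather than widening this one.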