Bug 1169829

Summary: Be more careful when creating REJECT firewall rules.
Product: Red Hat Enterprise Linux 5 Reporter: Denys Vlasenko <dvlasenk>
Component: system-config-securitylevelAssignee: Thomas Woerner <twoerner>
Status: CLOSED WONTFIX QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 5.11CC: jeharris, mleitner
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1169837 (view as bug list) Environment:
Last Closed: 2017-04-18 22:03:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Denys Vlasenko 2014-12-02 14:27:55 UTC 
See bug 1101522
"iptables rule ESTABLISHED occasionally not matching"

Short story: REJECT rule can break networking by generating spurious connection aborts when an unexpected packet is seen. To prevent that, use DROP rule to filter our bad packets before REJECT, or use REJECT only for NEW packets, and DROP the rest.


I believe relevant part of the source code is in system-config-securitylevel-1.7.0/lokkit.c here:

for (i=0; ports && ports[i].start_port; i++) {
        ...creates "state NEW -j ACCEPT" rules...
}

fprintf(fw, "-A %s -j REJECT --reject-with icmp-host-prohibited\n", CHAIN_NAME);
fprintf(fw, "-A FORWARD -j REJECT --reject-with icmp-host-prohibited\n");

It's trivial to add "-m state --state INVALID -j DROP" before each of these two REJECT rules.

There is an analogous bit of code for IPv6 later in the same file.
Comment 1 Denys Vlasenko 2015-01-13 12:41:23 UTC 
What are you guys saying?
Do you think it's a bug?
Do you plan to fix it?
I need this information to decide what to do with bug 1101522.
Comment 2 Thomas Woerner 2015-02-19 14:00:18 UTC 
Yes, it can be considered a bug in system-config-securitylevel/lokkit.

There is also a proposal for a change with REJECT at netfilter upstream: "netfilter: reject: don't send icmp error if packet has invalid checksum"
Comment 3 Thomas Woerner 2015-02-19 15:04:39 UTC 
Here is the link to the latest version of the netfilter patch: http://patchwork.ozlabs.org/patch/440307/
Comment 4 Chris Williams 2017-04-18 22:03:41 UTC 
Red Hat Enterprise Linux 5 shipped it's last minor release, 5.11, on September 14th, 2014. On March 31st, 2017 RHEL 5 exited Production Phase 3 and entered Extended Life Phase. For RHEL releases in the Extended Life Phase, Red Hat  will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only.  If the customer purchases the Extended Life-cycle Support (ELS), certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release will be provided.  For more details please consult the Red Hat Enterprise Linux Life Cycle Page:
https://access.redhat.com/support/policy/updates/errata

This BZ does not appear to meet ELS criteria so is being closed WONTFIX. If this BZ is critical for your environment and you have an Extended Life-cycle Support Add-on entitlement, please open a case in the Red Hat Customer Portal, https://access.redhat.com ,provide a thorough business justification and ask that the BZ be re-opened for consideration of an errata. Please note, only certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release can be considered.