Bug 1169837

Summary: Be more careful when creating REJECT firewall rules.
Product: [Fedora] Fedora Reporter: Denys Vlasenko <dvlasenk>
Component: firewalldAssignee: Thomas Woerner <twoerner>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: jpopelka, qe-baseos-security, twoerner
Target Milestone: ---   
Target Release: ---   
Hardware: noarch   
OS: Linux   
Whiteboard:
Fixed In Version: firewalld-0.3.13-1.fc20 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1169829 Environment:
Last Closed: 2015-01-06 06:13:06 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
patch none

Description Denys Vlasenko 2014-12-02 14:45:03 UTC 
+++ This bug was initially created as a clone of Bug #1169829 +++

(I checked system-config-firewall-1.2.29-12.fc21.src.rpm and the observations about RHEL5 predecessor below are still relevant to it. The code has been ported to Python and is in fw_iptables.py)



See bug 1101522
"iptables rule ESTABLISHED occasionally not matching"

Short story: REJECT rule can break networking by generating spurious connection aborts when an unexpected packet is seen. To prevent that, use DROP rule to filter our bad packets before REJECT, or use REJECT only for NEW packets, and DROP the rest.


I believe relevant part of the source code is in system-config-securitylevel-1.7.0/lokkit.c here:

for (i=0; ports && ports[i].start_port; i++) {
        ...creates "state NEW -j ACCEPT" rules...
}

fprintf(fw, "-A %s -j REJECT --reject-with icmp-host-prohibited\n", CHAIN_NAME);
fprintf(fw, "-A FORWARD -j REJECT --reject-with icmp-host-prohibited\n");

It's trivial to add "-m state --state INVALID -j DROP" before each of these two REJECT rules.

There is an analogous bit of code for IPv6 later in the same file.
Comment 1 Jiri Popelka 2014-12-02 15:04:21 UTC 
Moving to firewalld.
I don't think we care about system-config-firewall since firewalld is a default.
Comment 2 Jiri Popelka 2014-12-02 15:35:39 UTC 
Created attachment 963804 [details]
patch

DROPing INVALID packets seems to be a common practice actually.
What do you think about this patch Thomas ?
Comment 3 Jiri Popelka 2014-12-03 15:22:38 UTC 
Changed upstream:
https://git.fedorahosted.org/cgit/firewalld.git/commit/?id=354dcabd590da203ff9fb16c00296618c5da042a
Comment 4 Fedora Update System 2014-12-04 18:45:05 UTC 
firewalld-0.3.13-1.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/firewalld-0.3.13-1.fc21
Comment 5 Fedora Update System 2014-12-04 18:45:39 UTC 
firewalld-0.3.13-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/firewalld-0.3.13-1.fc20
Comment 6 Fedora Update System 2014-12-05 00:48:13 UTC 
Package firewalld-0.3.13-1.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing firewalld-0.3.13-1.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-16322/firewalld-0.3.13-1.fc21
then log in and leave karma (feedback).
Comment 7 Fedora Update System 2015-01-06 06:13:06 UTC 
firewalld-0.3.13-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2015-01-06 06:15:52 UTC 
firewalld-0.3.13-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.