Bug 1391143

Summary: rich rules do not drop host(s) in masquerading zone
Product: Red Hat Enterprise Linux 7
Reporter: lejeczek <peljasz>
Component: firewalld
Assignee: Thomas Woerner <twoerner>
Status: CLOSED WORKSFORME
QA Contact: qe-baseos-daemons
Severity: high
Priority: medium
Version: 7.2
CC: peljasz, psutter, todoleza
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2017-06-26 16:50:09 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description lejeczek 2016-11-02 15:57:44 UTC
Description of problem:

is this not a bug?:

yes, to me too it sort of defines basic logic - one would expect to be able with a "rich rule" to block/ban a host (actually there are quite a few articles on the net stating it should be doing that)

public (active)
  interfaces: em3
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.2.0/24" reject

yet hosts from 192.168.2.0/24 (which is firewalld's zone work) are able to masquerade and access everything (in this case the whole Internet) behind the em3 interface.
It smells like a bug to me.


Version-Release number of selected component (if applicable):
0.3.9

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 2 Thomas Woerner 2016-11-04 14:13:59 UTC
The external address 192.168.2.0/24 will be blocked, not an internal.

There is a solution: Masquerade all but 192.168.2.0/24 with a rich rule

rule family="ipv4" source NOT address="192.168.2.0/24" masquerade

And deactivate masquerading in the zone. Please do not forget to enable masquerading for IPv6 if needed.

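The workaround from comment 2 as an added shell example (not part of the bug report or of firewalld itself): it turns zone-wide masquerading off, adds the "masquerade all but the excluded network" rich rule, reloads, and then checks the runtime state. The zone name "public", the excluded network 192.168.2.0/24 and the IPv4-only setup are assumptions taken from the report.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumes zone "public" and the
# excluded IPv4 network 192.168.2.0/24 as in the report; both are parameters.
set -eu

# Build the rich rule that masquerades everything except the given IPv4 network.
build_rich_rule() {
    printf 'rule family="ipv4" source NOT address="%s" masquerade' "$1"
}

# Emit the firewall-cmd sequence, one command per line, without running it.
# Zone-wide masquerading is removed first: as long as it is on, the excluded
# network is still masqueraded by the zone setting, not by the rich rule.
plan_masquerade_exception() {
    zone=$1
    net=$2
    rule=$(build_rich_rule "$net")
    printf 'firewall-cmd --permanent --zone=%s --remove-masquerade\n' "$zone"
    printf "firewall-cmd --permanent --zone=%s --add-rich-rule='%s'\n" "$zone" "$rule"
    printf 'firewall-cmd --reload\n'
}

# Run the plan, then confirm the resulting runtime state: the zone must no
# longer masquerade on its own and the exception rule must be present.
apply_masquerade_exception() {
    zone=$1
    net=$2
    rule=$(build_rich_rule "$net")
    firewall-cmd --permanent --zone="$zone" --remove-masquerade
    firewall-cmd --permanent --zone="$zone" --add-rich-rule="$rule"
    firewall-cmd --reload
    if firewall-cmd --zone="$zone" --query-masquerade >/dev/null 2>&1; then
        echo "zone $zone still masquerades everything" >&2
        return 1
    fi
    firewall-cmd --zone="$zone" --query-rich-rule="$rule" >/dev/null
}

# Default: only print the plan. Pass "apply" as the third argument to execute it.
if [ "${3:-plan}" = apply ]; then
    apply_masquerade_exception "${1:-public}" "${2:-192.168.2.0/24}"
else
    plan_masquerade_exception "${1:-public}" "${2:-192.168.2.0/24}"
fi
```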
Comment 3 Phil Sutter 2017-06-26 16:50:09 UTC
Hi,

(In reply to Thomas Woerner from comment #2)
> The external address 192.168.2.0/24 will be blocked, not an internal.
> 
> There is a solution: Masquerade all but 192.168.2.0/24 with a rich rule
> 
> rule family="ipv4" source NOT address="192.168.2.0/24" masquerade
> 
> And deactivate masquerading in the zone. Please do not forget to enable
> masquerading for IPv6 if needed.

This ticket didn't receive an update for quite a while, therefore I assume the above advice resolved the reporter's issue. Please feel free to reopen in case I am wrong.

Thanks, Phil

Comment 4 lejeczek 2021-08-11 11:55:57 UTC
ok