Bug 1609014

Summary: firewall-cmd command in https://static.open-scap.org/ssg-guides/ssg-rhel7-guide-index.html is breaking firewalld functionality
Product: Red Hat Enterprise Linux 7 Reporter: mcolombo
Component: scap-security-guideAssignee: Vojtech Polasek <vpolasek>
Status: CLOSED ERRATA QA Contact: Gabriel Gaspar Becker <ggasparb>
Severity: urgent Docs Contact: Jan Fiala <jafiala>
Priority: high    
Version: 7.5CC: cdonnell, cww, ggasparb, jafiala, matyc, mhaicman, openscap-maint, pvrabec, ralford, sferguso, tbrunell, vpolasek, wsato
Target Milestone: rcKeywords: Bugfix
Target Release: ---Flags: lcervako: mirror+
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: scap-security-guide-0.1.49-1.el7 Doc Type: Bug Fix
Doc Text:
.`configure_firewalld_rate_limiting` now correctly rate-limits connections The `configure_firewalld_rate_limiting` rule, which protects the system from Denial of Service (DoS) attacks, previously configured the system to accept all traffic. With this update, the system correctly rate-limits connections after remediating this rule.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-09-29 19:52:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1594286    

Description mcolombo 2018-07-26 18:05:29 UTC 
Description of problem:
The below section causes all incoming traffic to be accepted.

Location in https://static.open-scap.org/ssg-guides/ssg-rhel7-guide-index.html  (Profile: DISA STIG )

     firewalld > Strengthen the Default Ruleset > Configure firewalld To Rate Limit Connections



Configure firewalld To Rate Limit Connections:
==============================================

Configure firewalld To Rate Limit Connections   [ref]rule

Create a direct firewall rule to protect against DoS attacks with the following command:

$ sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m limit --limit 25/minute --limit-burst 100  -j ACCEPT

Rationale:

DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.

This requirement addresses the configuration of the operating system to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.


Version-Release number of selected component (if applicable):
Current version: 0.1.40


How reproducible:
Every time


Steps to Reproduce:
1.# firewall-cmd --set-default-zone=drop
2.# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m limit --limit 25/minute --limit-burst 100  -j ACCEPT
3.# firewall-cmd --reload


Actual results:
All traffic is accepted

Expected results:
Anything that is not explicitly open to be dropped

Additional info:

If the command is change to -j INPUT_ZONES in stead of -j ACCEPT the traffic is rate limited as expected and the packets are filtered by the zones as intended. 

     # firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m limit --limit 25/minute --limit-burst 100  -j INPUT_ZONES

[root@firewalld ~]# firewall-cmd --perm --set-default-zone=drop
[root@firewalld ~]# firewall-cmd --perm --add-service=ssh
[root@firewalld ~]# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m limit --limit 25/minute --limit-burst 100  -j INPUT_ZONES
[root@firewalld ~]firewall-cmd --reload
[root@firewalld ~]# nc -l 5255 &

[root@firewalld-client ~]# nc 10.12.214.19 5255
Ncat: Connection timed out.

[root@firewalld-client ~]# nc 10.12.214.19 22
SSH-2.0-OpenSSH_7.4

[root@firewalld ~]# iptables -vnxL 
----------------snip-------------------------
Chain INPUT_direct (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       9      540 INPUT_ZONES  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 25/min burst 100


Chain INPUT_ZONES (2 references)
    pkts      bytes target     prot opt in     out     source               destination         
     166    22758 IN_drop    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
       0        0 IN_drop    all  --  +      *       0.0.0.0/0            0.0.0.0/0     

Chain IN_drop (2 references)
    pkts      bytes target     prot opt in     out     source               destination         
     166    22758 IN_drop_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
     166    22758 IN_drop_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
     166    22758 IN_drop_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
     165    22698 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0  

Chain IN_drop_allow (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       1       60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW         




Chain INPUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 5842  412K IN_drop    all  --  ens192 *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_drop    all  --  +      *       0.0.0.0/0            0.0.0.0/0    

Chain IN_drop (2 references)
 pkts bytes target     prot opt in     out     source               destination         
 5842  412K IN_drop_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 5842  412K IN_drop_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 5842  412K IN_drop_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 1084  154K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Comment 2 Marek Haicman 2018-07-27 13:54:12 UTC 
Hello,
good catch, and I agree it's a problem. After further investigation, I would suggest to replace `-j ACCEPT` with `-j DROP` to follow the idea of the rule. (I.e. to help mitigate DoS attacks).

Little trouble is that what you found is issue in official DISA STIG for RHEL7. So it's nothing we can change easily (without having guidance differing from the offical). But we will reach out to DISA.
Comment 6 Marek Haicman 2018-07-27 16:07:56 UTC 
Ah, I realized now that limit works the other way around. So -j DROP is definitely not what we want :)
Comment 12 Matus Marhefka 2018-11-14 14:20:26 UTC 
Upstream issue: https://github.com/ComplianceAsCode/content/issues/3495
Comment 17 Watson Yuuma Sato 2019-08-15 17:36:45 UTC 
In STIG V2R3 rule RHEL-07-040510 has a different fixtext, that doesn't involve creating a firewall rule but uses sysctls for ratelimiting.

Fixtext:
Set the system to implement rate-limiting measures by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
net.ipv4.tcp_invalid_ratelimit = 500
Issue the following command to make the changes take 
# sysctl --system

linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/rule.yml should be updated to reflect that.
Comment 19 Vojtech Polasek 2020-02-04 12:31:55 UTC 
Fixed upstream in
https://github.com/ComplianceAsCode/content/pull/5126
Comment 36 errata-xmlrpc 2020-09-29 19:52:12 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3909