Bug 2156831
| Summary: | Allow RHEL8 firewalld 0.9.3 to accept established and related connections with reject/drop policies | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | rablanco <rablanco> | |
| Component: | firewalld | Assignee: | Eric Garver <egarver> | |
| Status: | CLOSED MIGRATED | QA Contact: | Tomas Dolezal <todoleza> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 8.7 | CC: | dereks, mcolombo, todoleza | |
| Target Milestone: | rc | Keywords: | MigratedToJIRA, TestCaseProvided, Triaged, Upstream, ZStream | |
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | No Doc Update | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 2196599 (view as bug list) | Environment: | ||
| Last Closed: | 2023-05-19 17:10:16 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 2183216, 2196599 | |||
*** Bug 2226887 has been marked as a duplicate of this bug. *** |
Description of problem: Allow RHEL8 firewalld 0.9.3 to accept established and related connections with reject/drop policies Version-Release number of selected component (if applicable): firewalld 0.9.3 How reproducible: 1) You need to apply the following policy firewall-cmd --new-policy out --permanent firewall-cmd --set-target REJECT --policy out --permanent firewall-cmd --policy out --add-egress-zone ANY --permanent firewall-cmd --policy out --add-ingress-zone HOST --permanent 2) then try to connect from a other machine via ssh , it should be blocked The case notes shows that the following line is missed on Redhat 8 chain filter_OUTPUT { type filter hook output priority filter + 10; policy accept; ct state { established, related } accept <<-------------------- this is missing in RHEL 8.0!!!!!!! oifname "lo" accept ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable jump filter_OUTPUT_POLICIES_pre jump filter_OUTPUT_POLICIES_post } 3) After inserting the line manually, the problem is fix but we need to modify the firewalld code in order to place the rule from the begining Temporary fix # nft insert rule inet firewalld filter_OUTPUT 'ct state { established, related } accept' Actual results: The server is blocked after applying the policy Expected results: - All outgoing traffic should be blocked expect for the already established connections Additional info: We found the solution here https://github.com/firewalld/firewalld/pull/709/commits/4581f83ea51d55ec7929d8a81ff485918a10e34e On the case I left a note about the changes on the py scripts in order to fix the issue case : 03398728