Bug 2226887
| Field | Value |
|---|---|
| Summary | filter_OUTPUT needs "ct state { established, related } accept" |
| Product | Red Hat Enterprise Linux 8 |
| Component | firewalld |
| Version | 8.6 |
| Reporter | mcolombo |
| Assignee | Eric Garver <egarver> |
| QA Contact | qe-baseos-daemons |
| Status | CLOSED DUPLICATE |
| Severity | high |
| Priority | high |
| CC | bgalvani, cutaylor, desktop-qa-list, lrintel, rkhan, sababu, sukulkar, thaller, till, todoleza |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Fixed In Version | |
| Doc Type | If docs needed, set a value |
| Type | Bug |
| Last Closed | 2023-07-27 13:43:12 UTC |
It seems this should be reported against firewalld. Reassigning.

Also, the reproducer seems to have lines oddly mangled. It's maybe somewhat understandable; nonetheless, would it be possible to post the correct reproducer?

(In reply to Thomas Haller from comment #1)
> also, the reproducer seems to have lines oddly mangled.
> It's maybe somewhat understandable, nonetheless, would it be possible to
> post the correct reproducer?

Never mind. The mangled part is only the output from "RHEL 8.6 vm". The same script is under "1. Add the following rules." above.

(In reply to Thomas Haller from comment #1)
> it seems this should be reported against firewalld. Reassigning.

I didn't realize I did that. Thank you for switching that.

> also, the reproducer seems to have lines oddly mangled.
> It's maybe somewhat understandable, nonetheless, would it be possible to
> post the correct reproducer?

As the reproducer breaks ssh I needed to use the console, which mangled the output. The steps to reproduce have the full commands.

*** This bug has been marked as a duplicate of bug 2156831 ***
Description of problem:

When setting the output target to REJECT, it breaks incoming connections.

Version-Release number of selected component (if applicable):

NetworkManager-1.40.16-1.el8.x86_64

How reproducible:

Every time

Steps to Reproduce:

1. Add the following rules.

```
firewall-cmd --permanent --new-policy outgoing_policy
firewall-cmd --permanent --policy outgoing_policy --add-ingress-zone HOST
firewall-cmd --permanent --policy outgoing_policy --add-egress-zone ANY
firewall-cmd --permanent --policy outgoing_policy --set-target=REJECT
firewall-cmd --permanent --policy outgoing_policy --add-service=dns
firewall-cmd --permanent --policy outgoing_policy --add-service=https
firewall-cmd --permanent --policy outgoing_policy --add-service=ssh
```

Actual results:

Incoming ssh times out.

Expected results:

Incoming ssh connections to work, as the service is enabled for the active zone.

Additional info:

Active incoming zone is set to allow incoming ssh connections.

```
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
```

Reproducer:
===========

RHEL 8.6 vm

```
[root@rhel-86 ~]# firewall-cmd --permanent --new-policy outgoing_policy
success
[root@rhel-86 ~]# firewall-cmd --permanent --policy outgoing_policy --add-ingress-zone HOST
success
[root@rhel-86 ~]# firewall-cmd --permanent --policy outgoing_policy --add-egress-zone ANY
success
[root@rhel-86 ~]# firewall-cmd --permanent --policy outgoing_policy --set-target=REJECT
success
[root@rhel-86 ~]# firewall-cmd --permanent --policy outgoing_policy --add-service=dns
success
[root@rhel-86 ~]# firewall-cmd --permanent --policy outgoing_policy --add-service=https
success
[root@rhel-86 ~]# firewall-cmd --permanent --policy outgoing_policy --add-service=ssh
success
[root@rhel-86 ~]# firewall-cmd --reload
success
[root@rhel-86 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:9b:a6:c8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.121/24 brd 192.168.122.255 scope global dynamic noprefixroute enp1s0
       valid_lft 3503sec preferred_lft 3503sec
    inet6 fe80::5054:ff:fe9b:a6c8/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
```

fedora desktop

```
mcolombo@fedora#[~]# ssh root@192.168.122.121
ssh: connect to host 192.168.122.121 port 22: Connection timed out
```

RHEL 8.6 vm

```
[root@rhel-86 ~]# nft insert rule "inet firewalld" filter_OUTPUT index 0 ct state { established, related } accept
```

fedora desktop

```
mcolombo@fedora#[~]# ssh root@192.168.122.121
root@192.168.122.121's password:
Last login: Wed Jul 26 15:25:46 2023
```

Request:
========

Firewalld needs to add "ct state { established, related } accept" to filter_OUTPUT, as this will allow outgoing packets in response to incoming connections that are already allowed by firewalld.

Additional question:
====================

Is there a way to do this with direct rules?
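Why the reporter's policy breaks sshd even though `ssh` is in the policy's service list: a policy matches services on the destination port of locally generated packets, and sshd's replies carry source port 22 with a client-chosen destination port, so they never match the service rule and fall through to the REJECT target. Accepting `ct state { established, related }` in filter_OUTPUT lets conntrack pass those replies, which is what the one-off `nft insert rule` above does. The script below is an added example, not code from the bug report or from firewalld: it wraps that workaround so it can be checked and re-applied without stacking duplicate rules. The `nft list chain` listings embedded in it are constructed for the offline check, not captured from a real host, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the bug report or firewalld): make the reporter's
# nft workaround idempotent and checkable. Only ensure_ct_accept touches the
# live ruleset, and only when the script is run with the "apply" argument.

# The rule text from the report, inserted at the top of filter_OUTPUT.
CT_ACCEPT_RULE='ct state { established, related } accept'

# has_ct_accept: read an `nft list chain inet firewalld filter_OUTPUT`
# listing on stdin and succeed if an established/related accept rule is
# present. Whitespace is stripped first so the match does not depend on how
# nft spaces the anonymous set; both element orders are accepted.
has_ct_accept() {
    tr -d ' \t' | grep -q -E 'ctstate\{(established,related|related,established)\}accept'
}

# ensure_ct_accept: insert the rule unless it is already there. Needs root
# and the nft binary. firewalld rebuilds its "inet firewalld" table on
# `firewall-cmd --reload`, so the rule is lost then and this must be re-run.
ensure_ct_accept() {
    if nft list chain inet firewalld filter_OUTPUT | has_ct_accept; then
        echo "filter_OUTPUT already accepts established/related traffic"
        return 0
    fi
    # $CT_ACCEPT_RULE is deliberately unquoted: nft wants separate tokens,
    # exactly as the reporter typed them on the command line.
    nft insert rule inet firewalld filter_OUTPUT index 0 $CT_ACCEPT_RULE
}

# Constructed sample listings (not real captures) for exercising
# has_ct_accept without nft or root.
sample_chain_without_rule() {
    cat <<'EOF'
table inet firewalld {
	chain filter_OUTPUT {
		type filter hook output priority filter + 10; policy accept;
		oifname "lo" accept
		jump filter_OUTPUT_POLICIES
	}
}
EOF
}

sample_chain_with_rule() {
    cat <<'EOF'
table inet firewalld {
	chain filter_OUTPUT {
		type filter hook output priority filter + 10; policy accept;
		ct state { established, related } accept
		oifname "lo" accept
		jump filter_OUTPUT_POLICIES
	}
}
EOF
}

# Touch the live ruleset only on explicit request: `sh ct_accept.sh apply`.
if [ "${1-}" = "apply" ]; then
    ensure_ct_accept
fi
```

Run `nft list chain inet firewalld filter_OUTPUT | has_ct_accept` after a reload to see whether the workaround is still in place; a plain `nft insert rule ... index 0` run twice leaves two copies of the rule, which is why the check comes first.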