Bug 1169837 - Be more careful when creating REJECT firewall rules.
Summary: Be more careful when creating REJECT firewall rules.
Alias: None
Product: Fedora
Classification: Fedora
Component: firewalld
Version: rawhide
Hardware: noarch
OS: Linux
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2014-12-02 14:45 UTC by Denys Vlasenko
Modified: 2015-01-06 06:15 UTC (History)
3 users (show)

Fixed In Version: firewalld-0.3.13-1.fc20
Doc Type: Bug Fix
Doc Text:
Clone Of: 1169829
Last Closed: 2015-01-06 06:13:06 UTC
Type: Bug

Attachments (Terms of Use)
patch (1.16 KB, patch)
2014-12-02 15:35 UTC, Jiri Popelka
no flags Details | Diff

Description Denys Vlasenko 2014-12-02 14:45:03 UTC
+++ This bug was initially created as a clone of Bug #1169829 +++

(I checked system-config-firewall-1.2.29-12.fc21.src.rpm and the observations about RHEL5 predecessor below are still relevant to it. The code has been ported to Python and is in fw_iptables.py)

See bug 1101522
"iptables rule ESTABLISHED occasionally not matching"

Short story: REJECT rule can break networking by generating spurious connection aborts when an unexpected packet is seen. To prevent that, use DROP rule to filter our bad packets before REJECT, or use REJECT only for NEW packets, and DROP the rest.

I believe relevant part of the source code is in system-config-securitylevel-1.7.0/lokkit.c here:

for (i=0; ports && ports[i].start_port; i++) {
        ...creates "state NEW -j ACCEPT" rules...

fprintf(fw, "-A %s -j REJECT --reject-with icmp-host-prohibited\n", CHAIN_NAME);
fprintf(fw, "-A FORWARD -j REJECT --reject-with icmp-host-prohibited\n");

It's trivial to add "-m state --state INVALID -j DROP" before each of these two REJECT rules.

There is an analogous bit of code for IPv6 later in the same file.

Comment 1 Jiri Popelka 2014-12-02 15:04:21 UTC
Moving to firewalld.
I don't think we care about system-config-firewall since firewalld is a default.

Comment 2 Jiri Popelka 2014-12-02 15:35:39 UTC
Created attachment 963804 [details]

DROPing INVALID packets seems to be a common practice actually.
What do you think about this patch Thomas ?

Comment 4 Fedora Update System 2014-12-04 18:45:05 UTC
firewalld-0.3.13-1.fc21 has been submitted as an update for Fedora 21.

Comment 5 Fedora Update System 2014-12-04 18:45:39 UTC
firewalld-0.3.13-1.fc20 has been submitted as an update for Fedora 20.

Comment 6 Fedora Update System 2014-12-05 00:48:13 UTC
Package firewalld-0.3.13-1.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing firewalld-0.3.13-1.fc21'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2015-01-06 06:13:06 UTC
firewalld-0.3.13-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2015-01-06 06:15:52 UTC
firewalld-0.3.13-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.