1169837 – Be more careful when creating REJECT firewall rules.

Bug 1169837 - Be more careful when creating REJECT firewall rules.

Summary: Be more careful when creating REJECT firewall rules.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	firewalld
Sub Component:
Version:	rawhide
Hardware:	noarch
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Thomas Woerner
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-12-02 14:45 UTC by Denys Vlasenko
Modified:	2015-01-06 06:15 UTC (History)
CC List:	3 users (show)
Fixed In Version:	firewalld-0.3.13-1.fc20
Clone Of:	1169829
Environment:
Last Closed:	2015-01-06 06:13:06 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
patch (1.16 KB, patch) 2014-12-02 15:35 UTC, Jiri Popelka	no flags	Details \| Diff
View All

Description Denys Vlasenko 2014-12-02 14:45:03 UTC

+++ This bug was initially created as a clone of Bug #1169829 +++

(I checked system-config-firewall-1.2.29-12.fc21.src.rpm and the observations about RHEL5 predecessor below are still relevant to it. The code has been ported to Python and is in fw_iptables.py)



See bug 1101522
"iptables rule ESTABLISHED occasionally not matching"

Short story: REJECT rule can break networking by generating spurious connection aborts when an unexpected packet is seen. To prevent that, use DROP rule to filter our bad packets before REJECT, or use REJECT only for NEW packets, and DROP the rest.


I believe relevant part of the source code is in system-config-securitylevel-1.7.0/lokkit.c here:

for (i=0; ports && ports[i].start_port; i++) {
        ...creates "state NEW -j ACCEPT" rules...
}

fprintf(fw, "-A %s -j REJECT --reject-with icmp-host-prohibited\n", CHAIN_NAME);
fprintf(fw, "-A FORWARD -j REJECT --reject-with icmp-host-prohibited\n");

It's trivial to add "-m state --state INVALID -j DROP" before each of these two REJECT rules.

There is an analogous bit of code for IPv6 later in the same file.

Comment 1 Jiri Popelka 2014-12-02 15:04:21 UTC

Moving to firewalld.
I don't think we care about system-config-firewall since firewalld is a default.

Comment 2 Jiri Popelka 2014-12-02 15:35:39 UTC

Created attachment 963804 [details]
patch

DROPing INVALID packets seems to be a common practice actually.
What do you think about this patch Thomas ?

Comment 3 Jiri Popelka 2014-12-03 15:22:38 UTC

Changed upstream:
https://git.fedorahosted.org/cgit/firewalld.git/commit/?id=354dcabd590da203ff9fb16c00296618c5da042a

Comment 4 Fedora Update System 2014-12-04 18:45:05 UTC

firewalld-0.3.13-1.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/firewalld-0.3.13-1.fc21

Comment 5 Fedora Update System 2014-12-04 18:45:39 UTC

firewalld-0.3.13-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/firewalld-0.3.13-1.fc20

Comment 6 Fedora Update System 2014-12-05 00:48:13 UTC

Package firewalld-0.3.13-1.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing firewalld-0.3.13-1.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-16322/firewalld-0.3.13-1.fc21
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2015-01-06 06:13:06 UTC

firewalld-0.3.13-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2015-01-06 06:15:52 UTC

firewalld-0.3.13-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.