Bug 1326130 - firewalld stops traffic from/to 127.0.0.1 when masquerading is enabled in default zone
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: firewalld
Version: 7.2
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
Assignee: Thomas Woerner
QA Contact: Tomas Dolezal
URL:
Whiteboard:
Depends On: 904098 1302802
Blocks:
 
Reported: 2016-04-11 22:27 UTC by Christopher Tubbs
Modified: 2016-11-03 21:02 UTC (History)
CC List: 13 users

Fixed In Version: firewalld-0.4.2-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of: 904098
Environment:
Last Closed: 2016-11-03 21:02:48 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2597 0 normal SHIPPED_LIVE Moderate: firewalld security, bug fix, and enhancement update 2016-11-03 12:11:47 UTC

Description Christopher Tubbs 2016-04-11 22:27:06 UTC
+++ This bug was initially created as a clone of Bug #904098 +++

Description of problem:
firewalld also breaks traffic from/to 127.0.0.1

I have amavisd with postfix; amavisd gets mail from postfix. But in the last release of firewalld, it blocks all traffic to amavisd from postfix.

So I did a yum downgrade, and now it works fine.


Version-Release number of selected component (if applicable):
0.2.12-1.fc18


How reproducible:
always


Steps to Reproduce:
1. have postfix and amavisd already working together
2. send a mail to an outside address
3. get the error:
amavis[1360]: (!)DENIED ACCESS from IP 192.168.2.36, policy bank ''
Even jabber doesn't start. If I downgrade again, it does.

  
Actual results:
no checked mails, jabber not running


Expected results:
no checked mails, jabber not running


Additional info:
This is an absolute stopper!

--- Additional comment from Jiri Popelka on 2013-01-25 09:45:40 EST ---

Please attach output from iptables-save while running firewalld-0.2.12-1.fc18
Do you have any idea which rule can cause the problems? I can't see any problem here.

--- Additional comment from Grosswiler Roger on 2013-01-25 14:15:28 EST ---

After 2 reboots, the problem occurs even with the older version. Somewhat strange. I think at the moment that the problem does not belong to firewalld, but to amavisd. Sorry; each time I disabled the firewall or downgraded it, it worked.

--- Additional comment from Grosswiler Roger on 2013-01-25 15:11:52 EST ---

I found it now. It was a misconfiguration in postfix, where submission has been configured for weeks, but those errors began two days ago. I cannot say what triggered this. Please close, and my apologies.

--- Additional comment from Grosswiler Roger on 2013-01-27 15:33:07 EST ---

Sorry, I did an update today and got the latest version of firewalld again, and the problem occurs again. Here is the output of iptables-save from the latest version:

[root@vmlstlucia log]# iptables-save
# Generated by iptables-save v1.4.16.2 on Sun Jan 27 21:21:00 2013
*nat
:PREROUTING ACCEPT [36:2510]
:INPUT ACCEPT [30:2111]
:OUTPUT ACCEPT [1669:102511]
:POSTROUTING ACCEPT [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_direct - [0:0]
:POST_ZONE_external - [0:0]
:POST_ZONE_external_allow - [0:0]
:POST_ZONE_external_deny - [0:0]
:POST_ZONE_public - [0:0]
:POST_ZONE_public_allow - [0:0]
:POST_ZONE_public_deny - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_direct - [0:0]
:PRE_ZONE_public - [0:0]
:PRE_ZONE_public_allow - [0:0]
:PRE_ZONE_public_deny - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o eth1 -j POST_ZONE_public
-A POSTROUTING_ZONES -o eth0 -j POST_ZONE_public
-A POSTROUTING_ZONES -j POST_ZONE_public
-A POST_ZONE_external -j POST_ZONE_external_deny
-A POST_ZONE_external -j POST_ZONE_external_allow
-A POST_ZONE_external_allow -j MASQUERADE
-A POST_ZONE_public -j POST_ZONE_public_deny
-A POST_ZONE_public -j POST_ZONE_public_allow
-A POST_ZONE_public_allow -j MASQUERADE
-A PREROUTING_ZONES -i eth1 -j PRE_ZONE_public
-A PREROUTING_ZONES -i eth0 -j PRE_ZONE_public
-A PREROUTING_ZONES -j PRE_ZONE_public
-A PRE_ZONE_public -j PRE_ZONE_public_deny
-A PRE_ZONE_public -j PRE_ZONE_public_allow
COMMIT
# Completed on Sun Jan 27 21:21:00 2013
# Generated by iptables-save v1.4.16.2 on Sun Jan 27 21:21:00 2013
*mangle
:PREROUTING ACCEPT [5865:775754]
:INPUT ACCEPT [5863:775483]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5551:602834]
:POSTROUTING ACCEPT [5569:608136]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_direct - [0:0]
:PRE_ZONE_public - [0:0]
:PRE_ZONE_public_allow - [0:0]
:PRE_ZONE_public_deny - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i eth1 -j PRE_ZONE_public
-A PREROUTING_ZONES -i eth0 -j PRE_ZONE_public
-A PREROUTING_ZONES -j PRE_ZONE_public
-A PRE_ZONE_public -j PRE_ZONE_public_deny
-A PRE_ZONE_public -j PRE_ZONE_public_allow
COMMIT
# Completed on Sun Jan 27 21:21:00 2013
# Generated by iptables-save v1.4.16.2 on Sun Jan 27 21:21:00 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [740:73064]
:FORWARD_ZONES - [0:0]
:FORWARD_direct - [0:0]
:FWDI_ZONE_public - [0:0]
:FWDI_ZONE_public_allow - [0:0]
:FWDI_ZONE_public_deny - [0:0]
:FWDO_ZONE_external - [0:0]
:FWDO_ZONE_external_allow - [0:0]
:FWDO_ZONE_external_deny - [0:0]
:FWDO_ZONE_public - [0:0]
:FWDO_ZONE_public_allow - [0:0]
:FWDO_ZONE_public_deny - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_direct - [0:0]
:IN_ZONE_dmz - [0:0]
:IN_ZONE_dmz_allow - [0:0]
:IN_ZONE_dmz_deny - [0:0]
:IN_ZONE_external - [0:0]
:IN_ZONE_external_allow - [0:0]
:IN_ZONE_external_deny - [0:0]
:IN_ZONE_home - [0:0]
:IN_ZONE_home_allow - [0:0]
:IN_ZONE_home_deny - [0:0]
:IN_ZONE_internal - [0:0]
:IN_ZONE_internal_allow - [0:0]
:IN_ZONE_internal_deny - [0:0]
:IN_ZONE_public - [0:0]
:IN_ZONE_public_allow - [0:0]
:IN_ZONE_public_deny - [0:0]
:IN_ZONE_work - [0:0]
:IN_ZONE_work_allow - [0:0]
:IN_ZONE_work_deny - [0:0]
:OUTPUT_direct - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-sasl - [0:0]
-A INPUT -p tcp -m tcp --dport 25 -j fail2ban-sasl
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_ZONES
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A FORWARD_ZONES -i eth1 -j FWDI_ZONE_public
-A FORWARD_ZONES -o eth1 -j FWDO_ZONE_public
-A FORWARD_ZONES -i eth0 -j FWDI_ZONE_public
-A FORWARD_ZONES -o eth0 -j FWDO_ZONE_public
-A FORWARD_ZONES -j FWDO_ZONE_public
-A FORWARD_ZONES -j FWDI_ZONE_public
-A FWDI_ZONE_public -j FWDI_ZONE_public_deny
-A FWDI_ZONE_public -j FWDI_ZONE_public_allow
-A FWDO_ZONE_external -j FWDO_ZONE_external_deny
-A FWDO_ZONE_external -j FWDO_ZONE_external_allow
-A FWDO_ZONE_external_allow -j ACCEPT
-A FWDO_ZONE_public -j FWDO_ZONE_public_deny
-A FWDO_ZONE_public -j FWDO_ZONE_public_allow
-A FWDO_ZONE_public_allow -j ACCEPT
-A INPUT_ZONES -i eth1 -j IN_ZONE_public
-A INPUT_ZONES -i eth0 -j IN_ZONE_public
-A INPUT_ZONES -j IN_ZONE_public
-A IN_ZONE_dmz -j IN_ZONE_dmz_deny
-A IN_ZONE_dmz -j IN_ZONE_dmz_allow
-A IN_ZONE_dmz_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_external -j IN_ZONE_external_deny
-A IN_ZONE_external -j IN_ZONE_external_allow
-A IN_ZONE_external_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_home -j IN_ZONE_home_deny
-A IN_ZONE_home -j IN_ZONE_home_allow
-A IN_ZONE_home_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_home_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_home_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_home_allow -p udp -m udp --dport 137 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_home_allow -p udp -m udp --dport 138 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_internal -j IN_ZONE_internal_deny
-A IN_ZONE_internal -j IN_ZONE_internal_allow
-A IN_ZONE_internal_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_internal_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_internal_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_internal_allow -p udp -m udp --dport 137 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_internal_allow -p udp -m udp --dport 138 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public -j IN_ZONE_public_deny
-A IN_ZONE_public -j IN_ZONE_public_allow
-A IN_ZONE_public_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 4190 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 995 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 465 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 993 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 5222:5223 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 587 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 143 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 5269 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 10024 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 10025 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work -j IN_ZONE_work_deny
-A IN_ZONE_work -j IN_ZONE_work_allow
-A IN_ZONE_work_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
-A fail2ban-SSH -j RETURN
-A fail2ban-sasl -j RETURN
COMMIT


Could it perhaps be because of the definitions of my NICs? In the statement I see eth0/eth1, but they are called

The problem exists for the following:

Connection from postfix to amavis: connect on localhost to port 10024 (refused)
Connection from ejabberd during startup: does not work at all.

I yum downgraded again, and everything works fine. And what is really bad: I found nothing at all in my logs... :(

--- Additional comment from Grosswiler Roger on 2013-01-27 15:36:47 EST ---

And here is the output from firewalld-0.2.12-1.fc18.

The output above was from .2.

[root@vmlstlucia ~]# iptables-save
# Generated by iptables-save v1.4.16.2 on Sun Jan 27 21:35:49 2013
*nat
:PREROUTING ACCEPT [42:2583]
:INPUT ACCEPT [39:2487]
:OUTPUT ACCEPT [172:12582]
:POSTROUTING ACCEPT [86:5518]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_direct - [0:0]
:POST_ZONE_external - [0:0]
:POST_ZONE_external_allow - [0:0]
:POST_ZONE_external_deny - [0:0]
:POST_ZONE_public - [0:0]
:POST_ZONE_public_allow - [0:0]
:POST_ZONE_public_deny - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_direct - [0:0]
:PRE_ZONE_public - [0:0]
:PRE_ZONE_public_allow - [0:0]
:PRE_ZONE_public_deny - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o eth0 -j POST_ZONE_public
-A POSTROUTING_ZONES -o eth1 -j POST_ZONE_public
-A POST_ZONE_external -j POST_ZONE_external_deny
-A POST_ZONE_external -j POST_ZONE_external_allow
-A POST_ZONE_external_allow -j MASQUERADE
-A POST_ZONE_public -j POST_ZONE_public_deny
-A POST_ZONE_public -j POST_ZONE_public_allow
-A POST_ZONE_public_allow -j MASQUERADE
-A PREROUTING_ZONES -i eth0 -j PRE_ZONE_public
-A PREROUTING_ZONES -i eth1 -j PRE_ZONE_public
-A PRE_ZONE_public -j PRE_ZONE_public_deny
-A PRE_ZONE_public -j PRE_ZONE_public_allow
COMMIT
# Completed on Sun Jan 27 21:35:49 2013
# Generated by iptables-save v1.4.16.2 on Sun Jan 27 21:35:49 2013
*mangle
:PREROUTING ACCEPT [1694:224227]
:INPUT ACCEPT [1694:224227]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1604:332304]
:POSTROUTING ACCEPT [1622:337606]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_direct - [0:0]
:PRE_ZONE_public - [0:0]
:PRE_ZONE_public_allow - [0:0]
:PRE_ZONE_public_deny - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i eth0 -j PRE_ZONE_public
-A PREROUTING_ZONES -i eth1 -j PRE_ZONE_public
-A PRE_ZONE_public -j PRE_ZONE_public_deny
-A PRE_ZONE_public -j PRE_ZONE_public_allow
COMMIT
# Completed on Sun Jan 27 21:35:49 2013
# Generated by iptables-save v1.4.16.2 on Sun Jan 27 21:35:49 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1252:290269]
:FORWARD_ZONES - [0:0]
:FORWARD_direct - [0:0]
:FWDI_ZONE_public - [0:0]
:FWDI_ZONE_public_allow - [0:0]
:FWDI_ZONE_public_deny - [0:0]
:FWDO_ZONE_external - [0:0]
:FWDO_ZONE_external_allow - [0:0]
:FWDO_ZONE_external_deny - [0:0]
:FWDO_ZONE_public - [0:0]
:FWDO_ZONE_public_allow - [0:0]
:FWDO_ZONE_public_deny - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_direct - [0:0]
:IN_ZONE_dmz - [0:0]
:IN_ZONE_dmz_allow - [0:0]
:IN_ZONE_dmz_deny - [0:0]
:IN_ZONE_external - [0:0]
:IN_ZONE_external_allow - [0:0]
:IN_ZONE_external_deny - [0:0]
:IN_ZONE_home - [0:0]
:IN_ZONE_home_allow - [0:0]
:IN_ZONE_home_deny - [0:0]
:IN_ZONE_internal - [0:0]
:IN_ZONE_internal_allow - [0:0]
:IN_ZONE_internal_deny - [0:0]
:IN_ZONE_public - [0:0]
:IN_ZONE_public_allow - [0:0]
:IN_ZONE_public_deny - [0:0]
:IN_ZONE_work - [0:0]
:IN_ZONE_work_allow - [0:0]
:IN_ZONE_work_deny - [0:0]
:OUTPUT_direct - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-sasl - [0:0]
-A INPUT -p tcp -m tcp --dport 25 -j fail2ban-sasl
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_ZONES
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A FORWARD_ZONES -o eth0 -j FWDO_ZONE_public
-A FORWARD_ZONES -i eth0 -j FWDI_ZONE_public
-A FORWARD_ZONES -o eth1 -j FWDO_ZONE_public
-A FORWARD_ZONES -i eth1 -j FWDI_ZONE_public
-A FWDI_ZONE_public -j FWDI_ZONE_public_deny
-A FWDI_ZONE_public -j FWDI_ZONE_public_allow
-A FWDO_ZONE_external -j FWDO_ZONE_external_deny
-A FWDO_ZONE_external -j FWDO_ZONE_external_allow
-A FWDO_ZONE_external_allow -j ACCEPT
-A FWDO_ZONE_public -j FWDO_ZONE_public_deny
-A FWDO_ZONE_public -j FWDO_ZONE_public_allow
-A FWDO_ZONE_public_allow -j ACCEPT
-A INPUT_ZONES -i eth0 -j IN_ZONE_public
-A INPUT_ZONES -i eth1 -j IN_ZONE_public
-A IN_ZONE_dmz -j IN_ZONE_dmz_deny
-A IN_ZONE_dmz -j IN_ZONE_dmz_allow
-A IN_ZONE_dmz_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_external -j IN_ZONE_external_deny
-A IN_ZONE_external -j IN_ZONE_external_allow
-A IN_ZONE_external_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_home -j IN_ZONE_home_deny
-A IN_ZONE_home -j IN_ZONE_home_allow
-A IN_ZONE_home_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_home_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_home_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_home_allow -p udp -m udp --dport 137 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_home_allow -p udp -m udp --dport 138 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_internal -j IN_ZONE_internal_deny
-A IN_ZONE_internal -j IN_ZONE_internal_allow
-A IN_ZONE_internal_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_internal_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_internal_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_internal_allow -p udp -m udp --dport 137 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_internal_allow -p udp -m udp --dport 138 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public -j IN_ZONE_public_deny
-A IN_ZONE_public -j IN_ZONE_public_allow
-A IN_ZONE_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 4190 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 995 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 465 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 993 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 5222:5223 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 587 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 143 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 5269 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work -j IN_ZONE_work_deny
-A IN_ZONE_work -j IN_ZONE_work_allow
-A IN_ZONE_work_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
-A fail2ban-SSH -j RETURN
-A fail2ban-sasl -j RETURN
COMMIT
# Completed on Sun Jan 27 21:35:49 2013
[root@vmlstlucia ~]# iptables-save
# Generated by iptables-save v1.4.16.2 on Sun Jan 27 21:35:56 2013
*nat
:PREROUTING ACCEPT [42:2583]
:INPUT ACCEPT [39:2487]
:OUTPUT ACCEPT [172:12582]
:POSTROUTING ACCEPT [86:5518]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_direct - [0:0]
:POST_ZONE_external - [0:0]
:POST_ZONE_external_allow - [0:0]
:POST_ZONE_external_deny - [0:0]
:POST_ZONE_public - [0:0]
:POST_ZONE_public_allow - [0:0]
:POST_ZONE_public_deny - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_direct - [0:0]
:PRE_ZONE_public - [0:0]
:PRE_ZONE_public_allow - [0:0]
:PRE_ZONE_public_deny - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o eth0 -j POST_ZONE_public
-A POSTROUTING_ZONES -o eth1 -j POST_ZONE_public
-A POST_ZONE_external -j POST_ZONE_external_deny
-A POST_ZONE_external -j POST_ZONE_external_allow
-A POST_ZONE_external_allow -j MASQUERADE
-A POST_ZONE_public -j POST_ZONE_public_deny
-A POST_ZONE_public -j POST_ZONE_public_allow
-A POST_ZONE_public_allow -j MASQUERADE
-A PREROUTING_ZONES -i eth0 -j PRE_ZONE_public
-A PREROUTING_ZONES -i eth1 -j PRE_ZONE_public
-A PRE_ZONE_public -j PRE_ZONE_public_deny
-A PRE_ZONE_public -j PRE_ZONE_public_allow
COMMIT
# Completed on Sun Jan 27 21:35:56 2013
# Generated by iptables-save v1.4.16.2 on Sun Jan 27 21:35:56 2013
*mangle
:PREROUTING ACCEPT [1954:238675]
:INPUT ACCEPT [1954:238675]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1853:364692]
:POSTROUTING ACCEPT [1871:369994]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_direct - [0:0]
:PRE_ZONE_public - [0:0]
:PRE_ZONE_public_allow - [0:0]
:PRE_ZONE_public_deny - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i eth0 -j PRE_ZONE_public
-A PREROUTING_ZONES -i eth1 -j PRE_ZONE_public
-A PRE_ZONE_public -j PRE_ZONE_public_deny
-A PRE_ZONE_public -j PRE_ZONE_public_allow
COMMIT
# Completed on Sun Jan 27 21:35:56 2013
# Generated by iptables-save v1.4.16.2 on Sun Jan 27 21:35:56 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1485:320785]
:FORWARD_ZONES - [0:0]
:FORWARD_direct - [0:0]
:FWDI_ZONE_public - [0:0]
:FWDI_ZONE_public_allow - [0:0]
:FWDI_ZONE_public_deny - [0:0]
:FWDO_ZONE_external - [0:0]
:FWDO_ZONE_external_allow - [0:0]
:FWDO_ZONE_external_deny - [0:0]
:FWDO_ZONE_public - [0:0]
:FWDO_ZONE_public_allow - [0:0]
:FWDO_ZONE_public_deny - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_direct - [0:0]
:IN_ZONE_dmz - [0:0]
:IN_ZONE_dmz_allow - [0:0]
:IN_ZONE_dmz_deny - [0:0]
:IN_ZONE_external - [0:0]
:IN_ZONE_external_allow - [0:0]
:IN_ZONE_external_deny - [0:0]
:IN_ZONE_home - [0:0]
:IN_ZONE_home_allow - [0:0]
:IN_ZONE_home_deny - [0:0]
:IN_ZONE_internal - [0:0]
:IN_ZONE_internal_allow - [0:0]
:IN_ZONE_internal_deny - [0:0]
:IN_ZONE_public - [0:0]
:IN_ZONE_public_allow - [0:0]
:IN_ZONE_public_deny - [0:0]
:IN_ZONE_work - [0:0]
:IN_ZONE_work_allow - [0:0]
:IN_ZONE_work_deny - [0:0]
:OUTPUT_direct - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-sasl - [0:0]
-A INPUT -p tcp -m tcp --dport 25 -j fail2ban-sasl
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_ZONES
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A FORWARD_ZONES -o eth0 -j FWDO_ZONE_public
-A FORWARD_ZONES -i eth0 -j FWDI_ZONE_public
-A FORWARD_ZONES -o eth1 -j FWDO_ZONE_public
-A FORWARD_ZONES -i eth1 -j FWDI_ZONE_public
-A FWDI_ZONE_public -j FWDI_ZONE_public_deny
-A FWDI_ZONE_public -j FWDI_ZONE_public_allow
-A FWDO_ZONE_external -j FWDO_ZONE_external_deny
-A FWDO_ZONE_external -j FWDO_ZONE_external_allow
-A FWDO_ZONE_external_allow -j ACCEPT
-A FWDO_ZONE_public -j FWDO_ZONE_public_deny
-A FWDO_ZONE_public -j FWDO_ZONE_public_allow
-A FWDO_ZONE_public_allow -j ACCEPT
-A INPUT_ZONES -i eth0 -j IN_ZONE_public
-A INPUT_ZONES -i eth1 -j IN_ZONE_public
-A IN_ZONE_dmz -j IN_ZONE_dmz_deny
-A IN_ZONE_dmz -j IN_ZONE_dmz_allow
-A IN_ZONE_dmz_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_external -j IN_ZONE_external_deny
-A IN_ZONE_external -j IN_ZONE_external_allow
-A IN_ZONE_external_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_home -j IN_ZONE_home_deny
-A IN_ZONE_home -j IN_ZONE_home_allow
-A IN_ZONE_home_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_home_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_home_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_home_allow -p udp -m udp --dport 137 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_home_allow -p udp -m udp --dport 138 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_internal -j IN_ZONE_internal_deny
-A IN_ZONE_internal -j IN_ZONE_internal_allow
-A IN_ZONE_internal_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_internal_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_internal_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_internal_allow -p udp -m udp --dport 137 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_internal_allow -p udp -m udp --dport 138 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public -j IN_ZONE_public_deny
-A IN_ZONE_public -j IN_ZONE_public_allow
-A IN_ZONE_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 4190 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 995 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 465 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 993 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 5222:5223 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 587 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 143 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 5269 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work -j IN_ZONE_work_deny
-A IN_ZONE_work -j IN_ZONE_work_allow
-A IN_ZONE_work_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
-A fail2ban-SSH -j RETURN
-A fail2ban-sasl -j RETURN
COMMIT
# Completed on Sun Jan 27 21:35:56 2013

--- Additional comment from Grosswiler Roger on 2013-01-27 15:42:37 EST ---

I just copied all contents to 2 separate files; there is a huge difference in lines. I did not verify in detail, but it does not seem that I copied it twice? In .1 I have nearly double as many lines as in .2.

--- Additional comment from Grosswiler Roger on 2013-01-27 15:48:28 EST ---

It's copied twice in .1, sorry.

--- Additional comment from Jiri Popelka on 2013-01-29 12:36:00 EST ---

(In reply to comment #6)
> In .1 I have nearly double as many lines as in .2.

What exactly do you mean by .1 and .2?
Is that firewalld-0.2.12-1.fc18 and firewalld-0.2.12-2.fc18?

So both the output in comment #4 and in comment #5 are the non-working configurations, right? Can you attach (save it to a file and use the 'Add an attachment' link above) an iptables-save output from the version which works (and tell which version it is)?

--- Additional comment from Grosswiler Roger on 2013-02-01 14:20:07 EST ---



--- Additional comment from Grosswiler Roger on 2013-02-01 14:21:34 EST ---

.1 = firewalld-0.2.12-1.fc18
.2 = firewalld-0.2.12-2.fc18

Working is firewalld-0.2.12-1.fc18

Output from iptables-save added as attachment.

--- Additional comment from Jiri Popelka on 2013-02-04 06:55:34 EST ---

(In reply to comment #10)
> Working is firewalld-0.2.12-1.fc18
> Output from iptables-save added as attachment.

That does not look like it is from 0.2.12-1.
There's no
-A INPUT_ZONES -j IN_ZONE_public
rule (this rule says that all "unmanaged" interfaces are in the public zone), which has been there since 0.2.12-1.

Can you check the versions once more? Is it possible that the working one is actually firewalld-0.2.11-1.fc18 or even something older?

Also, there wasn't any such change between firewalld-0.2.12-1.fc18 and firewalld-0.2.12-2.fc18.

--- Additional comment from Grosswiler Roger on 2013-02-07 08:04:01 EST ---



--- Additional comment from Grosswiler Roger on 2013-02-07 08:04:48 EST ---



--- Additional comment from Grosswiler Roger on 2013-02-07 08:11:19 EST ---

I checked them again and posted both results in the according files.

Yes, the one that is working is 2.11-1 or even older. The problem has occurred since 2.12-2.

I haven't seen 2.12.1; yum upgraded directly from 2.11.2 to 2.12.2, and downgraded me back to 2.11.2.

Perhaps there was a bigger change between 2.11.2 and 2.12.1 (which I actually didn't receive).

--- Additional comment from Thomas Woerner on 2013-02-07 09:58:44 EST ---

I do not see any problems in the rules generated by firewalld.

But you are using fail2ban-sasl with port 25...

--- Additional comment from Grosswiler Roger on 2013-02-07 11:58:51 EST ---

...which is quite right...the problem occurs when connecting from postfix to amavis via port 10024/10025 on localhost...

The sasl rule comes up, as postfix authenticates via dovecot-sasl and blocks all incoming traffic if an IP comes more than n times in x seconds.

--- Additional comment from Grosswiler Roger on 2013-02-07 12:00:05 EST ---

...and not to forget that ejabberd cannot start up correctly. It seems that traffic on lo is also blocked, not just on eth(n).

--- Additional comment from Grosswiler Roger on 2013-02-23 06:52:10 EST ---

It is very strange....

Today I looked in updates-testing and found 0.2.12-3.fc18. I installed it. After restart, I had the same issue.

I then changed the default zone from public to dmz. Wow, it worked. Then I changed back from dmz to public, and it still works. I dunno why and am also a little bit unsure if this happens next time.

--- Additional comment from Pavel Sedlák on 2013-03-12 10:01:52 EDT ---

This behavior (rule -A POSTROUTING_ZONES -g POST_ZONE_public) breaks a lot of things when it comes to localhost connections in case someone uses public interface masquerade (enabled using the GUI tool firewall-config).

The localhost/loopback interface really has to be excluded from the default/public zone (maybe placed in its own zone?) by default.
And maybe this default-zone behavior when mixed with masquerade can also affect scenarios other than localhost (maybe bridges etc...?).


LAN (eth0/em1 ifc) IP address replaced with 10.0.0.1 as an example.



One example can be seen with squid as a local proxy - all localhost connections get masked behind the public ifc IP (IPv4 only, because the rules did not apply to v6):

 root@psedlak-laptop root # lsof -i -n -P|grep squid
 squid     28508   squid    7u  IPv6 5534070      0t0  UDP *:35169 
 squid     28508   squid    8u  IPv4 5534071      0t0  UDP *:33060 
 squid     28508   squid   17u  IPv6 5534076      0t0  TCP *:3128 (LISTEN)

 root@psedlak-laptop root # strace -p 28508 -o /tmp/srv.log

 psedlak@psedlak-laptop 14:22:39 ~ $ strace -o /tmp/cli.log curl --proxy 'http://127.0.0.1:3128/' -I http://example.com

 psedlak@psedlak-laptop 14:34:09 ~ $ grep conn /tmp/cli.log 
 connect(3, {sa_family=AF_INET, sin_port=htons(3128), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EINPROGRESS (Operation now in progress)

 root@psedlak-laptop root # grep acc /tmp/srv.log 
 accept(17, {sa_family=AF_INET6, sin6_port=htons(60280), inet_pton(AF_INET6, "::ffff:10.0.0.1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 12



Other example can be checked with apache httpd:
 - yum install httpd ... and start
 - when accessed (browser/curl) via 127.0.0.1 or localhost (ipv6 disabled in this situation) like:
   curl http://127.0.0.1/
 - tail -n1 /var/log/httpd/access_log shows
   10.0.0.1 - - [12/Mar/2013:14:47:38 +0100] "GET / HTTP/1.1" 200 98 "-" "curl/7.27.0"



iptables nat table (without basic chain defs):
  root@psedlak-laptop root # iptables -t nat -S|grep -v "^-N"
  -P PREROUTING ACCEPT
  -P INPUT ACCEPT
  -P OUTPUT ACCEPT
  -P POSTROUTING ACCEPT
  -A PREROUTING -j PREROUTING_direct
  -A PREROUTING -j PREROUTING_ZONES
  -A OUTPUT -j OUTPUT_direct
  -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
  -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
  -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
  -A POSTROUTING -j POSTROUTING_direct
  -A POSTROUTING -j POSTROUTING_ZONES
  -A POSTROUTING_ZONES -o em1 -g POST_ZONE_public
  -A POSTROUTING_ZONES -g POST_ZONE_public
  -A POST_ZONE_external -j POST_ZONE_external_deny
  -A POST_ZONE_external -j POST_ZONE_external_allow
  -A POST_ZONE_public -j POST_ZONE_public_deny
  -A POST_ZONE_public -j POST_ZONE_public_allow
  -A POST_ZONE_public_allow -j MASQUERADE
  -A PREROUTING_ZONES -i em1 -g PRE_ZONE_public
  -A PREROUTING_ZONES -g PRE_ZONE_public
  -A PRE_ZONE_public -j PRE_ZONE_public_deny
  -A PRE_ZONE_public -j PRE_ZONE_public_allow

--- Additional comment from Fedora Update System on 2013-06-06 12:32:35 EDT ---

firewalld-0.3.3-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/firewalld-0.3.3-1.fc19

--- Additional comment from Fedora Update System on 2013-06-07 11:40:31 EDT ---

Package firewalld-0.3.3-2.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing firewalld-0.3.3-2.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-10276/firewalld-0.3.3-2.fc19
then log in and leave karma (feedback).

--- Additional comment from Fedora Update System on 2013-06-08 23:29:41 EDT ---

firewalld-0.3.3-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

--- Additional comment from Richard Keech on 2014-12-16 06:15:00 EST ---

I'm seeing this same problem with firewalld-0.3.12-1 on Fedora 20.

I find that with (minimally configured) firewalld stopped, amavisd and postfix can talk OK.  With firewalld started I get this error when an email arrives:

   amavis[1950]: (!)DENIED ACCESS from IP 1.2.3.4, policy bank ''

where 1.2.3.4 is the local address of eth0, which is the interface associated with the public zone of firewalld.

--- Additional comment from Richard Keech on 2015-01-06 23:49:10 EST ---

OK, a controlled experiment - with and without firewalld running to show this is still a problem.  Please re-open this bug.

In each case running:  telnet localhost 10024

with Fedora 20 and firewalld-0.3.13-1.fc20.noarch


Results 

With firewalld running the packets arriving at the loopback interface have the wrong source address!

Case A. With firewalld running:

#tcpdump -i lo -n port 10024
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
14:44:25.946752 IP 172.17.23.7.53646 > 127.0.0.1.10024: Flags [S], seq 1388031163, win 43690, options [mss 65495,sackOK,TS val 195394207 ecr 0,nop,wscale 7], length 0
14:44:25.946881 IP 127.0.0.1.10024 > 127.0.0.1.53646: Flags [S.], seq 540729083, ack 1388031164, win 43690, options [mss 65495,sackOK,TS val 195394207 ecr 195394207,nop,wscale 7], length 0
14:44:25.947000 IP 172.17.23.7.53646 > 127.0.0.1.10024: Flags [.], ack 540729084, win 342, options [nop,nop,TS val 195394207 ecr 195394207], length 0
14:44:25.954890 IP 127.0.0.1.10024 > 127.0.0.1.53646: Flags [F.], seq 1, ack 1, win 342, options [nop,nop,TS val 195394215 ecr 195394207], length 0
14:44:25.955337 IP 172.17.23.7.53646 > 127.0.0.1.10024: Flags [.], ack 2, win 342, options [nop,nop,TS val 195394216 ecr 195394215], length 0
14:44:25.955515 IP 172.17.23.7.53646 > 127.0.0.1.10024: Flags [F.], seq 0, ack 2, win 342, options [nop,nop,TS val 195394216 ecr 195394215], length 0
14:44:25.955617 IP 127.0.0.1.10024 > 127.0.0.1.53646: Flags [.], ack 2, win 342, options [nop,nop,TS val 195394216 ecr 195394216], length 0


Case B. Without firewalld running:

#tcpdump -i lo -n port 10024
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
14:45:36.612992 IP 127.0.0.1.53650 > 127.0.0.1.10024: Flags [S], seq 430007585, win 43690, options [mss 65495,sackOK,TS val 195464873 ecr 0,nop,wscale 7], length 0
14:45:36.613025 IP 127.0.0.1.10024 > 127.0.0.1.53650: Flags [S.], seq 1893138336, ack 430007586, win 43690, options [mss 65495,sackOK,TS val 195464873 ecr 195464873,nop,wscale 7], length 0
14:45:36.613057 IP 127.0.0.1.53650 > 127.0.0.1.10024: Flags [.], ack 1, win 342, options [nop,nop,TS val 195464873 ecr 195464873], length 0
14:45:36.620274 IP 127.0.0.1.10024 > 127.0.0.1.53650: Flags [P.], seq 1:50, ack 1, win 342, options [nop,nop,TS val 195464880 ecr 195464873], length 49
14:45:36.620311 IP 127.0.0.1.53650 > 127.0.0.1.10024: Flags [.], ack 50, win 342, options [nop,nop,TS val 195464881 ecr 195464880], length 0
14:45:39.969409 IP 127.0.0.1.53650 > 127.0.0.1.10024: Flags [F.], seq 1, ack 50, win 342, options [nop,nop,TS val 195468230 ecr 195464880], length 0
14:45:39.970301 IP 127.0.0.1.10024 > 127.0.0.1.53650: Flags [.], ack 2, win 342, options [nop,nop,TS val 195468231 ecr 195468230], length 0
14:45:39.981311 IP 127.0.0.1.10024 > 127.0.0.1.53650: Flags [F.], seq 50, ack 2, win 342, options [nop,nop,TS val 195468241 ecr 195468230], length 0
14:45:39.981385 IP 127.0.0.1.53650 > 127.0.0.1.10024: Flags [.], ack 51, win 342, options [nop,nop,TS val 195468242 ecr 195468241], length 0



Firewall rules as follows:

 
# Generated by iptables-save v1.4.19.1 on Wed Jan  7 15:36:11 2015
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
COMMIT
# Completed on Wed Jan  7 15:36:11 2015
# Generated by iptables-save v1.4.19.1 on Wed Jan  7 15:36:11 2015
*mangle
:PREROUTING ACCEPT [64:7396]
:INPUT ACCEPT [3:244]
:FORWARD ACCEPT [61:7152]
:OUTPUT ACCEPT [1:168]
:POSTROUTING ACCEPT [62:7320]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
COMMIT
# Completed on Wed Jan  7 15:36:11 2015
# Generated by iptables-save v1.4.19.1 on Wed Jan  7 15:36:11 2015
*security
:INPUT ACCEPT [3:244]
:FORWARD ACCEPT [70:7811]
:OUTPUT ACCEPT [1:168]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Wed Jan  7 15:36:11 2015
# Generated by iptables-save v1.4.19.1 on Wed Jan  7 15:36:11 2015
*raw
:PREROUTING ACCEPT [76:8284]
:OUTPUT ACCEPT [1:168]
:OUTPUT_direct - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Wed Jan  7 15:36:11 2015
# Generated by iptables-save v1.4.19.1 on Wed Jan  7 15:36:11 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
COMMIT

--- Additional comment from Jiri Popelka on 2015-01-13 12:40:42 EST ---

(In reply to Richard Keech from comment #27)
> OK, a controlled experiment - with and without firewalld running to show
> this is still a problem.  Please re-open this bug.

--- Additional comment from Perry Myers on 2015-03-20 22:14:52 EDT ---

fwiw, I am seeing the same behavior with similar iptables rules above.

If I have masquerading on in the Public (default) zone, and telnet from localhost to localhost, the packets are mangled to look like they are coming from the externally facing interface ip address vs. coming from 127.0.0.1

If I simply remove masquerading from the public/default zone, the problem goes away and the packets properly have source address 127.0.0.1

--- Additional comment from Fedora End Of Life on 2015-05-29 04:52:12 EDT ---

This message is a reminder that Fedora 20 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 20. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
of '20'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 20 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

--- Additional comment from Stuart Auchterlonie on 2015-06-18 05:13:13 EDT ---

Hi,

I'm seeing this still in Fedora 22 with firewalld-0.3.14.1-1.fc22.noarch.
amavisd is listening on 10024 to receive connections from postfix.

- with firewalld stopped and no iptables rules

# telnet 127.0.0.1 10024
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 [127.0.0.1] ESMTP amavisd-new service ready

# systemctl start firewalld

# telnet 127.0.0.1 10024
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Connection closed by foreign host.

- As a side note, it's not blocking ipv6 localhost connections

# telnet localhost 10024
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 [::1] ESMTP amavisd-new service ready

What info do you need from me? I can reproduce this at will.

Regards
Stuart

--- Additional comment from Stuart Auchterlonie on 2015-06-18 05:27:27 EDT ---

I've discovered a way around this, provided you don't actually *need*
masquerading.

I had the default zone set to "external" which has the only service I want (ssh)
active, but also includes masquerading.

Changing the default zone to "dmz" removes the masquerading but leaves only ssh
active, which is what I want.


Regards
Stuart

--- Additional comment from Fedora Update System on 2016-02-04 10:41:27 EST ---

firewalld-0.4.0-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-fc0691e6a7

--- Additional comment from Fedora Update System on 2016-02-04 20:23:46 EST ---

firewalld-0.4.0-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-fc0691e6a7

--- Additional comment from Fedora Update System on 2016-02-08 08:29:17 EST ---

firewalld-0.4.0-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-fc0691e6a7

--- Additional comment from Fedora Update System on 2016-02-09 17:27:55 EST ---

firewalld-0.4.0-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-fc0691e6a7

--- Additional comment from Stuart Auchterlonie on 2016-02-19 09:42:31 EST ---

This update fixes the localhost masquerading issues for me

--- Additional comment from Fedora Update System on 2016-02-21 11:30:25 EST ---

firewalld-0.4.0-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

--- Additional comment from Christopher Tubbs on 2016-03-12 01:53:49 EST ---

This bug seems to also affect RHEL/CentOS 7 with firewalld-0.3.9-14.el7.noarch
Can anybody else verify, or help me verify before I submit a bug against RHEL 7?

In my situation, I'm running openvpn on 443/tcp and used firewalld following the instructions at http://unix.stackexchange.com/a/149193/118916

In my output of `iptables -t nat -S`, I see:
-A POST_public_allow ! -i lo -j MASQUERADE

I have an open stackexchange issue related to this, if it's not the same bug and anybody has a workaround or other solution to suggest there: http://unix.stackexchange.com/q/269315/118916

--- Additional comment from Michal Bruncko on 2016-04-10 12:44:43 EDT ---

Same issue for me.

Reproducing it is pretty easy:

1. keep the ntpd service running on the system
2. enable masquerading on the zone where the public interface is located
3. execute "ntpstat" or "ntptrace"


Results:

expected:

you will get a response from ntpd

current:

you will get a "timeout" error.


As stated in #39, with masquerading enabled on the active zone, the following rule is added into the nat table:

-A POST_public_allow ! -i lo -j MASQUERADE (which is part of the "POST_public_allow" chain)


But I think this is not correct - using an input interface match ("-i") for outgoing packets makes no sense (the input interface value of the "outgoing" packet in question is basically empty), example from -j LOG:

IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=604 TOS=0x00 PREC=0x00 TTL=64 ...

For NAT/masquerading within the postrouting chain only "output interface" checks make sense. And because all packets destined for localhost go out via the "lo" interface, the masquerading rule should look like this:

-A POST_public_allow ! -o lo -j MASQUERADE


The workaround looks like this (assuming active zone "public"):

firewall-cmd --permanent --zone=public --remove-masquerade 
firewall-cmd --reload
firewall-cmd --direct --add-rule ipv4 nat POST_public_allow 0 ! -o lo -j MASQUERADE


@Jiri: shall I open a new bug report (I am interested in RHEL7) or can we reuse this existing one?
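
Added example, not code from this bug report or from firewalld: a small Python model of how the interface clause on a POSTROUTING MASQUERADE rule decides whether a locally generated packet is rewritten, using the "-j LOG" line quoted above and the buggy and corrected rules from the thread. The interface addresses and the forwarded-packet sample are constructed; the rewrite-to-eth0-address behaviour models what the tcpdump captures earlier in the thread show for loopback traffic.

```python
"""
Model of iptables POSTROUTING interface matching for MASQUERADE rules.
Locally generated packets carry an empty input interface (IN=), so a
"! -i lo" clause is true for them and loopback traffic gets masqueraded;
"! -o lo" is the clause that actually exempts packets leaving on lo.
"""
import re
from dataclasses import dataclass

# Constructed address table (assumption, not from the report). Scope matters:
# MASQUERADE selects a globally scoped source address, and 127.0.0.1 is
# host-scoped, which is why the report's tcpdump on lo shows the eth0 address.
IFACE_ADDR = {"lo": ("127.0.0.1", "host"), "eth0": ("172.17.23.7", "global")}


@dataclass
class Packet:
    in_if: str   # "" for locally generated packets
    out_if: str
    src: str
    dst: str


def parse_log_line(line: str) -> Packet:
    """Parse the IN=/OUT=/SRC=/DST= fields of an iptables '-j LOG' line."""
    f = dict(re.findall(r"\b(IN|OUT|SRC|DST)=(\S*)", line))
    return Packet(f.get("IN", ""), f.get("OUT", ""), f["SRC"], f["DST"])


def rule_matches(rule: str, pkt: Packet) -> bool:
    """Evaluate the optional '[!] -i IF' / '[!] -o IF' clause against pkt."""
    m = re.search(r"(!\s+)?-([io])\s+(\S+)", rule)
    if not m:                      # no interface clause: matches everything
        return True
    negated, opt, iface = bool(m.group(1)), m.group(2), m.group(3)
    actual = pkt.in_if if opt == "i" else pkt.out_if
    return (actual == iface) != negated   # an empty IN= never equals "lo"


def masquerade_address(out_if: str) -> str:
    """Global-scope address of out_if, else the first global address found."""
    addr, scope = IFACE_ADDR[out_if]
    if scope == "global":
        return addr
    return next(a for a, s in IFACE_ADDR.values() if s == "global")


def postrouting_source(rule: str, log_line: str) -> str:
    """Source address the packet leaves with after the MASQUERADE rule."""
    pkt = parse_log_line(log_line)
    if "-j MASQUERADE" in rule and rule_matches(rule, pkt):
        return masquerade_address(pkt.out_if)
    return pkt.src


def masquerades_loopback(rule: str) -> bool:
    """Config check: would this rule rewrite a 127.0.0.1 -> 127.0.0.1 packet?"""
    probe = "IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1"   # constructed probe
    return postrouting_source(rule, probe) != "127.0.0.1"


BUGGY = "-A POST_public_allow ! -i lo -j MASQUERADE"   # rule from the report
FIXED = "-A POST_public_allow ! -o lo -j MASQUERADE"   # corrected match

if __name__ == "__main__":
    local = "IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=604"          # from the report
    forwarded = "IN=virbr0 OUT=eth0 SRC=192.168.122.10 DST=203.0.113.5"  # constructed
    for name, rule in (("buggy", BUGGY), ("fixed", FIXED)):
        print(name, postrouting_source(rule, local),
              postrouting_source(rule, forwarded), masquerades_loopback(rule))
```

Both rules still masquerade the forwarded packet, so the corrected clause keeps NAT working while leaving loopback traffic untouched.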

--- Additional comment from Paul Raines on 2016-04-11 16:31:03 EDT ---

Same issue for me in RHEL7/CentOS7.  As soon as I set up masquerading I noticed emails stopped working.  I looked in /var/log/maillog and postfix is seeing all localhost connections now as coming from the internal NAT-side IP and thus rejects routing them.  As soon as I turn off firewalld postfix is happy again as localhost smtp connections appear to come from localhost again.

--- Additional comment from Paul Raines on 2016-04-11 17:20:20 EDT ---

I also want to note that Michal's workaround does not work for me.  It solves the localhost issue but NAT/Masquerade stops working too.  Comparing iptables-save outputs it appears another rule involving "FWDO_external_allow 0 -j ACCEPT" needs to be added by --direct but I cannot figure out how to do it.

So I just set up masquerade with firewall-cmd again, used iptables-save to put the rules in a file, edited the POST_public_allow rule to change "-i lo" to "-o lo" and then loaded the file with iptables-restore.

Now masquerading works and the localhost problem disappears, but of course the changes are lost when the machine reboots or firewalld is reloaded and the localhost problem comes back.

Comment 1 Christopher Tubbs 2016-04-11 22:29:05 UTC
Cloned bug due to lots of continued comments about it affecting RHEL7, which looks like it's still using:

  firewalld-0.3.9-14.el7.noarch

Whereas the bug wasn't fixed until:

  firewalld-0.4.0-2.fc23

Comment 8 errata-xmlrpc 2016-11-03 21:02:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2597.html

