Red Hat Bugzilla – Bug 1452137
firewall-cmd: man page should mention that reload does not purge direct runtime rules
Last modified: 2018-04-10 06:31:38 EDT
When adding a direct firewall rule to runtime, it does not get wiped on firewalld reload. Therefore custom admin user rules cannot be purged without restarting firewalld or removing rules one by one (in our case puppet cannot get rid of any custom rules).

Version: 0.4.3.2-8.1.el7_3.2

Reproduction steps:

1. First we add a direct rule into firewalld:

   # firewall-cmd --direct --add-rule ipv4 filter INPUT 120 -m state --state NEW -s 10.0.16.0/24 -m tcp -p tcp --dport 55555 -j ACCEPT

2. Check if the rule has been added correctly:

   # firewall-cmd --direct --get-all-rules | grep 55555
   ipv4 filter INPUT 120 -m state --state NEW -s 10.0.16.0/24 -m tcp -p tcp --dport 55555 -j ACCEPT

3. Reload firewalld so only permanent rules should reapply:

   # firewall-cmd --reload
   -OR-
   # systemctl reload firewalld
   -OR-
   # firewall-cmd --complete-reload

4. Check if the rule is still present:

   # firewall-cmd --direct --get-all-rules | grep 55555
   ipv4 filter INPUT 120 -m state --state NEW -s 10.0.16.0/24 -m tcp -p tcp --dport 55555 -j ACCEPT

   An empty response was expected, but the rule is still present.

The rule is successfully removed only after restarting firewalld:

   # systemctl restart firewalld
firewalld is trying to keep runtime-only direct rules while reloading, to minimize the need to recreate rules added by services and applications.
There are multiple problems with this approach:

1. Is this documented somewhere? I have tried to find some mention of this in the manpages, but was not successful. According to them, everything that is not in config should be purged after reload.

2. Even if this was true, firewalld should not retain rules put in runtime by itself. It should know that the rule was not created by some service, but by itself. Also we do not want other services to punch holes through the firewall. That is why the firewall is there in the first place.

3. So we are not able to purge unwanted direct rules via remote management at all. No switch? Only a complete restart of firewalld?
(In reply to lubomir.prda from comment #4)
> There are multiple problems with this approach:
>
> 1. Is this documented somewhere? I have tried to find some mention of this
> in manpages, but was not successful. According them, everything, that is not
> in config should be purged after reload.

This caveat should probably be added to the man page under --reload/--complete-reload. I'll use this BZ as the work item for that.

> 2. Even if this was true, firewalld should not retain rules put in runtime
> by itself. It should know, that the rule was not created by some service,
> but itself. Also we do not want other services to punch holes through
> firewall. That is why firewall is there in the first place.

Only applications authenticated via policy kit can add direct rules.

> 3. So we are not able to purge unwanted direct rules via remote management
> at all. No switch? Only complete restart of firewalld?

You can remove all rules in a given chain, e.g.

   # firewall-cmd --direct --remove-rules ipv4 filter INPUT

Or do something like this to remove all direct rules:

   # firewall-cmd --direct --get-all-rules | while read LINE; do firewall-cmd --direct --remove-rule $LINE; done
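An added example, not part of this bug thread or of firewalld itself, that builds on the removal loop in the comment above: instead of removing every runtime direct rule, it removes only the direct rules present in runtime but absent from the permanent configuration, which is what the reporter expected --reload to do, and leaves permanent rules (which a reload re-applies anyway) untouched. The FIREWALL_CMD variable, the function names and the sample rule in the comments are this example's own assumptions.

```shell
#!/bin/sh
# Purge firewalld direct rules that exist only in runtime, i.e. the rules a
# plain "firewall-cmd --reload" leaves in place (the behaviour reported in
# this bug). Rules also present in the permanent configuration are kept.
# FIREWALL_CMD is an assumption for this example: it defaults to firewall-cmd
# and can be pointed at a stub to dry-run without touching the host firewall.
: "${FIREWALL_CMD:=firewall-cmd}"

# runtime_only_rules RUNTIME_LIST PERMANENT_LIST
# Both lists are newline-separated in the format printed by
# "firewall-cmd --direct --get-all-rules", for example:
#   ipv4 filter INPUT 120 -m state --state NEW -s 10.0.16.0/24 -m tcp -p tcp --dport 55555 -j ACCEPT
# Prints the lines of RUNTIME_LIST that do not appear in PERMANENT_LIST,
# preserving runtime order. A sentinel line lets a single awk pass read both
# lists from one stream (POSIX sh, no process substitution needed).
runtime_only_rules() {
    {
        printf '%s\n' "$2"
        printf '__END_PERMANENT__\n'
        printf '%s\n' "$1"
    } | awk '
        !seen_end {
            if ($0 == "__END_PERMANENT__") seen_end = 1
            else if (NF) perm[$0] = 1
            next
        }
        NF && !($0 in perm)'
}

# purge_runtime_only_direct_rules
# Queries firewalld for the runtime and permanent direct rule sets, removes
# the difference from runtime, and prints one "removed: <rule>" line per rule
# so a configuration management run (e.g. a puppet exec) can log what changed.
purge_runtime_only_direct_rules() {
    runtime_only_rules \
        "$($FIREWALL_CMD --direct --get-all-rules)" \
        "$($FIREWALL_CMD --permanent --direct --get-all-rules)" |
    while IFS= read -r rule; do
        # $rule is deliberately unquoted: --remove-rule expects
        # "ipv4 filter INPUT 120 -m state ..." as separate arguments.
        # shellcheck disable=SC2086
        $FIREWALL_CMD --direct --remove-rule $rule >/dev/null &&
            printf 'removed: %s\n' "$rule"
    done
}

# Run directly as root: sh purge-direct.sh --run
if [ "${1:-}" = "--run" ]; then purge_runtime_only_direct_rules; fi
```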
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2018:0702