RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1609014 - firewall-cmd command in https://static.open-scap.org/ssg-guides/ssg-rhel7-guide-index.html is breaking firewalld functionality
Summary: firewall-cmd command in https://static.open-scap.org/ssg-guides/ssg-rhel7-gui...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: scap-security-guide
Version: 7.5
Hardware: All
OS: Linux
high
urgent
Target Milestone: rc
: ---
Assignee: Vojtech Polasek
QA Contact: Gabriel Gaspar Becker
Jan Fiala
URL:
Whiteboard:
Depends On:
Blocks: 1594286
TreeView+ depends on / blocked
 
Reported: 2018-07-26 18:05 UTC by mcolombo
Modified: 2023-12-15 16:07 UTC (History)
13 users (show)

Fixed In Version: scap-security-guide-0.1.49-1.el7
Doc Type: Bug Fix
Doc Text:
.`configure_firewalld_rate_limiting` now correctly rate-limits connections The `configure_firewalld_rate_limiting` rule, which protects the system from Denial of Service (DoS) attacks, previously configured the system to accept all traffic. With this update, the system correctly rate-limits connections after remediating this rule.
Clone Of:
Environment:
Last Closed: 2020-09-29 19:52:12 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:3909 0 None None None 2020-09-29 19:52:34 UTC

Description mcolombo 2018-07-26 18:05:29 UTC 
Description of problem:
The below section causes all incoming traffic to be accepted.

Location in https://static.open-scap.org/ssg-guides/ssg-rhel7-guide-index.html  (Profile: DISA STIG )

     firewalld > Strengthen the Default Ruleset > Configure firewalld To Rate Limit Connections



Configure firewalld To Rate Limit Connections:
==============================================

Configure firewalld To Rate Limit Connections   [ref]rule

Create a direct firewall rule to protect against DoS attacks with the following command:

$ sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m limit --limit 25/minute --limit-burst 100  -j ACCEPT

Rationale:

DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.

This requirement addresses the configuration of the operating system to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.


Version-Release number of selected component (if applicable):
Current version: 0.1.40


How reproducible:
Every time


Steps to Reproduce:
1.# firewall-cmd --set-default-zone=drop
2.# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m limit --limit 25/minute --limit-burst 100  -j ACCEPT
3.# firewall-cmd --reload


Actual results:
All traffic is accepted

Expected results:
Anything that is not explicitly open to be dropped

Additional info:

If the command is change to -j INPUT_ZONES in stead of -j ACCEPT the traffic is rate limited as expected and the packets are filtered by the zones as intended. 

     # firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m limit --limit 25/minute --limit-burst 100  -j INPUT_ZONES

[root@firewalld ~]# firewall-cmd --perm --set-default-zone=drop
[root@firewalld ~]# firewall-cmd --perm --add-service=ssh
[root@firewalld ~]# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m limit --limit 25/minute --limit-burst 100  -j INPUT_ZONES
[root@firewalld ~]firewall-cmd --reload
[root@firewalld ~]# nc -l 5255 &

[root@firewalld-client ~]# nc 10.12.214.19 5255
Ncat: Connection timed out.

[root@firewalld-client ~]# nc 10.12.214.19 22
SSH-2.0-OpenSSH_7.4

[root@firewalld ~]# iptables -vnxL 
----------------snip-------------------------
Chain INPUT_direct (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       9      540 INPUT_ZONES  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 25/min burst 100


Chain INPUT_ZONES (2 references)
    pkts      bytes target     prot opt in     out     source               destination         
     166    22758 IN_drop    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
       0        0 IN_drop    all  --  +      *       0.0.0.0/0            0.0.0.0/0     

Chain IN_drop (2 references)
    pkts      bytes target     prot opt in     out     source               destination         
     166    22758 IN_drop_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
     166    22758 IN_drop_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
     166    22758 IN_drop_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
     165    22698 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0  

Chain IN_drop_allow (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       1       60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW         




Chain INPUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 5842  412K IN_drop    all  --  ens192 *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_drop    all  --  +      *       0.0.0.0/0            0.0.0.0/0    

Chain IN_drop (2 references)
 pkts bytes target     prot opt in     out     source               destination         
 5842  412K IN_drop_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 5842  412K IN_drop_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 5842  412K IN_drop_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 1084  154K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Comment 2 Marek Haicman 2018-07-27 13:54:12 UTC 
Hello,
good catch, and I agree it's a problem. After further investigation, I would suggest to replace `-j ACCEPT` with `-j DROP` to follow the idea of the rule. (I.e. to help mitigate DoS attacks).

Little trouble is that what you found is issue in official DISA STIG for RHEL7. So it's nothing we can change easily (without having guidance differing from the offical). But we will reach out to DISA.
Comment 6 Marek Haicman 2018-07-27 16:07:56 UTC 
Ah, I realized now that limit works the other way around. So -j DROP is definitely not what we want :)
Comment 12 Matus Marhefka 2018-11-14 14:20:26 UTC 
Upstream issue: https://github.com/ComplianceAsCode/content/issues/3495
Comment 17 Watson Yuuma Sato 2019-08-15 17:36:45 UTC 
In STIG V2R3 rule RHEL-07-040510 has a different fixtext, that doesn't involve creating a firewall rule but uses sysctls for ratelimiting.

Fixtext:
Set the system to implement rate-limiting measures by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
net.ipv4.tcp_invalid_ratelimit = 500
Issue the following command to make the changes take 
# sysctl --system

linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/rule.yml should be updated to reflect that.
Comment 19 Vojtech Polasek 2020-02-04 12:31:55 UTC 
Fixed upstream in
https://github.com/ComplianceAsCode/content/pull/5126
Comment 36 errata-xmlrpc 2020-09-29 19:52:12 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3909
Note You need to log in before you can comment on or make changes to this bug.