What were you trying to do that didn't work?

I try to have a second firewalld zone besides public where ICMP would still work. The man firewall-cmd(1) says

       --permanent [--zone=zone] [--policy=policy] --set-target=target
           Set the target.

           For zones target is one of: default, ACCEPT, DROP, REJECT

           For policies target is one of: CONTINUE, ACCEPT, DROP, REJECT

           default is similar to REJECT, but it implicitly allows ICMP packets..

However, the machine seems to stop to respond to ICMP echo if there was a delay since the last one of about 180 seconds. When I stop firewalld, things start to work again, that's why I believe it is related to firewalld. When I ping from the machine with the firewalld to that interface, it unblocks ICMP from the other machine as well.

Please provide the package NVR for which bug is seen:

firewalld-1.2.5-2.el9_3.noarch

How reproducible:

Deterministic.

Steps to reproduce

We will use two RHEL 9.3 machines connected through a GRE tunnel. On one of the machines (ROUTER) we will set up firewalld and configure the traffic from the GRE tunnel to land in firewalld zone dmz. We will then ping ROUTER from SERVER through the tunnel. It will work until it will not.

1. On the SERVER machine:
   1. Set the ROUTER's hostname to ROUTER environment variable.
   2. dnf install -y bind-utils
   3. nmcli connection add type ip-tunnel ip-tunnel.mode gre con-name gre1 ifname gre1 local $( dig +short -t a $HOSTNAME | head -1 ) remote $( dig +short -t a $ROUTER | head -1 )
   4. nmcli connection modify gre1 ipv4.addresses 192.168.69.1 ipv4.method manual +ipv4.routes '192.168.69.2/32'
   5. nmcli connection up gre1
   6. Check that ip route shows that 192.168.69.2 is routed through the tunnel, output should be something like:

      # ip route
      default via 10.16.59.254 dev ens2 proto dhcp src 10.16.56.142 metric 100 
      10.16.56.0/22 dev ens2 proto kernel scope link src 10.16.56.142 metric 100 
      192.168.69.2 dev gre1 proto static scope link metric 675 
      

2. On the ROUTER machine:
   1. Set the SERVER's hostname to SERVER environment variable.
   2. dnf install -y firewalld bind-utils
   3. systemctl enable --now firewalld
   4. nmcli connection add type ip-tunnel ip-tunnel.mode gre con-name gre1 ifname gre1 local $( dig +short -t a $HOSTNAME | head -1 ) remote $( dig +short -t a $SERVER | head -1 )
   5. nmcli connection modify gre1 ipv4.addresses 192.168.69.2 ipv4.method manual +ipv4.routes '192.168.69.1/32' connection.zone dmz
   6. nmcli connection up gre1
   7. Check the dmz zone and that the route to 192.168.69.1 goes through the tunnel and that we can ping the SERVER machine on its tunelled IP address:

      # firewall-cmd --info-zone=dmz
      dmz (active)
        target: default
        icmp-block-inversion: no
        interfaces: gre1
        sources: 
        services: ssh
        ports: 
        protocols: 
        forward: yes
        masquerade: no
        forward-ports: 
        source-ports: 
        icmp-blocks: 
        rich rules: 
      # ip route
      default via 10.16.59.254 dev ens2 proto dhcp src 10.16.56.43 metric 100 
      10.16.56.0/22 dev ens2 proto kernel scope link src 10.16.56.43 metric 100 
      192.168.69.1 dev gre1 proto static scope link metric 675 
      # ping -c 1 192.168.69.1
      PING 192.168.69.1 (192.168.69.1) 56(84) bytes of data.
      64 bytes from 192.168.69.1: icmp_seq=1 ttl=64 time=0.508 ms
      --- 192.168.69.1 ping statistics ---
      1 packets transmitted, 1 received, 0% packet loss, time 0ms
      rtt min/avg/max/mdev = 0.508/0.508/0.508/0.000 ms
      

3. On the SERVER machine:
   1. Test that it's possible to ping the ROUTER on its tunelled IP:

      # ping -c 1 192.168.69.2
      PING 192.168.69.2 (192.168.69.2) 56(84) bytes of data.
      64 bytes from 192.168.69.2: icmp_seq=1 ttl=64 time=0.615 ms
      --- 192.168.69.2 ping statistics ---
      1 packets transmitted, 1 received, 0% packet loss, time 0ms
      rtt min/avg/max/mdev = 0.615/0.615/0.615/0.000 ms
      

   2. Add a wait between pings:

      # for i in 1 170 180 190 200 ; do ( set -x ; sleep $i ) ; ping -c 1 192.168.69.2 || break ; done
      

Expected results

The ping from SERVER to ROUTER through the tunnel (and thus via the dmz zone with target: default) continues to work.

Actual results

After a 180 or 190 second sleep, ping no longer works:

+ sleep 1
PING 192.168.69.2 (192.168.69.2) 56(84) bytes of data.
64 bytes from 192.168.69.2: icmp_seq=1 ttl=64 time=0.618 ms
--- 192.168.69.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.618/0.618/0.618/0.000 ms
+ sleep 170
PING 192.168.69.2 (192.168.69.2) 56(84) bytes of data.
64 bytes from 192.168.69.2: icmp_seq=1 ttl=64 time=0.752 ms
--- 192.168.69.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.752/0.752/0.752/0.000 ms
+ sleep 180
PING 192.168.69.2 (192.168.69.2) 56(84) bytes of data.
64 bytes from 192.168.69.2: icmp_seq=1 ttl=64 time=0.696 ms
--- 192.168.69.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.696/0.696/0.696/0.000 ms
+ sleep 190
PING 192.168.69.2 (192.168.69.2) 56(84) bytes of data.
--- 192.168.69.2 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms