RHEL / RHEL-26522

podman-quadlet loads NAT rules that bypass firewall restrictions

    • Type: Bug
    • Resolution: Won't Do
    • Priority: Normal
    • Affects Version: rhel-9.2.0
    • Component: firewalld
    • Severity: Moderate
    • rhel-sst-networking-core
    • ssg_networking
    • Product: Red Hat Enterprise Linux
    • Architecture: x86_64
      What were you trying to do that didn't work?

      Trying to filter who has access to port 9100 as opened by the podman-quadlet unit file.

      How reproducible:

      Steps to reproduce

      1. install a system with podman quadlet and firewalld
      2. ensure firewalld is using the public zone for the network interfaces
      3. copy the attached unit file into /etc/containers/systemd/
      4. reboot system
      5. note port 9100 is not filtered out by the firewall

      Expected results

      port 9100 would be filtered out by the firewall

      Actual results

      the DNAT occurs before firewalld's rule set and as a result port 9100 is open to the world.

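The following script is an added example and is not the unit file attached to this report. It shows the difference a practitioner would check for: a rootful quadlet `PublishPort=9100:9100` makes netavark add a DNAT rule in the nat PREROUTING hook, which runs before the filter hook that holds firewalld's zone rules, so the port is reachable on every interface whatever the public zone says. Binding the published port to the loopback address instead (`PublishPort=127.0.0.1:9100:9100`) makes that DNAT rule match only packets addressed to 127.0.0.1, so remote clients never hit it. The unit path, unit name and image are assumptions for illustration; the nft check needs root and is only run when the script is invoked with `apply`.

```shell
#!/bin/bash
# Added example, not the report's attached unit: publish the container's
# port 9100 on loopback only so the netavark DNAT rule in the nat PREROUTING
# hook matches local traffic instead of every packet reaching the host.
# Unit path, unit name and image are assumptions for illustration.
set -eu

UNIT=/etc/containers/systemd/exporter.container   # hypothetical unit path
IMAGE=quay.io/example/exporter:latest              # hypothetical image
PORT=9100

# Print a quadlet unit. $1 is the host-address prefix for PublishPort:
# "" publishes on all addresses (the behaviour in the report),
# "127.0.0.1:" restricts the DNAT rule to packets addressed to loopback.
emit_quadlet() {
  local bind="${1:-}"
  cat <<EOF
[Unit]
Description=Example exporter on port ${PORT}

[Container]
Image=${IMAGE}
PublishPort=${bind}${PORT}:${PORT}

[Install]
WantedBy=multi-user.target
EOF
}

# Return 0 if the live ruleset holds a DNAT for $PORT that is not limited to
# a destination address, i.e. one that fires for traffic from any interface
# before firewalld's zone rules are consulted. Requires root and nftables.
dnat_open_to_all() {
  nft list ruleset \
    | grep -E "tcp dport ${PORT} .*dnat to" \
    | grep -qv 'ip daddr 127.0.0.1'
}

case "${1:-}" in
  apply)
    emit_quadlet "127.0.0.1:" > "$UNIT"
    systemctl daemon-reload
    systemctl restart exporter.service   # quadlet names the unit after the file
    if dnat_open_to_all; then
      echo "port ${PORT} is still DNATed for every destination" >&2
      exit 1
    fi
    echo "port ${PORT} is published on loopback only"
    firewall-cmd --zone=public --list-ports   # firewalld still does not list it
    ;;
esac
```

Run as `./publish-loopback.sh apply` on the host after placing the script there. Binding to 127.0.0.1 means only local clients (a reverse proxy, a scraper on the same host) can reach the exporter; binding to a specific interface address narrows the DNAT to that interface the same way. The bypass described in this report is the rootful netavark DNAT path; rootless containers publish ports through a userspace forwarder that listens on the host, and that listening socket is subject to firewalld's input filtering.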

      People: egarver (Eric Garver), rhn-support-npalanis (Nandhika Palanisamy), Eric Garver, qe-baseos-daemons
      Votes: 0
      Watchers: 7