RHEL-505

Allow RHEL8 firewalld 0.9.3 to accept established and related connections with reject/drop policies

    • Bug
    • Resolution: Done
    • rhel-8.9.0
    • firewalld
    • rhel-sst-networking-core
    • ssg_networking
    • Linux

      Description of problem:

      Allow RHEL8 firewalld 0.9.3 to accept established and related connections with reject/drop policies

      Version-Release number of selected component (if applicable):

      firewalld 0.9.3

      How reproducible:

      1) Apply the following policy:

      firewall-cmd --new-policy out --permanent
      firewall-cmd --set-target REJECT --policy out --permanent
      firewall-cmd --policy out --add-egress-zone ANY --permanent
      firewall-cmd --policy out --add-ingress-zone HOST --permanent

      2) Then try to connect from another machine via ssh; it should be blocked.

      The case notes show that the following line is missing on Red Hat 8:

      chain filter_OUTPUT {
        type filter hook output priority filter + 10; policy accept;
        ct state { established, related } accept   <<-------------------- this is missing in RHEL 8.0!!!!!!!
        oifname "lo" accept
        ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
        jump filter_OUTPUT_POLICIES_pre
        jump filter_OUTPUT_POLICIES_post
      }

      3) After inserting the line manually the problem is fixed, but the firewalld code needs to be modified so that the rule is placed there from the beginning.

      Temporary fix:

      # nft insert rule inet firewalld filter_OUTPUT 'ct state { established, related } accept'
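      The check below is an added example, not code from this issue or from firewalld: it reads the text of `nft list chain inet firewalld filter_OUTPUT`, reports whether the conntrack accept rule is present, and prints the temporary fix from this report when it is not (the rule is only inserted when APPLY=1 is set). The two chain dumps are constructed samples based on the ruleset quoted above.

```shell
#!/bin/sh
# Added example (not from the issue or from firewalld): detect whether the
# firewalld filter_OUTPUT chain contains the conntrack accept rule the report
# says is missing on RHEL 8, and show the temporary fix when it is absent.

CT_RULE='ct state { established, related } accept'

# Reads a chain dump on stdin; returns 0 if the rule is present, 1 if not.
# Whitespace is collapsed first so a rule wrapped across lines still matches.
has_ct_accept() {
    tr -s '[:space:]' ' ' | grep -Fq "$CT_RULE"
}

# $1: chain text. Prints a verdict. With APPLY=1 the rule is inserted at the
# top of the chain (the report's temporary fix); otherwise it is only printed.
ensure_ct_accept() {
    if printf '%s\n' "$1" | has_ct_accept; then
        echo "ok: filter_OUTPUT already accepts established/related traffic"
        return 0
    fi
    echo "missing: filter_OUTPUT has no '$CT_RULE'"
    echo "fix: nft insert rule inet firewalld filter_OUTPUT '$CT_RULE'"
    if [ "${APPLY:-0}" = 1 ]; then
        nft insert rule inet firewalld filter_OUTPUT "$CT_RULE"
    fi
    return 1
}

# Constructed sample: the chain as reported on RHEL 8 (rule absent).
rhel8_chain='chain filter_OUTPUT {
  type filter hook output priority filter + 10; policy accept;
  oifname "lo" accept
  jump filter_OUTPUT_POLICIES_pre
  jump filter_OUTPUT_POLICIES_post
}'

# Constructed sample: the same chain after the temporary fix was inserted.
fixed_chain='chain filter_OUTPUT {
  type filter hook output priority filter + 10; policy accept;
  ct state { established, related } accept
  oifname "lo" accept
  jump filter_OUTPUT_POLICIES_pre
  jump filter_OUTPUT_POLICIES_post
}'

# On a live host, pass the real chain instead of the samples:
#   ensure_ct_accept "$(nft list chain inet firewalld filter_OUTPUT)"
ensure_ct_accept "$rhel8_chain" || :
ensure_ct_accept "$fixed_chain" || :
```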

      Actual results:

      The server is blocked after applying the policy

      Expected results:

      • All outgoing traffic should be blocked except for the already established connections

      Additional info:

      We found the solution here

      https://github.com/firewalld/firewalld/pull/709/commits/4581f83ea51d55ec7929d8a81ff485918a10e34e

      On the case I left a note about the changes on the py scripts in order to fix the issue

      case: 03398728

              egarver Eric Garver
              rhn-support-rablanco Rangard Odin Blanco Prado
              qe-baseos-daemons