Firewalld Blocking RELATED,ESTABLISHED Inbound Since Update

Issues related to configuring your network
jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Firewalld Blocking RELATED,ESTABLISHED Inbound Since Update

Post by jlehtone » 2020/05/02 08:44:46

amarand wrote:
2020/05/01 22:41:58
Is it possible that these two redundancies could be created by the firewalld system itself?
I'm now on a host that does not have the internal or external zone in use. There is no masquerade and no routing. Let's play:

Code:

$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0
$ sudo nft list ruleset > base
$ sudo firewall-cmd --zone=internal --add-source=192.168.0.0/32
$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0
$ sudo nft list ruleset > inter
$ sudo firewall-cmd --zone=external --add-source=192.168.1.0/32
$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
$ sudo nft list ruleset > both
First note: Activating zone 'external' immediately enables routing.

What did change? (I'll crop out unchanged parts.)
$ diff -y both base

Code:

table inet firewalld {						table inet firewalld {
	ct helper helper-netbios-ns-udp {		      <
		type "netbios-ns" protocol udp		      <
							      <
		l3proto ip				      <
	}						      <
							      <
	chain raw_PREROUTING_ZONES_SOURCE {				chain raw_PREROUTING_ZONES_SOURCE {
		ip saddr 192.168.1.0 goto raw_PRE_external    <
		ip saddr 192.168.0.0 goto raw_PRE_internal    <
	}								}

	chain mangle_PREROUTING_ZONES_SOURCE {				chain mangle_PREROUTING_ZONES_SOURCE {
		ip saddr 192.168.1.0 goto mangle_PRE_external <
		ip saddr 192.168.0.0 goto mangle_PRE_internal <
	}								}

	chain filter_INPUT_ZONES_SOURCE {				chain filter_INPUT_ZONES_SOURCE {
		ip saddr 192.168.1.0 goto filter_IN_external  <
		ip saddr 192.168.0.0 goto filter_IN_internal  <
	}								}

	chain filter_FORWARD_IN_ZONES_SOURCE {				chain filter_FORWARD_IN_ZONES_SOURCE {
		ip saddr 192.168.1.0 goto filter_FWDI_externa <
		ip saddr 192.168.0.0 goto filter_FWDI_interna <
	}								}

	chain filter_FORWARD_OUT_ZONES_SOURCE {				chain filter_FORWARD_OUT_ZONES_SOURCE {
		ip daddr 192.168.1.0 goto filter_FWDO_externa <
		ip daddr 192.168.0.0 goto filter_FWDO_interna <
	}								}

							      <
	chain raw_PRE_internal {			      <
		jump raw_PRE_internal_pre		      <
		jump raw_PRE_internal_log		      <
		jump raw_PRE_internal_deny		      <
		jump raw_PRE_internal_allow		      <
		jump raw_PRE_internal_post		      <
	}						      <
							      <
	chain raw_PRE_internal_pre {			      <
	}						      <
							      <
	chain raw_PRE_internal_log {			      <
	}						      <
							      <
	chain raw_PRE_internal_deny {			      <
	}						      <
							      <
	chain raw_PRE_internal_allow {			      <
	}						      <
							      <
	chain raw_PRE_internal_post {			      <
	}						      <
							      <
	chain filter_IN_internal {			      <
		jump filter_IN_internal_pre		      <
		jump filter_IN_internal_log		      <
		jump filter_IN_internal_deny		      <
		jump filter_IN_internal_allow		      <
		jump filter_IN_internal_post		      <
		meta l4proto { icmp, ipv6-icmp } accept	      <
	}						      <
							      <
	chain filter_IN_internal_pre {			      <
	}						      <
							      <
	chain filter_IN_internal_log {			      <
	}						      <
							      <
	chain filter_IN_internal_deny {			      <
	}						      <
							      <
	chain filter_IN_internal_allow {		      <
		tcp dport ssh ct state new,untracked accept   <
		ip daddr 224.0.0.251 udp dport mdns ct state  <
		ip6 daddr ff02::fb udp dport mdns ct state ne <
		udp dport netbios-ns ct helper set "helper-ne <
		udp dport netbios-ns ct state new,untracked a <
		udp dport netbios-dgm ct state new,untracked  <
		ip6 daddr fe80::/64 udp dport dhcpv6-client c <
		tcp dport 9090 ct state new,untracked accept  <
	}						      <
							      <
	chain filter_IN_internal_post {			      <
	}						      <
							      <
	chain filter_FWDI_internal {			      <
		jump filter_FWDI_internal_pre		      <
		jump filter_FWDI_internal_log		      <
		jump filter_FWDI_internal_deny		      <
		jump filter_FWDI_internal_allow		      <
		jump filter_FWDI_internal_post		      <
		meta l4proto { icmp, ipv6-icmp } accept	      <
	}						      <
							      <
	chain filter_FWDI_internal_pre {		      <
	}						      <
							      <
	chain filter_FWDI_internal_log {		      <
	}						      <
							      <
	chain filter_FWDI_internal_deny {		      <
	}						      <
							      <
	chain filter_FWDI_internal_allow {		      <
	}						      <
							      <
	chain filter_FWDI_internal_post {		      <
	}						      <
							      <
	chain mangle_PRE_internal {			      <
		jump mangle_PRE_internal_pre		      <
		jump mangle_PRE_internal_log		      <
		jump mangle_PRE_internal_deny		      <
		jump mangle_PRE_internal_allow		      <
		jump mangle_PRE_internal_post		      <
	}						      <
							      <
	chain mangle_PRE_internal_pre {			      <
	}						      <
							      <
	chain mangle_PRE_internal_log {			      <
	}						      <
							      <
	chain mangle_PRE_internal_deny {		      <
	}						      <
							      <
	chain mangle_PRE_internal_allow {		      <
	}						      <
							      <
	chain mangle_PRE_internal_post {		      <
	}						      <
							      <
	chain filter_FWDO_internal {			      <
		jump filter_FWDO_internal_pre		      <
		jump filter_FWDO_internal_log		      <
		jump filter_FWDO_internal_deny		      <
		jump filter_FWDO_internal_allow		      <
		jump filter_FWDO_internal_post		      <
	}						      <
							      <
	chain filter_FWDO_internal_pre {		      <
	}						      <
							      <
	chain filter_FWDO_internal_log {		      <
	}						      <
							      <
	chain filter_FWDO_internal_deny {		      <
	}						      <
							      <
	chain filter_FWDO_internal_allow {		      <
	}						      <
							      <
	chain filter_FWDO_internal_post {		      <
	}						      <
							      <
	chain raw_PRE_external {			      <
		jump raw_PRE_external_pre		      <
		jump raw_PRE_external_log		      <
		jump raw_PRE_external_deny		      <
		jump raw_PRE_external_allow		      <
		jump raw_PRE_external_post		      <
	}						      <
							      <
	chain raw_PRE_external_pre {			      <
	}						      <
							      <
	chain raw_PRE_external_log {			      <
	}						      <
							      <
	chain raw_PRE_external_deny {			      <
	}						      <
							      <
	chain raw_PRE_external_allow {			      <
	}						      <
							      <
	chain raw_PRE_external_post {			      <
	}						      <
							      <
	chain filter_IN_external {			      <
		jump filter_IN_external_pre		      <
		jump filter_IN_external_log		      <
		jump filter_IN_external_deny		      <
		jump filter_IN_external_allow		      <
		jump filter_IN_external_post		      <
		meta l4proto { icmp, ipv6-icmp } accept	      <
	}						      <
							      <
	chain filter_IN_external_pre {			      <
	}						      <
							      <
	chain filter_IN_external_log {			      <
	}						      <
							      <
	chain filter_IN_external_deny {			      <
	}						      <
							      <
	chain filter_IN_external_allow {		      <
		tcp dport ssh ct state new,untracked accept   <
	}						      <
							      <
	chain filter_IN_external_post {			      <
	}						      <
							      <
	chain filter_FWDO_external {			      <
		jump filter_FWDO_external_pre		      <
		jump filter_FWDO_external_log		      <
		jump filter_FWDO_external_deny		      <
		jump filter_FWDO_external_allow		      <
		jump filter_FWDO_external_post		      <
	}						      <
							      <
	chain filter_FWDO_external_pre {		      <
	}						      <
							      <
	chain filter_FWDO_external_log {		      <
	}						      <
							      <
	chain filter_FWDO_external_deny {		      <
	}						      <
							      <
	chain filter_FWDO_external_allow {		      <
		ct state new,untracked accept		      <
	}						      <
							      <
	chain filter_FWDO_external_post {		      <
	}						      <
							      <
	chain filter_FWDI_external {			      <
		jump filter_FWDI_external_pre		      <
		jump filter_FWDI_external_log		      <
		jump filter_FWDI_external_deny		      <
		jump filter_FWDI_external_allow		      <
		jump filter_FWDI_external_post		      <
		meta l4proto { icmp, ipv6-icmp } accept	      <
	}						      <
							      <
	chain filter_FWDI_external_pre {		      <
	}						      <
							      <
	chain filter_FWDI_external_log {		      <
	}						      <
							      <
	chain filter_FWDI_external_deny {		      <
	}						      <
							      <
	chain filter_FWDI_external_allow {		      <
	}						      <
							      <
	chain filter_FWDI_external_post {		      <
	}						      <
							      <
	chain mangle_PRE_external {			      <
		jump mangle_PRE_external_pre		      <
		jump mangle_PRE_external_log		      <
		jump mangle_PRE_external_deny		      <
		jump mangle_PRE_external_allow		      <
		jump mangle_PRE_external_post		      <
	}						      <
							      <
	chain mangle_PRE_external_pre {			      <
	}						      <
							      <
	chain mangle_PRE_external_log {			      <
	}						      <
							      <
	chain mangle_PRE_external_deny {		      <
	}						      <
							      <
	chain mangle_PRE_external_allow {		      <
	}						      <
							      <
	chain mangle_PRE_external_post {		      <
	}						      <
}								}

table ip firewalld {						table ip firewalld {
	chain nat_PREROUTING_ZONES_SOURCE {				chain nat_PREROUTING_ZONES_SOURCE {
		ip saddr 192.168.1.0 goto nat_PRE_external    <
		ip saddr 192.168.0.0 goto nat_PRE_internal    <
	}								}

	chain nat_POSTROUTING_ZONES_SOURCE {				chain nat_POSTROUTING_ZONES_SOURCE {
		ip daddr 192.168.1.0 goto nat_POST_external   <
		ip daddr 192.168.0.0 goto nat_POST_internal   <
	}								}
							      <
	chain nat_PRE_internal {			      <
		jump nat_PRE_internal_pre		      <
		jump nat_PRE_internal_log		      <
		jump nat_PRE_internal_deny		      <
		jump nat_PRE_internal_allow		      <
		jump nat_PRE_internal_post		      <
	}						      <
							      <
	chain nat_PRE_internal_pre {			      <
	}						      <
							      <
	chain nat_PRE_internal_log {			      <
	}						      <
							      <
	chain nat_PRE_internal_deny {			      <
	}						      <
							      <
	chain nat_PRE_internal_allow {			      <
	}						      <
							      <
	chain nat_PRE_internal_post {			      <
	}						      <
							      <
	chain nat_POST_internal {			      <
		jump nat_POST_internal_pre		      <
		jump nat_POST_internal_log		      <
		jump nat_POST_internal_deny		      <
		jump nat_POST_internal_allow		      <
		jump nat_POST_internal_post		      <
	}						      <
							      <
	chain nat_POST_internal_pre {			      <
	}						      <
							      <
	chain nat_POST_internal_log {			      <
	}						      <
							      <
	chain nat_POST_internal_deny {			      <
	}						      <
							      <
	chain nat_POST_internal_allow {			      <
	}						      <
							      <
	chain nat_POST_internal_post {			      <
	}						      <
							      <
	chain nat_POST_external {			      <
		jump nat_POST_external_pre		      <
		jump nat_POST_external_log		      <
		jump nat_POST_external_deny		      <
		jump nat_POST_external_allow		      <
		jump nat_POST_external_post		      <
	}						      <
							      <
	chain nat_POST_external_pre {			      <
	}						      <
							      <
	chain nat_POST_external_log {			      <
	}						      <
							      <
	chain nat_POST_external_deny {			      <
	}						      <
							      <
	chain nat_POST_external_allow {			      <
		oifname != "lo" masquerade		      <
	}						      <
							      <
	chain nat_POST_external_post {			      <
	}						      <
							      <
	chain nat_PRE_external {			      <
		jump nat_PRE_external_pre		      <
		jump nat_PRE_external_log		      <
		jump nat_PRE_external_deny		      <
		jump nat_PRE_external_allow		      <
		jump nat_PRE_external_post		      <
	}						      <
							      <
	chain nat_PRE_external_pre {			      <
	}						      <
							      <
	chain nat_PRE_external_log {			      <
	}						      <
							      <
	chain nat_PRE_external_deny {			      <
	}						      <
							      <
	chain nat_PRE_external_allow {			      <
	}						      <
							      <
	chain nat_PRE_external_post {			      <
	}						      <
}								}
1. Changes are in "table inet firewalld", "table ip firewalld", and "table ip6 firewalld".
I did crop the ip6 table as well, because while chains were added, they are not referenced. (IPv4 source does not affect IPv6 traffic.)

2. There is only one masquerade (for IPv4), in chain nat_POST_external_allow of table ip firewalld.
Therefore, firewalld does not create redundancies by itself. You must have created them with direct rules.

3. The effective FORWARD filter for outbound traffic is:

Code:

ct state established,related accept ##
ct status dnat accept
iifname "lo" accept
meta l4proto { icmp, ipv6-icmp } accept ##
ct state new,untracked accept ##
ct state invalid drop
reject with icmpx type admin-prohibited
4. The effective FORWARD filter for inbound traffic is:

Code:

ct state established,related accept ##
ct status dnat accept
iifname "lo" accept
meta l4proto { icmp, ipv6-icmp } accept ##
ct state invalid drop
reject with icmpx type admin-prohibited
5. The ports that the firewall allows are all about access to services on this CentOS host and not at all about routing through it. Do you really serve your LAN with all those services from this host that is also the router?

All that looks logical. What else have you done?

Direct rules are not in any zone, but can be listed (except some passthroughs):

Code:

sudo firewall-cmd --permanent --direct --get-all-chains
sudo firewall-cmd --permanent --direct --get-all-rules
sudo firewall-cmd --permanent --direct --get-all-passthroughs
I would remove all direct rules.

You have changed targets of zones:

Code:

external (active)
target: %%REJECT%%

internal (active)
target: ACCEPT
The novel and customized zone configs are stored in /etc/firewalld/zones/
You can make a backup of those. Then remove them and start from scratch, if needed. (I would.)

I would also first have "ssh http https imap imaps smtp smtps" on 'external' (and no rich rule). Then:

Code:

sudo firewall-cmd --permanent --new-zone-from-file=/etc/firewalld/zones/external.xml --name=friends
sudo firewall-cmd --permanent --zone=friends --add-source=205.166.94.0/24
sudo firewall-cmd --permanent --zone=external --remove-service=ssh
sudo firewall-cmd --reload
I do primarily read man firewall-cmd and observe with iptables/nft what my commands actually change.
Red Hat does describe the use of firewalld in RHEL online documentation, but that does not add much after man pages.

[edit] Realized that masquerade on a source-only zone might be bad. Hence:

Code:

sudo firewall-cmd --permanent --zone=friends --remove-masquerade
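
The question this post answers ("could firewalld itself create the two redundancies?") can also be checked mechanically. The script below is an added example, not code from the posts or from firewalld: it walks an `nft list ruleset` dump, records every base chain hooked into postrouting and every `masquerade` / `snat to` rule, and warns when one address family rewrites source addresses more than once. The ruleset embedded in it is constructed (trimmed from what the thread shows; the priority values and the script name are assumptions) so that it runs offline.

```python
"""Audit an `nft list ruleset` dump for duplicated source NAT.

Added example for this thread, not code from the posts or from firewalld.
The SAMPLE_RULESET is CONSTRUCTED (trimmed from what the thread shows; the
priority values are assumptions) so that the script runs offline.
On a real host:  sudo nft list ruleset | python3 nat_audit.py
"""
import re
import sys

SAMPLE_RULESET = """\
table ip nat {
        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
                ip saddr 192.168.1.0/24 oif "enp3s0" snat to 65.64.63.62
                masquerade
        }
}
table ip firewalld {
        chain nat_POSTROUTING {
                type nat hook postrouting priority 110; policy accept;
                jump nat_POSTROUTING_ZONES
        }
        chain nat_POST_external_allow {
                oifname != "lo" masquerade
        }
}
"""

TABLE_RE = re.compile(r"^table\s+(\S+)\s+(\S+)\s*\{$")
CHAIN_RE = re.compile(r"^chain\s+(\S+)\s*\{$")
HOOK_RE = re.compile(r"^type\s+(\S+)\s+hook\s+(\S+)\s+priority\s+(-?\d+)")
SNAT_RE = re.compile(r"\b(masquerade|snat\s+to)\b")


def parse_ruleset(text):
    """Return (rules, hooks).

    rules: every rule line tagged with the family/table/chain it sits in.
    hooks: every base chain declaration with its type, hook and priority.
    Nesting is tracked with a stack so `ct helper { ... }` and other
    non-chain blocks do not confuse the chain bookkeeping.
    """
    rules, hooks, stack = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            m = TABLE_RE.match(line)
            if m:
                stack.append(("table", m.group(1), m.group(2)))
            else:
                m = CHAIN_RE.match(line)
                stack.append(("chain", m.group(1)) if m else ("other", line))
            continue
        if line == "}":
            stack.pop()
            continue
        tables = [s for s in stack if s[0] == "table"]
        chains = [s for s in stack if s[0] == "chain"]
        if not tables or not chains or stack[-1][0] == "other":
            continue                      # text inside a non-chain block
        ctx = {"family": tables[-1][1], "table": tables[-1][2],
               "chain": chains[-1][1]}
        m = HOOK_RE.match(line)
        if m:
            hooks.append(dict(ctx, type=m.group(1), hook=m.group(2),
                              priority=int(m.group(3))))
        else:
            rules.append(dict(ctx, rule=line))
    return rules, hooks


def find_nat_rewrites(rules):
    """Rules that rewrite the source address (masquerade or explicit snat)."""
    return [r for r in rules if SNAT_RE.search(r["rule"])]


def redundancy_report(rules, hooks):
    """Warnings about source NAT being done more than once per family."""
    warnings = []
    by_family = {}
    for r in find_nat_rewrites(rules):
        by_family.setdefault(r["family"], []).append(r)
    for fam, rs in sorted(by_family.items()):
        if len(rs) > 1:
            where = ", ".join(f"{r['table']}/{r['chain']}" for r in rs)
            warnings.append(f"{fam}: {len(rs)} source-NAT rules ({where}); "
                            "one per egress path is enough")
    post = sorted((h for h in hooks
                   if h["type"] == "nat" and h["hook"] == "postrouting"),
                  key=lambda h: h["priority"])
    if len(post) > 1:
        order = " -> ".join(f"{h['table']}({h['priority']})" for h in post)
        warnings.append(f"{len(post)} postrouting nat base chains ({order}); "
                        "a NAT binding is created once per connection, so "
                        "the lowest-priority chain that matches decides")
    return warnings


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RULESET
    rules, hooks = parse_ruleset(text)
    for r in find_nat_rewrites(rules):
        print(f"{r['family']} {r['table']} {r['chain']}: {r['rule']}")
    for w in redundancy_report(rules, hooks):
        print("WARNING:", w)
```

Run it against `sudo nft list ruleset` before and after a `firewall-cmd` change, as in the `diff -y` exercise above: a single `masquerade` living under `table ip firewalld` is what firewalld itself produces; anything extra under another table is something that was added by hand or by a direct rule.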

amarand
Posts: 38
Joined: 2006/09/12 19:09:07
Location: Columbus, Ohio, USA

Re: Firewalld Blocking RELATED,ESTABLISHED Inbound Since Update

Post by amarand » 2020/05/02 12:20:16

jlehtone wrote:
2020/05/02 08:44:46
I'm now on a host that does not have the internal or external zone in use. There is no masquerade and no routing. Let's play:

Code:

$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0
$ sudo nft list ruleset > base
$ sudo firewall-cmd --zone=internal --add-source=192.168.0.0/32
$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0
$ sudo nft list ruleset > inter
$ sudo firewall-cmd --zone=external --add-source=192.168.1.0/32
$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
$ sudo nft list ruleset > both
First note: Activating zone 'external' immediately enables routing.
I noticed that, in your example, you have internal with an add-source of 192.168.0.0 with a CIDR of 32, which is a single address? Same with external.

So in my example, would I be using: --add-source=192.168.1.0/24 (to cover the internal class-C?)
Also, in my example, I have an "external" network that consists of the Internet, but the --add-source line would be the following?

--add-source=65.64.63.62/32 (the public, statically-assigned IP address of the server on the outside?)

I do realize that your code was more of a "start from scratch and play to see what changes." Which is cool.

On my end, I'm trying to think of the safest way to configure my system in advance, with all of the commands laid out in a Notepad++ window, each command explained (with my own notes), so that when it's time to start from scratch, there's only a minute or two where I'm potentially exposed/broken, if that makes any sense?

Okay, so, a few questions about your sections/questions:

5a) Internal ports: You're right, I went in, one night, when I was frustrated with how return packets were being blocked, and just went down the list in firewall-config and enabled all of the ports. I didn't realize enabling these ports was simply allowing traffic TO the server, not THROUGH the server. So that was my mistake. I actually thought I'd reverted the firewall directory to my backup directory, then re-loaded the firewall, but...I guess that didn't happen?

5b) I really don't know what a "direct rule" is. I should probably go read about them. But to the best of my knowledge, I didn't add them directly. I wonder if some process of converting from the CentOS 7 firewall system to the CentOS 8 firewall system carried over some artifacts?

5c) I do like the idea of backing up the /etc/firewalld directory (already done, multiple times, with different dates and notes, which I created after shutting down firewalld, making a tar-to-tar backup, and then restarting firewalld), erasing everything and starting from scratch. Is the best way of "starting from scratch" just removing everything in /etc/firewalld, and then running the basic set of commands you outlined in your post?

Ahh, yes, the "friend-zone." So if we have a zone called external (which we should, if we're doing a NAT'd firewall/router situation), and we allow sshd, everyone on the outside can access the sshd port on the server, which is not the desired behavior. But if I remove sshd from external, and then create a zone called friends (copied from external), and then add the source class-C shown, I can then add the service to friends? That will allow sshd only from the friends network?

Also, I noticed that you removed masquerade from friends in the end. Is that based on the fact that you copied friends from external, and external had masquerade enabled? Ahh yes, that makes sense, because the external -should- have masquerade enabled in a NAT'd environment, but the zone friends should not, so we remove that.

So many questions, sorry, but I can say that I like the idea of starting clean, and the router/firewall is working well enough right now that I can take a little time to plan the commands I want to run, put them in a text editor window on the server itself, so I can just run the commands from there, just in case fiddling with firewalld/nat/masquerade throws my SSH connection off.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Firewalld Blocking RELATED,ESTABLISHED Inbound Since Update

Post by jlehtone » 2020/05/02 14:34:45

amarand wrote:
2020/05/02 12:20:16
I noticed that, in your example, you have internal with an add-source of 192.168.0.0 with a CIDR of 32, which is a single address? Same with external.

So in my example, would I be using: --add-source=192.168.1.0/24 (to cover the internal class-C?)
Also, in my example, I have an "external" network that consists of the Internet, but the -add-source line would be the following?

--add-source=65.64.63.62/32 (the public, statically-assigned IP address of the server on the outside?)

I do realize that your code was more of a "start from scratch and play to see what changes." Which is cool.
I did use '--add-source', because I don't have extra interfaces to play with. I did use bogus single addresses that I know my machine will not encounter. Safe play is important.

You have interfaces for both 'internal' and 'external'. No need to use '--add-source' there.
I do recommend '--zone=friends --add-source=205.166.94.0/24' to direct traffic that comes from 205.166.94.0/24 through zone "friends" that allows ssh (and other services).
amarand wrote:
2020/05/02 12:20:16
On my end, I'm trying to think of the safest way to configure my system in advance, with all of the commands laid out in a Notepad++ window, each command explained (with my own notes), so that when it's time to start from scratch, there's only a minute or two where I'm potentially exposed/broken, if that makes any sense?
Yes. Note though that firewalld has "active" and "stored" configuration.
By default, you update the active config that is only in memory.
With option "--permanent" the commands change the stored config that is in files.
'firewall-cmd --reload' loads active from stored more or less atomically. There is also '--runtime-to-permanent' to write active to stored.

Many commands that update the active config have the option '--timeout=timeval'. With it you can add a rule that is removed after timeval. That allows adding potentially blocking rules. If the rule indeed blocks you out (not intended), then you can log back in after the timeout. If the rule does not block, then you dare to make it more permanent.
amarand wrote:
2020/05/02 12:20:16
5b) I really don't know what a "direct rule" is. I should probably go read about them. But to the best of my knowledge, I didn't add them directly. I wonder if some process of converting from the CentOS 7 firewall system to the CentOS 8 firewall system carried over some artifacts?
The firewall-cmd commands that have option '--direct' are "direct rules".
man firewall-cmd has section "Direct Options".
amarand wrote:
2020/05/02 12:20:16
5c) I do like the idea of backing up the /etc/firewalld directory (already done, multiple times, with different dates and notes, which I created after shutting down firewalld, making a tar-to-tar backup, and then restarting firewalld), erasing everything and starting from scratch. Is the best way of "starting from scratch" just removing everything in /etc/firewalld, and then running the basic set of commands you outlined in your post?
amarand wrote:
2020/05/02 12:20:16
Ahh, yes, the "friend-zone." So if we have a zone called external (which we should, if we're doing a NAT'd firewall/router situation), and we allow sshd, everyone on the outside can access the sshd port on the server, which is not the desired behavior. But if I remove sshd from external, and then create a zone called friends (copied from external), and then add the source class-C shown, I can then add the service to friends? That will allow sshd only from the friends network?
Note: classes are out of fashion. You can use classless prefixes.
The thing is that for INPUT, the logic should/will be:

Code:

IF a reply THEN allow
ELSE
    IF from 205.166.94.0/24 THEN use rules of friends (that allow ssh)
    ELSE IF iifname is enp3s0 THEN use rules of external
    ELSE IF iifname is enp2s0 THEN use rules of internal (that allow ssh)
    ELSE use rules of public (nothing should hit this default)
The source has higher priority. If packet is from 205.166.94.0/24, then we completely ignore which interface it came from.
However, from network layout we know that those packets do come from enp3s0.
Therefore, for packets that come from "outside", the logic is:

Code:

IF from 205.166.94.0/24 THEN use rules of friends
ELSE use rules of external
amarand wrote:
2020/05/02 12:20:16
Also, I noticed that you removed masquerade from friends in the end. Is that based on the fact that you copied friends from external, and external had masquerade enabled? Ahh yes, that makes sense, because the external -should- have masquerade enabled in a NAT'd environment, but the zone friends should not, so we remove that.
Frankly, I'm not sure whether 'friends' should have masquerade or not. Masquerade (aka SNAT) is meaningful only for routed traffic, i.e. when a client in 192.168.1.0/24 connects to someone in 205.166.94.0/24, then this router should rewrite the source to 65.64.63.62 so that the fellow in 205.166.94.0/24 knows to send the reply back to this router.
If that fellow does 'ssh 65.64.63.62', then this host does send replies with source 65.64.63.62 by default.
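
The INPUT decision order described in this post (replies first, then the zone chosen by source before interface, then that zone's services) can be written out as a small model. This is an added example, not code from the posts or from firewalld: the zone table is constructed from the layout discussed (enp3s0 = external, enp2s0 = internal, 205.166.94.0/24 = friends, ssh removed from external and kept in friends and internal), the service-to-port map is an assumed subset of firewalld's service definitions, and only traffic to the router itself is modelled, not FORWARD.

```python
"""Model firewalld's INPUT decision order for a router with a 'friends' zone.

Added example for this thread, not code from the posts or from firewalld.
The zone table is CONSTRUCTED from the layout discussed; adapt it to your
host. Only INPUT (traffic to the router itself) is modelled, not FORWARD.
"""
import ipaddress

# Assumed service-to-port map (subset of firewalld's service definitions).
SERVICE_PORTS = {
    "ssh": ("tcp", 22), "http": ("tcp", 80), "https": ("tcp", 443),
    "smtp": ("tcp", 25), "smtps": ("tcp", 465),
    "imap": ("tcp", 143), "imaps": ("tcp", 993), "cockpit": ("tcp", 9090),
}

# Constructed zone configuration after the suggested cleanup:
# ssh removed from 'external', present only in 'friends' and 'internal'.
ZONES = {
    "friends":  {"sources": ["205.166.94.0/24"], "interfaces": [],
                 "services": {"ssh", "http", "https", "imap", "imaps",
                              "smtp", "smtps"},
                 "target": "default"},
    "external": {"sources": [], "interfaces": ["enp3s0"],
                 "services": {"http", "https", "imap", "imaps",
                              "smtp", "smtps"},
                 "target": "default"},
    "internal": {"sources": [], "interfaces": ["enp2s0"],
                 "services": {"ssh", "cockpit"}, "target": "default"},
    "public":   {"sources": [], "interfaces": [], "services": set(),
                 "target": "default"},
}
DEFAULT_ZONE = "public"


def select_zone(zones, default_zone, saddr, iifname):
    """Source-bound zones win over interface-bound ones; then the default."""
    ip = ipaddress.ip_address(saddr)
    for name, z in zones.items():
        if any(ip in ipaddress.ip_network(net) for net in z["sources"]):
            return name
    for name, z in zones.items():
        if iifname in z["interfaces"]:
            return name
    return default_zone


def decide_input(zones, default_zone, pkt):
    """Return (verdict, zone) for a packet destined to the router itself.

    pkt: dict with saddr, iifname, proto, dport, ct_state.
    """
    if pkt["ct_state"] in ("established", "related"):
        return "accept", None          # replies are accepted before zones
    zone = select_zone(zones, default_zone, pkt["saddr"], pkt["iifname"])
    z = zones[zone]
    allowed = {SERVICE_PORTS[s] for s in z["services"] if s in SERVICE_PORTS}
    if (pkt["proto"], pkt["dport"]) in allowed:
        return "accept", zone
    # Fall through to the zone target; firewalld's 'default' ends in reject.
    target = z["target"]
    if target == "ACCEPT":
        return "accept", zone
    if target == "DROP":
        return "drop", zone
    return "reject", zone


def new_tcp(saddr, iifname, dport):
    """Constructed first packet of a TCP connection (ct state new)."""
    return {"saddr": saddr, "iifname": iifname, "proto": "tcp",
            "dport": dport, "ct_state": "new"}


if __name__ == "__main__":
    for p in (new_tcp("205.166.94.10", "enp3s0", 22),
              new_tcp("8.8.8.8", "enp3s0", 22),
              new_tcp("8.8.8.8", "enp3s0", 443),
              new_tcp("192.168.1.5", "enp2s0", 22)):
        print(p["saddr"], p["dport"], decide_input(ZONES, DEFAULT_ZONE, p))
```

The point to take from the model is the one made above: a packet from 205.166.94.0/24 lands in 'friends' regardless of the interface it arrived on, so removing ssh from 'external' does not cut off the friends network, while an ssh attempt from any other Internet address falls through to 'external' and is rejected.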

kauer
Posts: 16
Joined: 2020/05/03 07:47:30

Re: Firewalld Blocking RELATED,ESTABLISHED Inbound Since Update

Post by kauer » 2020/05/03 13:32:15

Oh man, I feel your pain :-)

On the up side, this thread has been really helpful, my thanks to all contributors!

Maybe someone could confirm or deny this: Is it not possible to simply install iptables (the real iptables) and go back to the good old days?

Regards, K.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Firewalld Blocking RELATED,ESTABLISHED Inbound Since Update

Post by TrevorH » 2020/05/03 13:37:50

The only iptables in CentOS/RHEL 8 is the wrapper round nftables. If you don't install firewalld at all and install the iptables/iptables-services/iptables-libs packages then it's possible to set it up so it looks like iptables but isn't. Some of that emulation is not complete so if you attempt complex things, it may not work the same way as real iptables (or even at all).
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

amarand
Posts: 38
Joined: 2006/09/12 19:09:07
Location: Columbus, Ohio, USA

Re: Firewalld Blocking RELATED,ESTABLISHED Inbound Since Update

Post by amarand » 2020/05/03 15:52:04

jlehtone wrote:
2020/05/02 14:34:45
You have interfaces for both 'internal' and 'external. No need to use '--add-source' there.
I do recommend '--zone=friends --add-source=205.166.94.0/24' to direct traffic that comes from 205.166.94.0/24 through zone "friends" that allows ssh (and other services).
Okay, so, this morning, I just got up and started.

After making sure I had a full backup of the /etc/firewalld directory, I uninstalled firewalld, then removed that directory.

I then installed firewalld from scratch (using dnf install firewalld).

I ran the following commands:

Code:

nft add table nat
nft add chain nat postrouting { type nat hook postrouting priority 100 \; }
nft add rule nat postrouting ip saddr 192.168.1.0/24 oif enp3s0 snat 65.64.63.62

firewall-cmd --get-active-zones
  external
    interfaces: enp3s0
  internal
    interfaces: enp2s0

firewall-cmd --list-all --zone=external
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp3s0
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

firewall-cmd --list-all --zone=internal
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp2s0
  sources:
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

sysctl net.ipv4.ip_forward
  net.ipv4.ip_forward = 1
Did a restart of the system itself. Both the nftables and firewalld services are running:

Code:

systemctl status nftables
● nftables.service - Netfilter Tables
   Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; vendor preset: disabled)
   Active: active (exited) since Sun 2020-05-03 11:16:20 EDT; 19min ago
     Docs: man:nft(8)
 Main PID: 1820 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 26213)
   Memory: 0B
   CGroup: /system.slice/nftables.service

May 03 11:16:20 home systemd[1]: Starting Netfilter Tables...
May 03 11:16:20 home systemd[1]: Started Netfilter Tables.
systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2020-05-03 11:22:55 EDT; 12min ago
     Docs: man:firewalld(1)
 Main PID: 10786 (firewalld)
    Tasks: 2 (limit: 26213)
   Memory: 29.3M
   CGroup: /system.slice/firewalld.service
           └─10786 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid

May 03 11:22:54 home systemd[1]: Starting firewalld - dynamic firewall daemon...
May 03 11:22:55 home systemd[1]: Started firewalld - dynamic firewall daemon.
I have my nftables firewall configured the way we discussed, I think?

Code:

nft list ruleset
table bridge filter {
        chain input {
                type filter hook input priority -200; policy accept;
        }

        chain forward {
                type filter hook forward priority -200; policy accept;
        }

        chain output {
                type filter hook output priority 200; policy accept;
        }

        chain INPUT {
                type filter hook input priority -200; policy accept;
        }

        chain FORWARD {
                type filter hook forward priority -200; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority -200; policy accept;
        }
}
table inet filter {
        chain input {
                type filter hook input priority 0; policy accept;
        }

        chain forward {
                type filter hook forward priority 0; policy accept;
        }

        chain output {
                type filter hook output priority 0; policy accept;
        }
}
table ip filter {
        chain input {
                type filter hook input priority 0; policy accept;
        }

        chain forward {
                type filter hook forward priority 0; policy accept;
        }

        chain output {
                type filter hook output priority 0; policy accept;
        }
}
table ip mangle {
        chain output {
                type route hook output priority -150; policy accept;
        }
}
table ip nat {
        chain prerouting {
                type nat hook prerouting priority -100; policy accept;
        }

        chain input {
                type nat hook input priority 100; policy accept;
        }

        chain output {
                type nat hook output priority -100; policy accept;
        }

        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
                ip saddr 192.168.1.0/24 oif "enp3s0" snat to 65.64.63.62
                masquerade
        }
}
table ip6 filter {
        chain input {
                type filter hook input priority 0; policy accept;
        }

        chain forward {
                type filter hook forward priority 0; policy accept;
        }

        chain output {
                type filter hook output priority 0; policy accept;
        }
}
table ip6 mangle {
        chain output {
                type route hook output priority -150; policy accept;
        }
}
table ip6 nat {
        chain prerouting {
                type nat hook prerouting priority -100; policy accept;
        }

        chain input {
                type nat hook input priority 100; policy accept;
        }

        chain output {
                type nat hook output priority -100; policy accept;
        }

        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
        }
}
table ip security {
        chain INPUT {
                type filter hook input priority 150; policy accept;
        }

        chain FORWARD {
                type filter hook forward priority 150; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority 150; policy accept;
        }
}
table ip raw {
        chain PREROUTING {
                type filter hook prerouting priority -300; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority -300; policy accept;
        }
}
table ip6 security {
        chain INPUT {
                type filter hook input priority 150; policy accept;
        }

        chain FORWARD {
                type filter hook forward priority 150; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority 150; policy accept;
        }
}
table ip6 raw {
        chain PREROUTING {
                type filter hook prerouting priority -300; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority -300; policy accept;
        }
}
table bridge nat {
        chain PREROUTING {
                type filter hook prerouting priority -300; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority 100; policy accept;
        }

        chain POSTROUTING {
                type filter hook postrouting priority 300; policy accept;
        }
}
table inet firewalld {
        ct helper helper-netbios-ns-udp {
                type "netbios-ns" protocol udp

                l3proto ip
        }

        chain raw_PREROUTING {
                type filter hook prerouting priority -290; policy accept;
                icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
                meta nfproto ipv6 fib saddr . iif oif missing log prefix "rpfilter_DROP: " drop
                jump raw_PREROUTING_ZONES
        }

        chain raw_PREROUTING_ZONES {
                iifname "enp3s0" goto raw_PRE_external
                iifname "enp2s0" goto raw_PRE_internal
                goto raw_PRE_public
        }

        chain mangle_PREROUTING {
                type filter hook prerouting priority -140; policy accept;
                jump mangle_PREROUTING_ZONES
        }

        chain mangle_PREROUTING_ZONES {
                iifname "enp3s0" goto mangle_PRE_external
                iifname "enp2s0" goto mangle_PRE_internal
                goto mangle_PRE_public
        }

        chain filter_INPUT {
                type filter hook input priority 10; policy accept;
                ct state established,related accept
                ct status dnat accept
                iifname "lo" accept
                jump filter_INPUT_ZONES
                ct state invalid log prefix "STATE_INVALID_DROP: "
                ct state invalid drop
                log prefix "FINAL_REJECT: "
                reject with icmpx type admin-prohibited
        }

        chain filter_FORWARD {
                type filter hook forward priority 10; policy accept;
                ct state established,related accept
                ct status dnat accept
                iifname "lo" accept
                ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } log prefix "RFC3964_IPv4_REJECT: " reject with icmpv6 type addr-unreachable
                jump filter_FORWARD_IN_ZONES
                jump filter_FORWARD_OUT_ZONES
                ct state invalid log prefix "STATE_INVALID_DROP: "
                ct state invalid drop
                log prefix "FINAL_REJECT: "
                reject with icmpx type admin-prohibited
        }

        chain filter_OUTPUT {
                type filter hook output priority 10; policy accept;
                oifname "lo" accept
                ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } log prefix "RFC3964_IPv4_REJECT: " reject with icmpv6 type addr-unreachable
        }

        chain filter_INPUT_ZONES {
                iifname "enp3s0" goto filter_IN_external
                iifname "enp2s0" goto filter_IN_internal
                goto filter_IN_public
        }

        chain filter_FORWARD_IN_ZONES {
                iifname "enp3s0" goto filter_FWDI_external
                iifname "enp2s0" goto filter_FWDI_internal
                goto filter_FWDI_public
        }

        chain filter_FORWARD_OUT_ZONES {
                oifname "enp3s0" goto filter_FWDO_external
                oifname "enp2s0" goto filter_FWDO_internal
                goto filter_FWDO_public
        }

        chain raw_PRE_public {
                jump raw_PRE_public_pre
                jump raw_PRE_public_log
                jump raw_PRE_public_deny
                jump raw_PRE_public_allow
                jump raw_PRE_public_post
        }

        chain raw_PRE_public_pre {
        }

        chain raw_PRE_public_log {
        }

        chain raw_PRE_public_deny {
        }

        chain raw_PRE_public_allow {
        }

        chain raw_PRE_public_post {
        }

        chain filter_IN_public {
                jump filter_IN_public_pre
                jump filter_IN_public_log
                jump filter_IN_public_deny
                jump filter_IN_public_allow
                jump filter_IN_public_post
                meta l4proto { icmp, ipv6-icmp } accept
        }

        chain filter_IN_public_pre {
        }

        chain filter_IN_public_log {
        }

        chain filter_IN_public_deny {
        }

        chain filter_IN_public_allow {
                tcp dport ssh ct state new,untracked accept
                ip6 daddr fe80::/64 udp dport dhcpv6-client ct state new,untracked accept
                tcp dport 9090 ct state new,untracked accept
        }

        chain filter_IN_public_post {
        }

        chain filter_FWDI_public {
                jump filter_FWDI_public_pre
                jump filter_FWDI_public_log
                jump filter_FWDI_public_deny
                jump filter_FWDI_public_allow
                jump filter_FWDI_public_post
                meta l4proto { icmp, ipv6-icmp } accept
        }

        chain filter_FWDI_public_pre {
        }

        chain filter_FWDI_public_log {
        }

        chain filter_FWDI_public_deny {
        }

        chain filter_FWDI_public_allow {
        }

        chain filter_FWDI_public_post {
        }

        chain mangle_PRE_public {
                jump mangle_PRE_public_pre
                jump mangle_PRE_public_log
                jump mangle_PRE_public_deny
                jump mangle_PRE_public_allow
                jump mangle_PRE_public_post
        }

        chain mangle_PRE_public_pre {
        }

        chain mangle_PRE_public_log {
        }

        chain mangle_PRE_public_deny {
        }

        chain mangle_PRE_public_allow {
        }

        chain mangle_PRE_public_post {
        }

        chain filter_FWDO_public {
                jump filter_FWDO_public_pre
                jump filter_FWDO_public_log
                jump filter_FWDO_public_deny
                jump filter_FWDO_public_allow
                jump filter_FWDO_public_post
        }

        chain filter_FWDO_public_pre {
        }

        chain filter_FWDO_public_log {
        }

        chain filter_FWDO_public_deny {
        }

        chain filter_FWDO_public_allow {
        }

        chain filter_FWDO_public_post {
        }

        chain raw_PRE_internal {
                jump raw_PRE_internal_pre
                jump raw_PRE_internal_log
                jump raw_PRE_internal_deny
                jump raw_PRE_internal_allow
                jump raw_PRE_internal_post
        }

        chain raw_PRE_internal_pre {
        }

        chain raw_PRE_internal_log {
        }

        chain raw_PRE_internal_deny {
        }

        chain raw_PRE_internal_allow {
        }

        chain raw_PRE_internal_post {
        }

        chain filter_IN_internal {
                jump filter_IN_internal_pre
                jump filter_IN_internal_log
                jump filter_IN_internal_deny
                jump filter_IN_internal_allow
                jump filter_IN_internal_post
                meta l4proto { icmp, ipv6-icmp } accept
        }

        chain filter_IN_internal_pre {
        }

        chain filter_IN_internal_log {
        }

        chain filter_IN_internal_deny {
        }

        chain filter_IN_internal_allow {
                tcp dport ssh ct state new,untracked accept
                ip daddr 224.0.0.251 udp dport mdns ct state new,untracked accept
                ip6 daddr ff02::fb udp dport mdns ct state new,untracked accept
                udp dport netbios-ns ct helper set "helper-netbios-ns-udp"
                udp dport netbios-ns ct state new,untracked accept
                udp dport netbios-dgm ct state new,untracked accept
                ip6 daddr fe80::/64 udp dport dhcpv6-client ct state new,untracked accept
                tcp dport 9090 ct state new,untracked accept
        }

        chain filter_IN_internal_post {
        }

        chain filter_FWDI_internal {
                jump filter_FWDI_internal_pre
                jump filter_FWDI_internal_log
                jump filter_FWDI_internal_deny
                jump filter_FWDI_internal_allow
                jump filter_FWDI_internal_post
                meta l4proto { icmp, ipv6-icmp } accept
        }

        chain filter_FWDI_internal_pre {
        }

        chain filter_FWDI_internal_log {
        }

        chain filter_FWDI_internal_deny {
        }

        chain filter_FWDI_internal_allow {
        }

        chain filter_FWDI_internal_post {
        }

        chain mangle_PRE_internal {
                jump mangle_PRE_internal_pre
                jump mangle_PRE_internal_log
                jump mangle_PRE_internal_deny
                jump mangle_PRE_internal_allow
                jump mangle_PRE_internal_post
        }

        chain mangle_PRE_internal_pre {
        }

        chain mangle_PRE_internal_log {
        }

        chain mangle_PRE_internal_deny {
        }

        chain mangle_PRE_internal_allow {
        }

        chain mangle_PRE_internal_post {
        }

        chain filter_FWDO_internal {
                jump filter_FWDO_internal_pre
                jump filter_FWDO_internal_log
                jump filter_FWDO_internal_deny
                jump filter_FWDO_internal_allow
                jump filter_FWDO_internal_post
        }

        chain filter_FWDO_internal_pre {
        }

        chain filter_FWDO_internal_log {
        }

        chain filter_FWDO_internal_deny {
        }

        chain filter_FWDO_internal_allow {
        }

        chain filter_FWDO_internal_post {
        }

        chain raw_PRE_external {
                jump raw_PRE_external_pre
                jump raw_PRE_external_log
                jump raw_PRE_external_deny
                jump raw_PRE_external_allow
                jump raw_PRE_external_post
        }

        chain raw_PRE_external_pre {
        }

        chain raw_PRE_external_log {
        }

        chain raw_PRE_external_deny {
        }

        chain raw_PRE_external_allow {
        }

        chain raw_PRE_external_post {
        }

        chain filter_IN_external {
                jump filter_IN_external_pre
                jump filter_IN_external_log
                jump filter_IN_external_deny
                jump filter_IN_external_allow
                jump filter_IN_external_post
                meta l4proto { icmp, ipv6-icmp } accept
        }

        chain filter_IN_external_pre {
        }

        chain filter_IN_external_log {
        }

        chain filter_IN_external_deny {
        }

        chain filter_IN_external_allow {
                tcp dport ssh ct state new,untracked accept
        }

        chain filter_IN_external_post {
        }

        chain filter_FWDO_external {
                jump filter_FWDO_external_pre
                jump filter_FWDO_external_log
                jump filter_FWDO_external_deny
                jump filter_FWDO_external_allow
                jump filter_FWDO_external_post
        }

        chain filter_FWDO_external_pre {
        }

        chain filter_FWDO_external_log {
        }

        chain filter_FWDO_external_deny {
        }

        chain filter_FWDO_external_allow {
                ct state new,untracked accept
        }

        chain filter_FWDO_external_post {
        }

        chain filter_FWDI_external {
                jump filter_FWDI_external_pre
                jump filter_FWDI_external_log
                jump filter_FWDI_external_deny
                jump filter_FWDI_external_allow
                jump filter_FWDI_external_post
                meta l4proto { icmp, ipv6-icmp } accept
        }

        chain filter_FWDI_external_pre {
        }

        chain filter_FWDI_external_log {
        }

        chain filter_FWDI_external_deny {
        }

        chain filter_FWDI_external_allow {
        }

        chain filter_FWDI_external_post {
        }

        chain mangle_PRE_external {
                jump mangle_PRE_external_pre
                jump mangle_PRE_external_log
                jump mangle_PRE_external_deny
                jump mangle_PRE_external_allow
                jump mangle_PRE_external_post
        }

        chain mangle_PRE_external_pre {
        }

        chain mangle_PRE_external_log {
        }

        chain mangle_PRE_external_deny {
        }

        chain mangle_PRE_external_allow {
        }

        chain mangle_PRE_external_post {
        }
}
table ip firewalld {
        chain nat_PREROUTING {
                type nat hook prerouting priority -90; policy accept;
                jump nat_PREROUTING_ZONES
        }

        chain nat_PREROUTING_ZONES {
                iifname "enp3s0" goto nat_PRE_external
                iifname "enp2s0" goto nat_PRE_internal
                goto nat_PRE_public
        }

        chain nat_POSTROUTING {
                type nat hook postrouting priority 110; policy accept;
                jump nat_POSTROUTING_ZONES
        }

        chain nat_POSTROUTING_ZONES {
                oifname "enp3s0" goto nat_POST_external
                oifname "enp2s0" goto nat_POST_internal
                goto nat_POST_public
        }

        chain nat_PRE_public {
                jump nat_PRE_public_pre
                jump nat_PRE_public_log
                jump nat_PRE_public_deny
                jump nat_PRE_public_allow
                jump nat_PRE_public_post
        }

        chain nat_PRE_public_pre {
        }

        chain nat_PRE_public_log {
        }

        chain nat_PRE_public_deny {
        }

        chain nat_PRE_public_allow {
        }

        chain nat_PRE_public_post {
        }

        chain nat_POST_public {
                jump nat_POST_public_pre
                jump nat_POST_public_log
                jump nat_POST_public_deny
                jump nat_POST_public_allow
                jump nat_POST_public_post
        }

        chain nat_POST_public_pre {
        }

        chain nat_POST_public_log {
        }

        chain nat_POST_public_deny {
        }

        chain nat_POST_public_allow {
        }

        chain nat_POST_public_post {
        }

        chain nat_PRE_internal {
                jump nat_PRE_internal_pre
                jump nat_PRE_internal_log
                jump nat_PRE_internal_deny
                jump nat_PRE_internal_allow
                jump nat_PRE_internal_post
        }

        chain nat_PRE_internal_pre {
        }

        chain nat_PRE_internal_log {
        }

        chain nat_PRE_internal_deny {
        }

        chain nat_PRE_internal_allow {
        }

        chain nat_PRE_internal_post {
        }

        chain nat_POST_internal {
                jump nat_POST_internal_pre
                jump nat_POST_internal_log
                jump nat_POST_internal_deny
                jump nat_POST_internal_allow
                jump nat_POST_internal_post
        }

        chain nat_POST_internal_pre {
        }

        chain nat_POST_internal_log {
        }

        chain nat_POST_internal_deny {
        }

        chain nat_POST_internal_allow {
        }

        chain nat_POST_internal_post {
        }

        chain nat_POST_external {
                jump nat_POST_external_pre
                jump nat_POST_external_log
                jump nat_POST_external_deny
                jump nat_POST_external_allow
                jump nat_POST_external_post
        }

        chain nat_POST_external_pre {
        }

        chain nat_POST_external_log {
        }

        chain nat_POST_external_deny {
        }

        chain nat_POST_external_allow {
                oifname != "lo" masquerade
        }

        chain nat_POST_external_post {
        }

        chain nat_PRE_external {
                jump nat_PRE_external_pre
                jump nat_PRE_external_log
                jump nat_PRE_external_deny
                jump nat_PRE_external_allow
                jump nat_PRE_external_post
        }

        chain nat_PRE_external_pre {
        }

        chain nat_PRE_external_log {
        }

        chain nat_PRE_external_deny {
        }

        chain nat_PRE_external_allow {
        }

        chain nat_PRE_external_post {
        }
}
table ip6 firewalld {
        chain nat_PREROUTING {
                type nat hook prerouting priority -90; policy accept;
                jump nat_PREROUTING_ZONES
        }

        chain nat_PREROUTING_ZONES {
                iifname "enp3s0" goto nat_PRE_external
                iifname "enp2s0" goto nat_PRE_internal
                goto nat_PRE_public
        }

        chain nat_POSTROUTING {
                type nat hook postrouting priority 110; policy accept;
                jump nat_POSTROUTING_ZONES
        }

        chain nat_POSTROUTING_ZONES {
                oifname "enp3s0" goto nat_POST_external
                oifname "enp2s0" goto nat_POST_internal
                goto nat_POST_public
        }

        chain nat_PRE_public {
                jump nat_PRE_public_pre
                jump nat_PRE_public_log
                jump nat_PRE_public_deny
                jump nat_PRE_public_allow
                jump nat_PRE_public_post
        }

        chain nat_PRE_public_pre {
        }

        chain nat_PRE_public_log {
        }

        chain nat_PRE_public_deny {
        }

        chain nat_PRE_public_allow {
        }

        chain nat_PRE_public_post {
        }

        chain nat_POST_public {
                jump nat_POST_public_pre
                jump nat_POST_public_log
                jump nat_POST_public_deny
                jump nat_POST_public_allow
                jump nat_POST_public_post
        }

        chain nat_POST_public_pre {
        }

        chain nat_POST_public_log {
        }

        chain nat_POST_public_deny {
        }

        chain nat_POST_public_allow {
        }

        chain nat_POST_public_post {
        }

        chain nat_PRE_internal {
                jump nat_PRE_internal_pre
                jump nat_PRE_internal_log
                jump nat_PRE_internal_deny
                jump nat_PRE_internal_allow
                jump nat_PRE_internal_post
        }

        chain nat_PRE_internal_pre {
        }

        chain nat_PRE_internal_log {
        }

        chain nat_PRE_internal_deny {
        }

        chain nat_PRE_internal_allow {
        }

        chain nat_PRE_internal_post {
        }

        chain nat_POST_internal {
                jump nat_POST_internal_pre
                jump nat_POST_internal_log
                jump nat_POST_internal_deny
                jump nat_POST_internal_allow
                jump nat_POST_internal_post
        }

        chain nat_POST_internal_pre {
        }

        chain nat_POST_internal_log {
        }

        chain nat_POST_internal_deny {
        }

        chain nat_POST_internal_allow {
        }

        chain nat_POST_internal_post {
        }

        chain nat_POST_external {
                jump nat_POST_external_pre
                jump nat_POST_external_log
                jump nat_POST_external_deny
                jump nat_POST_external_allow
                jump nat_POST_external_post
        }

        chain nat_POST_external_pre {
        }

        chain nat_POST_external_log {
        }

        chain nat_POST_external_deny {
        }

        chain nat_POST_external_allow {
                oifname != "lo" masquerade
        }

        chain nat_POST_external_post {
        }

        chain nat_PRE_external {
                jump nat_PRE_external_pre
                jump nat_PRE_external_log
                jump nat_PRE_external_deny
                jump nat_PRE_external_allow
                jump nat_PRE_external_post
        }

        chain nat_PRE_external_pre {
        }

        chain nat_PRE_external_log {
        }

        chain nat_PRE_external_deny {
        }

        chain nat_PRE_external_allow {
        }

        chain nat_PRE_external_post {
        }
}
Things are working the way they were before: I can get to web-sites, but I'm getting a ton of rejected return packets that should be matched to the "ct state established,related accept" line.

Code: Select all

May  3 11:40:50 home kernel: STATE_INVALID_DROP: IN=enp3s0 OUT= MAC=00:1b:21:63:be:76:00:01:5c:62:2e:46:08:00 SRC=157.240.18.35 DST=65.64.63.62 LEN=115 TOS=0x00 PREC=0x00 TTL=83 ID=37698 DF PROTO=TCP SPT=443 DPT=11204 WINDOW=156 RES=0x00 ACK PSH FIN URGP=0
May  3 11:40:50 home kernel: STATE_INVALID_DROP: IN=enp3s0 OUT= MAC=00:1b:21:63:be:76:00:01:5c:62:2e:46:08:00 SRC=157.240.18.35 DST=65.64.63.62 LEN=115 TOS=0x00 PREC=0x00 TTL=83 ID=37699 DF PROTO=TCP SPT=443 DPT=11204 WINDOW=156 RES=0x00 ACK PSH FIN URGP=0
May  3 11:40:51 home kernel: STATE_INVALID_DROP: IN=enp3s0 OUT= MAC=00:1b:21:63:be:76:00:01:5c:62:2e:46:08:00 SRC=157.240.18.35 DST=65.64.63.62 LEN=115 TOS=0x00 PREC=0x00 TTL=83 ID=37700 DF PROTO=TCP SPT=443 DPT=11204 WINDOW=156 RES=0x00 ACK PSH FIN URGP=0
May  3 11:40:51 home kernel: FINAL_REJECT: IN=enp2s0 OUT= MAC=ff:ff:ff:ff:ff:ff:70:85:c2:f7:82:33:08:00 SRC=192.168.1.51 DST=192.168.1.255 LEN=49 TOS=0x00 PREC=0x00 TTL=128 ID=8247 PROTO=UDP SPT=50307 DPT=32414 LEN=29
May  3 11:40:51 home kernel: FINAL_REJECT: IN=enp2s0 OUT= MAC=ff:ff:ff:ff:ff:ff:70:85:c2:f7:82:33:08:00 SRC=192.168.1.51 DST=192.168.1.255 LEN=49 TOS=0x00 PREC=0x00 TTL=128 ID=8246 PROTO=UDP SPT=50306 DPT=32412 LEN=29
May  3 11:40:52 home kernel: STATE_INVALID_DROP: IN=enp3s0 OUT= MAC=00:1b:21:63:be:76:00:01:5c:62:2e:46:08:00 SRC=157.240.18.35 DST=65.64.63.62 LEN=115 TOS=0x00 PREC=0x00 TTL=83 ID=37701 DF PROTO=TCP SPT=443 DPT=11204 WINDOW=156 RES=0x00 ACK PSH FIN URGP=0
May  3 11:40:54 home kernel: STATE_INVALID_DROP: IN=enp3s0 OUT= MAC=00:1b:21:63:be:76:00:01:5c:62:2e:46:08:00 SRC=157.240.18.35 DST=65.64.63.62 LEN=115 TOS=0x00 PREC=0x00 TTL=83 ID=37702 DF PROTO=TCP SPT=443 DPT=11204 WINDOW=156 RES=0x00 ACK PSH FIN URGP=0
May  3 11:40:55 home kernel: STATE_INVALID_DROP: IN=enp3s0 OUT= MAC=00:1b:21:63:be:76:00:01:5c:62:2e:46:08:00 SRC=17.36.205.69 DST=65.64.63.62 LEN=126 TOS=0x00 PREC=0x00 TTL=45 ID=6755 DF PROTO=TCP SPT=993 DPT=51707 WINDOW=254 RES=0x00 ACK PSH FIN URGP=0
May  3 11:40:56 home kernel: FINAL_REJECT: IN=enp2s0 OUT= MAC=ff:ff:ff:ff:ff:ff:70:85:c2:f7:82:33:08:00 SRC=192.168.1.51 DST=192.168.1.255 LEN=49 TOS=0x00 PREC=0x00 TTL=128 ID=8249 PROTO=UDP SPT=50306 DPT=32412 LEN=29
May  3 11:40:56 home kernel: FINAL_REJECT: IN=enp2s0 OUT= MAC=ff:ff:ff:ff:ff:ff:70:85:c2:f7:82:33:08:00 SRC=192.168.1.51 DST=192.168.1.255 LEN=49 TOS=0x00 PREC=0x00 TTL=128 ID=8248 PROTO=UDP SPT=50307 DPT=32414 LEN=29
May  3 11:40:59 home kernel: STATE_INVALID_DROP: IN=enp3s0 OUT= MAC=00:1b:21:63:be:76:00:01:5c:62:2e:46:08:00 SRC=157.240.18.35 DST=65.64.63.62 LEN=115 TOS=0x00 PREC=0x00 TTL=83 ID=37703 DF PROTO=TCP SPT=443 DPT=11204 WINDOW=156 RES=0x00 ACK PSH FIN URGP=0
May  3 11:41:00 home kernel: FINAL_REJECT: IN=enp3s0 OUT= MAC=00:1b:21:63:be:76:00:01:5c:62:2e:46:08:00 SRC=185.145.122.5 DST=65.64.63.62 LEN=40 TOS=0x00 PREC=0x00 TTL=74 ID=14162 DF PROTO=TCP SPT=48788 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
May  3 11:41:01 home kernel: FINAL_REJECT: IN=enp2s0 OUT= MAC=ff:ff:ff:ff:ff:ff:70:85:c2:f7:82:33:08:00 SRC=192.168.1.51 DST=192.168.1.255 LEN=49 TOS=0x00 PREC=0x00 TTL=128 ID=8251 PROTO=UDP SPT=50306 DPT=32412 LEN=29
May  3 11:41:01 home kernel: FINAL_REJECT: IN=enp2s0 OUT= MAC=ff:ff:ff:ff:ff:ff:70:85:c2:f7:82:33:08:00 SRC=192.168.1.51 DST=192.168.1.255 LEN=49 TOS=0x00 PREC=0x00 TTL=128 ID=8250 PROTO=UDP SPT=50307 DPT=32414 LEN=29
May  3 11:41:02 home kernel: STATE_INVALID_DROP: IN=enp3s0 OUT= MAC=00:1b:21:63:be:76:00:01:5c:62:2e:46:08:00 SRC=157.240.18.35 DST=65.64.63.62 LEN=47 TOS=0x00 PREC=0x00 TTL=83 ID=18497 DF PROTO=TCP SPT=443 DPT=11197 WINDOW=110 RES=0x00 ACK PSH FIN URGP=0
192.168.1.51 is my primary workstation.
157.240.18.35 is Facebook.
17.36.205.69 is Apple.

There are also some broadcast packets being rejected from my primary workstation...but I'm not sure that's a bad thing? Maybe it is? I really want to allow all traffic from my Internal network. A little concerning to see anything being blocked from Internal.

Right now, I'm rejecting port 80 and 443 inbound, but I'm likely going to re-enable those later. This is more of a test server (I have my actual web server co-located) so the only annoying thing is my inability to use the Internet properly.

At least it's not broken worse than it was? Any ideas? Am I missing something obvious?

Thank you so much for your help so far!
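To sort log lines like the ones above by what they actually are, here is an added example (not code from the original post or from firewalld); it runs over constructed sample lines in the same kernel LOG format, with RFC 5737 documentation addresses standing in for the public ones, and takes the `192.168.1.0/24` network and the `enp2s0`/`enp3s0` interface names from the poster's setup.

```python
"""Triage firewalld kernel LOG lines such as STATE_INVALID_DROP / FINAL_REJECT.

Added example, not from the original thread. Sample lines are constructed in the
same format as the poster's log; public addresses are RFC 5737 documentation ones.
"""
import ipaddress
import re
from collections import Counter

LAN = ipaddress.ip_network("192.168.1.0/24")   # the poster's internal network
LAN_IF, WAN_IF = "enp2s0", "enp3s0"            # interfaces from the poster's ruleset
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
LINE_RE = re.compile(r"kernel: (?P<prefix>[A-Z_]+): (?P<fields>.*)$")

# Constructed sample (not real traffic): two late FIN/ACK segments from a remote
# HTTPS server, one LAN broadcast, one unsolicited SYN to port 80 from the WAN.
SAMPLE_LOG = """\
May  3 11:40:50 home kernel: STATE_INVALID_DROP: IN=enp3s0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.10 DST=203.0.113.5 LEN=115 TOS=0x00 PREC=0x00 TTL=83 ID=37698 DF PROTO=TCP SPT=443 DPT=11204 WINDOW=156 RES=0x00 ACK PSH FIN URGP=0
May  3 11:40:51 home kernel: FINAL_REJECT: IN=enp2s0 OUT= MAC=ff:ff:ff:ff:ff:ff:70:85:c2:f7:82:33:08:00 SRC=192.168.1.51 DST=192.168.1.255 LEN=49 TOS=0x00 PREC=0x00 TTL=128 ID=8247 PROTO=UDP SPT=50307 DPT=32414 LEN=29
May  3 11:41:00 home kernel: FINAL_REJECT: IN=enp3s0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=74 ID=14162 DF PROTO=TCP SPT=48788 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
May  3 11:41:02 home kernel: STATE_INVALID_DROP: IN=enp3s0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.10 DST=203.0.113.5 LEN=47 TOS=0x00 PREC=0x00 TTL=83 ID=18497 DF PROTO=TCP SPT=443 DPT=11197 WINDOW=110 RES=0x00 ACK PSH FIN URGP=0
"""

ADVICE = {
    "stale-return": "TCP segment conntrack no longer tracks (entry expired, flushed by a "
                    "reload, or out of window); the ESTABLISHED rule cannot match it, so look "
                    "at conntrack state, not at zone rules",
    "lan-broadcast": "LAN broadcast/multicast to a port no zone service allows; unrelated to "
                     "return traffic",
    "new-inbound": "unsolicited SYN from outside; rejected exactly as the policy intends",
    "other": "needs a manual look",
}


def parse_line(line):
    """Parse one kernel LOG line into a dict of KEY=value fields plus a flag set.

    Returns None for lines that are not firewall log lines.
    """
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix"), "flags": set()}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            rec.setdefault(key, val)  # UDP lines carry LEN twice; keep the IP length
        elif tok in TCP_FLAGS or tok == "DF":
            rec["flags"].add(tok)
    return rec


def classify(rec):
    """Bucket a parsed record by what kind of traffic it really is."""
    proto, flags = rec.get("PROTO"), rec["flags"]
    dst = ipaddress.ip_address(rec["DST"]) if rec.get("DST") else None
    if dst is not None and (dst == LAN.broadcast_address or dst.is_multicast):
        return "lan-broadcast"
    if proto == "TCP" and "SYN" in flags and "ACK" not in flags:
        return "new-inbound"
    if rec["prefix"] == "STATE_INVALID_DROP" and proto == "TCP" and "ACK" in flags:
        return "stale-return"
    return "other"


def triage(log_text):
    """Return (Counter of categories, list of (category, in_if, src, spt, dpt))."""
    summary, details = Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        cat = classify(rec)
        summary[cat] += 1
        details.append((cat, rec.get("IN"), rec.get("SRC"), rec.get("SPT"), rec.get("DPT")))
    return summary, details


if __name__ == "__main__":
    summary, details = triage(SAMPLE_LOG)
    for cat, count in summary.most_common():
        print(f"{count:3d}  {cat:14s} {ADVICE[cat]}")
    for row in details:
        print("    ", row)
```

Fed `journalctl -k` output instead of the sample, it shows which bucket dominates; only the stale-return lines concern the RELATED,ESTABLISHED rule, and those are answered by conntrack state (`conntrack -L`), not by zone rules.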

User avatar
TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Firewalld Blocking RELATED,ESTABLISHED Inbound Since Update

Post by TrevorH » 2020/05/03 15:59:01

If you use firewalld then you must ONLY use firewalld. You cannot mess with nftables or iptables behind its back as it will get confused and either back out your changes or do weird stuff. If you use firewalld then all your admin of its rules must be with its utilities not by using nftables to amend things. You can use nftables/iptables to inspect the rules, you may not change them.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
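A read-only audit in the spirit of the advice above, added here as an example and not code from the thread or from firewalld: it parses `nft list ruleset` output (a constructed sample modelled on the dump earlier in the thread, with a documentation address in place of the real WAN IP) and reports tables that are not firewalld's own yet carry rules, plus every NAT rule, so a duplicated masquerade/snat shows up at a glance.

```python
"""Read-only audit of `nft list ruleset` output next to a running firewalld.

Added example, not from the thread or from firewalld. The sample is constructed
after the poster's dump; 203.0.113.5 is a documentation address for the WAN IP.
Empty tables holding only base chains are typically left behind by the
iptables-nft compat tools and are harmless; rules inside a table that is not
firewalld's are what "changed behind firewalld's back" looks like.
"""
import re

TABLE_RE = re.compile(r"^table (?P<family>\w+) (?P<name>\S+) \{$")
CHAIN_RE = re.compile(r"^chain (?P<name>\S+) \{$")
NAT_WORDS = ("masquerade", " snat to ", " dnat to ")

SAMPLE_RULESET = """\
table ip filter {
        chain INPUT {
                type filter hook input priority 0; policy accept;
        }
}
table ip nat {
        chain prerouting {
                type nat hook prerouting priority -100; policy accept;
        }

        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
                ip saddr 192.168.1.0/24 oif "enp3s0" snat to 203.0.113.5
                masquerade
        }
}
table inet firewalld {
        ct helper helper-netbios-ns-udp {
                type "netbios-ns" protocol udp

                l3proto ip
        }

        chain filter_INPUT {
                type filter hook input priority 10; policy accept;
                ct state established,related accept
                jump filter_INPUT_ZONES
        }
}
table ip firewalld {
        chain nat_POST_external_allow {
                oifname != "lo" masquerade
        }
}
"""


def parse_ruleset(text):
    """Return {(family, table): {chain: [rules]}} from `nft list ruleset` text.

    Brace depth is tracked so non-chain objects (ct helpers, sets) are skipped
    without losing the enclosing table; base-chain headers are not rules.
    """
    tables, table, chain, depth = {}, None, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            if depth == 0:
                m = TABLE_RE.match(line)
                table = (m.group("family"), m.group("name")) if m else None
                if table is not None:
                    tables[table] = {}
            elif depth == 1:
                m = CHAIN_RE.match(line)
                chain = m.group("name") if (m and table is not None) else None
                if chain is not None:
                    tables[table][chain] = []
            depth += 1
            continue
        if line == "}":
            depth -= 1
            if depth <= 1:
                chain = None
            if depth == 0:
                table = None
            continue
        if chain is not None and depth == 2 and not line.startswith("type "):
            tables[table][chain].append(line)
    return tables


def foreign_rules(tables, owner="firewalld"):
    """Tables not named `owner` that carry at least one rule."""
    found = {}
    for (family, name), chains in tables.items():
        if name == owner:
            continue
        rules = {c: r for c, r in chains.items() if r}
        if rules:
            found[(family, name)] = rules
    return found


def nat_rules(tables):
    """Every NAT rule in every table, in ruleset order."""
    return [(fam, name, chain, rule)
            for (fam, name), chains in tables.items()
            for chain, rules in chains.items()
            for rule in rules
            if any(w in f" {rule} " for w in NAT_WORDS)]


if __name__ == "__main__":
    parsed = parse_ruleset(SAMPLE_RULESET)
    for (fam, name), chains in foreign_rules(parsed).items():
        for chain, rules in chains.items():
            print(f"foreign rules in table {fam} {name}, chain {chain}: {rules}")
    for row in nat_rules(parsed):
        print("NAT:", row)
```

Pipe real output in with `sudo nft list ruleset` and a one-line `sys.stdin.read()` in place of the sample; anything it prints under "foreign rules" is what firewalld does not know about.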

amarand
Posts: 38
Joined: 2006/09/12 19:09:07
Location: Columbus, Ohio, USA
Contact:

Re: Firewalld Blocking RELATED,ESTABLISHED Inbound Since Update

Post by amarand » 2020/05/03 16:08:38

TrevorH wrote:
2020/05/03 15:59:01
If you use firewalld then you must ONLY use firewalld. You cannot mess with nftables or iptables behind its back as it will get confused and either back out your changes or do weird stuff. If you use firewalld then all your admin of its rules must be with its utilities not by using nftables to amend things. You can use nftables/iptables to inspect the rules, you may not change them.
Ahh okay. I guess I was getting confused.

With my fairly basic configuration, should I simply stick to Firewalld then? The administration seems fairly straightforward.

The only reason why I was messing with the nftables was because something is broken, and there's no indication within Firewalld what that is?

I did a little digging and found a "here's how you do it" for nftables, but as you say, you can't manipulate nftables if you're using Firewalld?

amarand
Posts: 38
Joined: 2006/09/12 19:09:07
Location: Columbus, Ohio, USA
Contact:

Re: Firewalld Blocking RELATED,ESTABLISHED Inbound Since Update

Post by amarand » 2020/05/03 16:18:46

amarand wrote:
2020/05/03 16:08:38
TrevorH wrote:
2020/05/03 15:59:01
If you use firewalld then you must ONLY use firewalld. You cannot mess with nftables or iptables behind its back as it will get confused and either back out your changes or do weird stuff. If you use firewalld then all your admin of its rules must be with its utilities not by using nftables to amend things. You can use nftables/iptables to inspect the rules, you may not change them.
Ahh okay. I guess I was getting confused.

With my fairly basic configuration, should I simply stick to Firewalld then? The administration seems fairly straightforward.

The only reason why I was messing with the nftables was because something is broken, and there's no indication within Firewalld what that is?

I did a little digging and found a "here's how you do it" for nftables, but as you say, you can't manipulate nftables if you're using Firewalld?
As an aside, I find Firewalld's management tools to be fairly straightforward and well-documented. I do not enjoy or completely understand nftables yet, as I come from the ipchains/iptables world, and it took me a while to get used to Firewalld.

My primary concern is that everything was working perfectly until something upgraded/updated, and now I have a ton of return packets being denied by the firewall, and I have no idea how to fix it. I still feel like it's a bug of some sort, but I've also read that some behavior changed in Firewalld semi-recently with AutomaticHelpers and AllowZoneDrifting, which allows for increased security (yay!) but also might be what's breaking my implementation.

My use case is extremely simple:

Inside gets out.
Outside gets blocked unless it's a related,established packet.

This is fairly standard NAT, correct? Oh, and masquerade goes into the mix because that rewrites the packets so the source is the external IP.

I have a single, statically-assigned external IP address which changes (much to my chagrin) once every five or ten years when something at my ISP breaks and they have to issue me a new one. I pay for that static IP address to not change.

I have a very standard internal network (192.168.1.0/24).

My main problem is, there are decades worth of awesome "how to" documents I can choose from for iptables and (to a lesser degree) firewalld. nftables is so relatively new, there aren't a lot of "how to" documents out there. So now, I'm forced to decide: use firewalld, which I guess I understand well enough (It's worked perfectly well since firewalld was first introduced as the firewall of choice for CentOS.) OR, switch to nftables direct, which is like using iptables direct, which I never truly understood, and which is why I used fwbuilder with iptables before, and then firewalld now.

So, I'm stuck:

Do I fix this current implementation of firewalld, which I'm suspecting should "just work" seeing as this is probably the part it was born to play...

OR

Do I learn a whole new firewall system (nftables), and figure that out?

Right now, at this moment, it appears to be just as broken as it was before when I first submitted this post. So...at least the issue is reproducible?

amarand
Posts: 38
Joined: 2006/09/12 19:09:07
Location: Columbus, Ohio, USA
Contact:

Re: Firewalld Blocking RELATED,ESTABLISHED Inbound Since Update

Post by amarand » 2020/05/03 16:25:56

TrevorH wrote:
2020/05/03 15:59:01
If you use firewalld then you must ONLY use firewalld. You cannot mess with nftables or iptables behind its back as it will get confused and either back out your changes or do weird stuff. If you use firewalld then all your admin of its rules must be with its utilities not by using nftables to amend things. You can use nftables/iptables to inspect the rules, you may not change them.
Also, I just want to clarify, so I understand:

nftables is the replacement for iptables.
iptables in CentOS 8 is simply a wrapper around nftables.
nftables is the backend firewall which firewalld can use.
Once you have firewalld enabled, it "manages" nftables rules.
When firewalld is managing nftables, you should never perform nftables write commands, only read commands.
If I want to use firewalld, all changes must go through firewalld.
If there is a deficiency with firewalld, I must disable firewalld and use only nftables directly.

Is that the long and the short of it?
