Re: Firewalld Blocking RELATED,ESTABLISHED Inbound Since Update
Posted: 2020/05/04 07:55:29
Those FINAL_REJECTs are all from inside to port 5355/udp. IPv4 224.0.0.252 is a non-routable multicast address and so are IPv6 ffx2::/16.
https://en.wikipedia.org/wiki/Multicast_address
https://en.wikipedia.org/wiki/Link-Loca ... Resolution
In other words, the device 192.168.1.51 (I presume that the IPv6 address belongs to the same device, and BTW, the fe80:: contains the MAC address too) attempts multicast name resolution (whatever that is).
Multicast DNS would be allowed, but that is to 224.0.0.251 5353/udp:
```
chain filter_IN_internal_allow {
ip daddr 224.0.0.251 udp dport mdns ct state new,untracked accept
ip6 daddr ff02::fb udp dport mdns ct state new,untracked accept
```
I have never understood multicast, but this looks like "works as designed".

The real issue:
The STATE_INVALID_DROP (from facebook) comes from the INPUT:
```
IN=enp3s0 OUT= DST=65.64.63.62
```
```
chain filter_INPUT {
ct state invalid log prefix "STATE_INVALID_DROP: "
ct state invalid drop
```
If these are replies within an existing connection (which they probably are) then the masquerade should have recognized them as such and restored the original source (into the DST), which would have changed the routing into
```
IN=enp3s0 OUT=enp2s0
```
and then the packet should match
```
chain filter_FORWARD {
ct state established,related accept
```
As far as I can see, the problem is not in the firewall rules. They look fine.
The problem is thus that masquerade in kernel does not pick valid replies and "demasquerade" them.
(Or sites like Facebook send invalid packages, or a man in the middle mangles packages.)
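A small triage script, added here and not part of the post, that sorts firewalld log lines into the classes the reply distinguishes: LLMNR/mDNS multicast rejects from the LAN, and invalid-state drops that arrived on the WAN side addressed to the router itself (i.e. replies conntrack did not map back to a masqueraded flow). The interface roles (enp3s0 WAN, enp2s0 LAN) and the sample lines are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Assumed interface roles, inferred from the log lines quoted in the post
# (enp3s0 faces the Internet, enp2s0 the LAN).
WAN_IF = "enp3s0"
LLMNR_PORT, MDNS_PORT = 5355, 5353

# Constructed sample log lines (not from the post): the prefixes, interface
# names and 65.64.63.62 are from the post, the other addresses are placeholders.
SAMPLE_LOG = """\
FINAL_REJECT: IN=enp2s0 OUT= SRC=192.168.1.51 DST=224.0.0.252 PROTO=UDP SPT=5355 DPT=5355
FINAL_REJECT: IN=enp2s0 OUT= SRC=fe80::1 DST=ff02::1:3 PROTO=UDP SPT=5355 DPT=5355
STATE_INVALID_DROP: IN=enp3s0 OUT= SRC=203.0.113.10 DST=65.64.63.62 PROTO=TCP SPT=443 DPT=41200
STATE_INVALID_DROP: IN=enp3s0 OUT=enp2s0 SRC=203.0.113.10 DST=192.168.1.51 PROTO=TCP SPT=443 DPT=41200
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse(line):
    """Split a netfilter log line into its log prefix and KEY=VALUE fields."""
    prefix, _, rest = line.partition(": ")
    return prefix, dict(FIELD_RE.findall(rest))


def classify(line):
    """Name the reason a logged packet was dropped, following the post's analysis."""
    prefix, f = parse(line)
    dst = ip_address(f["DST"])
    dport = int(f.get("DPT", 0))
    if dst.is_multicast and dport == LLMNR_PORT:
        return "llmnr-multicast"   # LLMNR to 224.0.0.252 / ff02::1:3: no rule allows it, expected
    if dst.is_multicast and dport == MDNS_PORT:
        return "mdns-multicast"    # mDNS would match the filter_IN_internal_allow rule
    if prefix == "STATE_INVALID_DROP" and f["IN"] == WAN_IF and f["OUT"] == "":
        # Arrived on the WAN side addressed to the router: conntrack did not map it
        # back to a masqueraded LAN flow, so it reached filter_INPUT as invalid.
        return "wan-reply-not-demasqueraded"
    if prefix == "STATE_INVALID_DROP" and f["OUT"]:
        return "invalid-forwarded"  # de-NATed but still invalid: out-of-window or stray segment
    return "other"


def summarize(log):
    """Count each drop class over a log excerpt."""
    return Counter(classify(l) for l in log.splitlines() if l.strip())
```

A rising count of "wan-reply-not-demasqueraded" for a site you are actively browsing supports the reply's conclusion that the rules are fine and conntrack/masquerade is the place to look.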