Looking for a little guidance firewalld/nftables/iptables

sbb2112
Posts: 4
Joined: 2020/04/15 15:53:03

Looking for a little guidance firewalld/nftables/iptables

Post by sbb2112 » 2020/04/25 20:43:50

I am seeing these messages in the logs (see link below) and am looking for a better understanding of how these tie together. I read viewtopic.php?f=56&t=73491 and have been setting up the firewall using firewall-cmd. I was looking to block ping replies and added icmp blocks. I get a "Destination net unreachable" message when pinging the CentOS server remotely. If I use the iptables command to drop, I get "Request timed out" from ping. This was my goal, but now I am confused as to the way these tie/work together. It appears two things are competing. The iptables rule doesn't stick either. Time to ask some questions before I get into a mess.
This is my first install on CentOS, so bear with me. My other servers are HP-UX and macOS. I am replacing the HP box with this.

KernelOops
Posts: 428
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: Looking for a little guidance firewalld/nftables/iptables

Post by KernelOops » 2020/04/26 07:14:04

CentOS 8 uses nftables behind firewalld.

I can't remember which icmp block causes pings to timeout, try some of these in your target zone:


  <icmp-block name="redirect"/>
  <icmp-block name="timestamp-request"/>
  <icmp-block name="router-solicitation"/>
  <icmp-block name="parameter-problem"/>
  <icmp-block name="destination-unreachable"/>
  <icmp-block name="echo-request"/>
  <icmp-block name="timestamp-reply"/>
  <icmp-block name="echo-reply"/>
  <icmp-block name="source-quench"/>
  <icmp-block name="time-exceeded"/>
  <icmp-block name="router-advertisement"/>
--
R.I.P. CentOS :cry:
--

sbb2112
Posts: 4
Joined: 2020/04/15 15:53:03

Re: Looking for a little guidance firewalld/nftables/iptables

Post by sbb2112 » 2020/04/26 12:46:23

I issue from the command line 'iptables -A INPUT --proto icmp -j DROP', which gives me the desired effect. This however doesn't stick past a 'firewall-cmd --reload'. So, even though all the iptables functions are loaded, I should look at nftables to get the ping to act as desired and also to get rid of the duplicate(?) iptables messages in the logs, and ignore using the iptables functions. Also, I see this reply "iptables v1.8.2 (nf_tables)" when checking the iptables version. Is this telling me the iptables commands are using nftables?

sbb2112
Posts: 4
Joined: 2020/04/15 15:53:03

Re: Looking for a little guidance firewalld/nftables/iptables

Post by sbb2112 » 2020/04/26 12:48:50

I am using these icmp-blocks now: echo-request, timestamp-reply, timestamp-request, so I will check some of the others.

sbb2112
Posts: 4
Joined: 2020/04/15 15:53:03

Re: Looking for a little guidance firewalld/nftables/iptables

Post by sbb2112 » 2020/04/26 19:32:35

I tried all the mentioned options but didn't get any different results. I did this: 'firewall-cmd --permanent --add-rich-rule='rule protocol value="icmp" drop'', which, once reloaded, is permanent.

It appears that the messages I referred to in the link in the first post were WARNINGS and show up in the log when firewalld is restarted. It looks harmless.

I am only finding the settings for the firewall being saved in the zone files in /etc/firewalld/zones. Is this the only place they exist? If I issue 'nft list ruleset' they all show there. Are those coming from the zone file in firewalld or some other place?
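The zone file under /etc/firewalld/zones is the permanent record that firewalld turns into the nft ruleset, so the icmp-block entries from the earlier reply and the drop rich rule from the last post both end up in that one XML file. The following added example (written for this thread; it is not the poster's code and not part of the firewalld project) parses a zone file of that shape, predicts how an incoming echo-request will be treated, and rebuilds the permanent firewall-cmd invocations that would produce the same file. The sample zone content is constructed; the element layout follows firewalld.zone(5), and the assumption that a drop rich rule gives "Request timed out" while an icmp-block gives "Destination net unreachable" is taken from what the thread observed.

```python
"""Parse a firewalld zone file and predict how a remote ping is treated.

Added example for this thread, not code from the forum post or from firewalld.
Assumptions (labelled):
  - zone files use the firewalld.zone(5) layout: <icmp-block name="..."/>,
    an optional <icmp-block-inversion/>, and rich rules stored as
    <rule> <protocol value="icmp"/> <drop/> </rule>;
  - a rich rule that drops ICMP silently discards echo-request ("Request
    timed out" in the thread), while an icmp-block rejects it
    ("Destination net unreachable" in the thread).
"""
import xml.etree.ElementTree as ET

RICH_ACTIONS = ("accept", "reject", "drop", "mark")


def build_zone_xml(icmp_blocks, drop_icmp=False, inversion=False):
    """Generate a constructed zone file body, shaped like /etc/firewalld/zones/<zone>.xml."""
    lines = ['<?xml version="1.0" encoding="utf-8"?>', "<zone>",
             "  <short>Example</short>", '  <service name="ssh"/>']
    if inversion:
        lines.append("  <icmp-block-inversion/>")
    for name in icmp_blocks:
        lines.append('  <icmp-block name="%s"/>' % name)
    if drop_icmp:
        # what --add-rich-rule='rule protocol value="icmp" drop' is stored as
        lines += ["  <rule>", '    <protocol value="icmp"/>', "    <drop/>", "  </rule>"]
    lines.append("</zone>")
    return "\n".join(lines) + "\n"


# Constructed sample: the three blocks the poster listed plus the drop rich rule.
SAMPLE_ZONE_XML = build_zone_xml(
    ["echo-request", "timestamp-request", "timestamp-reply"], drop_icmp=True)


def parse_zone(xml_text):
    """Return the parts of a zone file that decide what happens to ICMP."""
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        raise ValueError("not a firewalld zone file (root element %r)" % root.tag)
    rich_rules = []
    for rule in root.findall("rule"):
        proto = rule.find("protocol")
        action = next((a for a in RICH_ACTIONS if rule.find(a) is not None), None)
        rich_rules.append({
            "family": rule.get("family"),   # None means the rule applies to IPv4 and IPv6
            "protocol": proto.get("value") if proto is not None else None,
            "action": action,
        })
    return {
        "icmp_blocks": {e.get("name") for e in root.findall("icmp-block")},
        "icmp_block_inversion": root.find("icmp-block-inversion") is not None,
        "rich_rules": rich_rules,
        "services": [e.get("name") for e in root.findall("service")],
    }


def echo_request_blocked(zone):
    """With inversion the listed types are the allowed ones; everything else is blocked."""
    listed = "echo-request" in zone["icmp_blocks"]
    return listed != zone["icmp_block_inversion"]


def ping_behaviour(zone):
    """'timeout' (dropped), 'unreachable' (rejected) or 'reply' for an incoming echo-request."""
    for rule in zone["rich_rules"]:
        if rule["protocol"] == "icmp" and rule["action"] == "drop":
            return "timeout"        # silent drop: remote ping reports "Request timed out"
        if rule["protocol"] == "icmp" and rule["action"] == "reject":
            return "unreachable"
    if echo_request_blocked(zone):
        return "unreachable"        # icmp-block rejects: "Destination net unreachable"
    return "reply"


def zone_to_firewall_cmd(zone, zone_name):
    """Rebuild the permanent firewall-cmd invocations that would produce this zone file."""
    prefix = "firewall-cmd --permanent --zone=%s " % zone_name
    cmds = [prefix + "--add-service=%s" % s for s in zone["services"]]
    if zone["icmp_block_inversion"]:
        cmds.append(prefix + "--add-icmp-block-inversion")
    cmds += [prefix + "--add-icmp-block=%s" % n for n in sorted(zone["icmp_blocks"])]
    for rule in zone["rich_rules"]:
        if rule["protocol"] and rule["action"]:
            text = 'rule protocol value="%s" %s' % (rule["protocol"], rule["action"])
            cmds.append(prefix + "--add-rich-rule='%s'" % text)
    cmds.append("firewall-cmd --reload")   # the step after which the thread saw rules persist
    return cmds


if __name__ == "__main__":
    z = parse_zone(SAMPLE_ZONE_XML)
    print("icmp blocks:", sorted(z["icmp_blocks"]))
    print("ping from a remote host:", ping_behaviour(z))
    print("\n".join(zone_to_firewall_cmd(z, "public")))
```

Run it against a real file with `parse_zone(open("/etc/firewalld/zones/public.xml").read())`; after `firewall-cmd --reload` the same blocks should be visible in `nft list ruleset`, because firewalld regenerates that ruleset from the zone files rather than from anything added by hand with iptables.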
