Comments (8)
There is another issue with the conntrack entry before any other chain:
I cannot block intruders while they are holding a connection! For example a drop entry in IN_public_deny will only take effect once the hacker starts a new connection.
This looks like a major security problem to me.
from firewalld.
I thought about addition something similar as the prefiter flag also some time ago. But this would require to change the D-Bus interface of the direct interface in firewalld. Which would break existing services using it.
There is a solution without the need to change the interface: Use a passthrough rule to add a rule in the first line of the INPUT, .. chain. In this rule you can also jump into chains you have created with the --add-chain option in the same ipv and table.
from firewalld.
I have to admit I don't enough about the D-Bus interface, but I'm guessing that rules out option 1. However is there any reason we can't do 2 - i.e. create a standard chain that runs first up before any conntrack.
I understand that you can use --passthrough - that is essentially what I say in the second paragraph above. The issue is that this would be hard to do in any sort of automatic install - for example in an init script. The --passthrough option only works if use --permanent (if you don't, your changes will be lost when you do a --reload), it is also hard to do a remove (essentially you have to do it by rule number - hoping that it is still number 1 in the INPUT chain).
It would be better to do it as a standard chain with a known (pre-defined) name. What happens if there are multiple kernel modules that wan't to get ahead of conntrack?
from firewalld.
@t-woerner any news on this?
from firewalld.
Ping?
from firewalld.
We're currently working on an nftables backend, which would be a good time to make a change like this. That being said, I don't think it's likely to happen with the iptables backend for the reasons @t-woerner mentions above. The passthrough solution is a bit hacky, but it's the best option right now.
from firewalld.
FWIW, here's one way to (manually) fulfill the description of this ticket. It effectively "moves" INPUT_direct & FORWARD_direct to the top of their respective chains.
# firewall-cmd --direct --passthrough ipv4 -D INPUT -j INPUT_direct
# firewall-cmd --direct --passthrough ipv6 -D INPUT -j INPUT_direct
# firewall-cmd --direct --passthrough ipv4 -D FORWARD -j FORWARD_direct # firewall-cmd --direct --passthrough ipv6 -D FORWARD -j FORWARD_direct
# firewall-cmd --direct --passthrough ipv4 -I INPUT 1 -j INPUT_direct
# firewall-cmd --direct --passthrough ipv6 -I INPUT 1 -j INPUT_direct
# firewall-cmd --direct --passthrough ipv4 -I FORWARD 1 -j FORWARD_direct
# firewall-cmd --direct --passthrough ipv6 -I FORWARD 1 -j FORWARD_direct
Making the above --permanent produces the following direct.xml
, which works, with the caveat that firewalld does not actually execute the -D arguments. As it is, it's an imperfect workaround.
<?xml version="1.0" encoding="utf-8"?>
<direct>
<passthrough ipv="ipv4">-D INPUT -j INPUT_direct</passthrough>
<passthrough ipv="ipv6">-D INPUT -j INPUT_direct</passthrough>
<passthrough ipv="ipv4">-D FORWARD -j FORWARD_direct</passthrough>
<passthrough ipv="ipv6">-D FORWARD -j FORWARD_direct</passthrough>
<passthrough ipv="ipv4">-I INPUT 1 -j INPUT_direct</passthrough>
<passthrough ipv="ipv6">-I INPUT 1 -j INPUT_direct</passthrough>
<passthrough ipv="ipv4">-I FORWARD 1 -j FORWARD_direct</passthrough>
<passthrough ipv="ipv6">-I FORWARD 1 -j FORWARD_direct</passthrough>
</direct>
Without hacking, the result is 'permanent' INPUT & FORWARD chains with duplicate rules. The direct.xml INPUT_direct & FORWARD_direct jumps are successfully reinserted at the top of each chain, but the originals still exist further down in the rule set too.
It would be very helpful if direct passthrough does what it implies. It's misleading and took a bit of spelunking to figure out that I was being saved from myself. My expectation was that firewalld would pass through ALL direct arguments. But, I was wrong.
firewalld[3301]: WARNING: INVALID_PASSTHROUGH: arg '-D' is not allowed
IMHO, passthrough should at least support "-D", "--delete". Making that happen takes minimal effort and could effectively resolve many issues for many users. The fact that direct.xml gets processed last allows for workarounds like this to function as expected & allows for fine tuning.
I tested this change, with the above XML, and it works as expected.
The same logic works for the other chains too, e.g. OUTPUT
HTH
from firewalld.
This was addressed with the new nftables backend (v0.6.0). Direct rules have higher precedence and occur before any other firewalld rules. For more info please read the blog post: https://firewalld.org/2018/07/nftables-backend
from firewalld.
Related Issues (20)
- Preserve source IP when using masquerade + rich-rule port-forwading
- Policy and IPv6 HOT 3
- Add port forwarding to firewalld doesn't take effect actually HOT 5
- Applet icon missing in the tray but randomly appears after relog HOT 3
- Add SCTP for DLM
- --runtime-to-permanent removing public zone from active zones HOT 2
- Should `https.xml` include `http3.xml`? HOT 1
- Bug in `wrong_args_for_callable()` causes firewall-applet to crash (regression introduced in 2.1.0) HOT 1
- rework D-Bus bindings and move away from deprecated python-dbus
- Disruptive remnants of firewalld.service remain after removal HOT 3
- Non compacted IPv6 address conflict after reload HOT 1
- Unfriendly error message with `firewall-cmd --load-zone-defaults` without customization.
- Feature request: Add a functionality for services/ports/protocols to be filtered first and then source IP HOT 2
- PolicyKit authentication attempt on startup of firewall-config times out after 25 seconds HOT 10
- Ceph highest port number is outdated
- usability: default target is not shown on zone-info HOT 4
- firewall-offline-cmd fails to enable/disable lockdown HOT 1
- DB connection fails with port 5432 with docker HOT 11
- Entry check fails for IP sets combining CIDRs and ranges HOT 1
- firewalld reload/restart flushes tables not part of firewalld rules on version: 0.9.11 HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from firewalld.