View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0016751||CentOS-8||firewalld||public||2019-11-19 12:28||2019-11-19 12:28|
|Target Version||Fixed in Version|
|Summary||0016751: Rich rules do not work as intended when attempting to limit ICMP traffic.|
|Description||I've got a vanilla server running CentOS 8 on the network range 10.1.35.0/24 with the local IP 10.1.35.194/32.|
I want to grant ICMP and SSH access to a single host (10.1.35.55) only, using rich rules on a custom zone whose target is set to DROP.
There seems to be a bug in the processing of rich rules when attempting to limit ICMP traffic.
With the provided configuration, any host in the 10.1.35.0/24 network range can send ICMP pings to the server 10.1.35.194, not just the 10.1.35.55 host as intended.
This affects only ICMP; the rule that regulates TCP access to port 22 works as expected.
The expected behaviour is that ICMP traffic should only be accepted from the host with IP 10.1.35.55; ICMP traffic from any other host should be dropped.
I believe this to be a bug.
|Steps To Reproduce||How to reproduce the bug:|
10.1.35.55 = the IP that we want to allow both SSH and ICMP access for; change it to the IP you intend to use for testing.
ens3 = the interface name; change it to your interface name.
# Create a new zone
firewall-cmd --permanent --new-zone=000-interwebs
# Set the zone target to DROP
firewall-cmd --permanent --zone=000-interwebs --set-target=DROP
# Set the new zone to be the default zone (runtime and permanent change)
firewall-cmd --set-default-zone=000-interwebs
# Attach the interface to the new zone
firewall-cmd --permanent --change-zone=ens3 --zone=000-interwebs
# Add two rich rules: SSH from the single host, and ICMP from the single host
firewall-cmd --permanent --zone=000-interwebs --add-rich-rule='rule family=ipv4 source address="10.1.35.55/32" port port=22 protocol=tcp accept'
firewall-cmd --permanent --zone=000-interwebs --add-rich-rule='rule family=ipv4 source address="10.1.35.55/32" protocol value=icmp accept'
# Reload the configuration so the permanent rules take effect
firewall-cmd --reload
Ping the server IP from any host in the network other than 10.1.35.55. It should drop the ICMP request; however, firewalld allows the ICMP traffic to go through.
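When a rich rule does not behave as expected, the useful check is the ruleset firewalld actually generated, not the rich-rule text. The script below is an added example, not part of this bug report or of firewalld: it reads nftables ruleset text (as printed by `nft list ruleset` on a CentOS 8 host using firewalld's nftables backend) and lists every rule in the given zone's chains that accepts ICMP without any source-address match. The embedded ruleset is constructed for illustration; it assumes firewalld's `filter_IN_<zone>_<stage>` chain naming, and the rule wording on a real system must be taken from `nft list ruleset` itself. Hosts using the iptables backend would need `iptables -S` and a different parser.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a firewalld-generated nftables
# ruleset for ICMP accept rules in a zone's chains that carry no source match.

# broad_icmp_accepts ZONE < ruleset-text
# Prints "chain<TAB>rule" for each rule inside a chain belonging to ZONE that
# contains "accept" and "icmp" but no "saddr" (IPv4 or IPv6 source) match.
# Chain membership is decided by the "_<zone>_" substring in the chain name,
# which is how firewalld names its per-zone chains (assumption; verify locally).
broad_icmp_accepts() {
    awk -v zone="$1" '
        /^[[:space:]]*chain /          { chain = $2; next }      # enter a chain
        /^[[:space:]]*}[[:space:]]*$/   { chain = ""; next }      # leave chain/table
        chain == "" || index(chain, "_" zone "_") == 0 { next }   # other zones
        /accept/ && /icmp/ && !/saddr/ {
            sub(/^[[:space:]]+/, "")
            print chain "\t" $0
        }'
}

# count_broad_icmp ZONE < ruleset-text : number of such rules, for scripting.
count_broad_icmp() {
    broad_icmp_accepts "$1" | wc -l | tr -d ' '
}

# CONSTRUCTED sample in the style of firewalld's nftables backend. The third
# rule in the allow chain is the kind of entry that would explain the report:
# an ICMP accept with no "ip saddr" restriction, so every host's ping passes.
SAMPLE_RULESET='table inet firewalld {
    chain filter_IN_000-interwebs_allow {
        ip saddr 10.1.35.55 tcp dport 22 ct state new,untracked accept
        ip saddr 10.1.35.55 meta l4proto icmp accept
        meta l4proto icmp accept
    }
    chain filter_IN_000-interwebs_deny {
    }
    chain filter_IN_public_allow {
        meta l4proto icmp accept
    }
}'

echo "ICMP accepts without a source match in zone 000-interwebs (constructed sample):"
printf '%s\n' "$SAMPLE_RULESET" | broad_icmp_accepts 000-interwebs
```

To run it against a live host, source the file and pipe the real ruleset in: `nft list ruleset | broad_icmp_accepts 000-interwebs`. An empty result means every ICMP accept in that zone is source-restricted; any printed line is a rule to explain before trusting the zone's DROP target for ICMP.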
|Tags||No tags attached.|