View Issue Details

ID: 0016751
Project: CentOS-8
Category: firewalld
View Status: public
Last Update: 2019-11-19 12:28
Reporter: cuf-centos
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Product Version: 8.0.1905
Target Version:
Fixed in Version:
Summary: 0016751: Rich rules do not work as intended when attempting to limit ICMP traffic.

Description:

I've got a vanilla server running CentOS8 on the network range 10.1.35.0/24 with local IP: 10.1.35.194/32

I want to grant ICMP and SSH access to a single host (10.1.35.55) only, using rich rules on a custom zone whose target is set to DROP traffic.

There seems to be a bug on the processing of the rich rules when attempting to limit ICMP traffic.

With the provided configuration any host in the 10.1.35.0/24 network range can send ICMP pings to the server 10.1.35.194, and not just the 10.1.35.55 host as intended.

This affects only ICMP; the rule that regulates TCP access to port 22 works as expected.

The expected behaviour is that ICMP traffic should only be accepted from the host with IP 10.1.35.55; ICMP traffic from any other host should be dropped.

I believe this to be a bug.
Steps To Reproduce:

How to reproduce the bug:

10.1.35.55 = the IP that we want to allow both SSH and ICMP access for; change it to the IP you intend to use for testing.

ens3 = interface name; change it to your interface name.

# Create a new zone
firewall-cmd --permanent --new-zone=000-interwebs

# Set the zone target to DROP
firewall-cmd --permanent --zone=000-interwebs --set-target=DROP

# Set the new zone to be the default zone
firewall-cmd --set-default-zone=000-interwebs

# Attach the interface to the new zone
firewall-cmd --permanent --change-zone=ens3 --zone=000-interwebs

# Add two rich rules
firewall-cmd --permanent --zone=000-interwebs --add-rich-rule='rule family=ipv4 source address="10.1.35.55/32" port port=22 protocol=tcp accept'
firewall-cmd --permanent --zone=000-interwebs --add-rich-rule='rule family=ipv4 source address="10.1.35.55/32" protocol value=icmp accept'

# Reload the configuration
firewall-cmd --reload

Ping the server IP from any host in the network other than 10.1.35.55. It should drop the ICMP request; however, firewalld allows the ICMP traffic to go through.
Tags: No tags attached.
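The script below is an added example, not part of the bug report and not firewalld's own tooling. It wraps the reporter's steps into a parameterised, input-checked POSIX shell script with a dry-run default, and adds a post-reload check that reads `firewall-cmd --zone=... --list-all` and confirms the zone target is DROP, the interface is bound, and both rich rules are loaded. The variable and function names (ZONE, ALLOWED_HOST, IFACE, DRY_RUN, check_listing, and so on) are choices made here; the firewall-cmd options are those used in the report plus `--change-interface` and `--list-all` from firewall-cmd(1). Two design choices differ from the report's ordering: `--set-default-zone` runs after `--reload`, because a zone created with `--permanent --new-zone` is not known at runtime until the reload, and the listing patterns accept firewalld's normalised output, in which rich-rule values are printed quoted. The constructed listings in `self_check` are made up for the example, not captured from a real host. Note that the check only proves the rules are loaded; whether ICMP from a non-allowed host is actually dropped, which is what the report disputes, still has to be confirmed with a ping from such a host.

```shell
#!/bin/sh
# Added example, not part of the bug report and not firewalld's own tooling:
# apply the reporter's zone configuration from parameters, then verify the
# resulting zone listing. ZONE, ALLOWED_HOST, IFACE, DRY_RUN and the function
# names are choices made here. firewall-cmd options are those in the report
# plus --change-interface and --list-all from firewall-cmd(1).

ZONE="${ZONE:-000-interwebs}"
ALLOWED_HOST="${ALLOWED_HOST:-10.1.35.55}"
IFACE="${IFACE:-ens3}"
DRY_RUN="${DRY_RUN:-1}"    # 1 = only print the commands (safe default)

# valid_ipv4 ADDR: exactly four decimal octets, each 0-255.
valid_ipv4() {
    case $1 in ''|.*|*.|*..*) return 1 ;; esac
    IFS=.; set -- $1; unset IFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in *[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# rich_rule_ssh HOST / rich_rule_icmp HOST: the two rich rules from the report.
rich_rule_ssh()  { printf 'rule family=ipv4 source address="%s/32" port port=22 protocol=tcp accept' "$1"; }
rich_rule_icmp() { printf 'rule family=ipv4 source address="%s/32" protocol value=icmp accept' "$1"; }

# run CMD ARG...: execute, or in dry-run mode print a copy-pasteable line.
run() {
    if [ "$DRY_RUN" != 1 ]; then "$@"; return; fi
    for a in "$@"; do
        case $a in *" "*|*'"'*) printf "'%s' " "$a" ;; *) printf '%s ' "$a" ;; esac
    done
    echo
}

# apply_policy: the reporter's steps, parameterised and input-checked.
# --set-default-zone runs after --reload because a zone created with
# --permanent --new-zone is not known at runtime until the reload.
apply_policy() {
    valid_ipv4 "$ALLOWED_HOST" || { echo "invalid ALLOWED_HOST: $ALLOWED_HOST" >&2; return 1; }
    run firewall-cmd --permanent --new-zone="$ZONE"
    run firewall-cmd --permanent --zone="$ZONE" --set-target=DROP
    run firewall-cmd --permanent --zone="$ZONE" --change-interface="$IFACE"
    run firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$(rich_rule_ssh "$ALLOWED_HOST")"
    run firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$(rich_rule_icmp "$ALLOWED_HOST")"
    run firewall-cmd --reload
    run firewall-cmd --set-default-zone="$ZONE"
}

# check_listing FILE HOST IFACE: inspect saved `firewall-cmd --zone=... --list-all`
# output for what the report relies on: DROP target, the interface bound to the
# zone, and both rich rules. firewalld lists rich rules in a normalised form
# with quoted values, so the quotes are optional in the patterns.
check_listing() {
    f=$1; host=$(printf '%s' "$2" | sed 's/\./\\./g'); ifc=$3
    grep -Eq '^[[:space:]]*target:[[:space:]]*DROP[[:space:]]*$' "$f" ||
        { echo "check: zone target is not DROP" >&2; return 1; }
    grep -Eq "^[[:space:]]*interfaces:.*[[:space:]]$ifc([[:space:]]|$)" "$f" ||
        { echo "check: $ifc is not bound to the zone" >&2; return 1; }
    grep -Eq "source address=\"?$host/32\"?.*port port=\"?22\"?.*protocol=\"?tcp\"?.*accept" "$f" ||
        { echo "check: SSH rich rule missing" >&2; return 1; }
    grep -Eq "source address=\"?$host/32\"?.*protocol value=\"?icmp\"?.*accept" "$f" ||
        { echo "check: ICMP rich rule missing" >&2; return 1; }
}

# verify_policy: run check_listing against the live zone (skipped in dry-run).
# This only proves the rules are loaded; whether ICMP from other hosts is
# actually dropped, the report's complaint, still needs a ping from such a host.
verify_policy() {
    [ "$DRY_RUN" = 1 ] && { echo "dry run: live verification skipped"; return 0; }
    tmp=$(mktemp) || return 1
    firewall-cmd --zone="$ZONE" --list-all > "$tmp"
    check_listing "$tmp" "$ALLOWED_HOST" "$IFACE"; rc=$?
    rm -f "$tmp"; return $rc
}

# self_check: constructed listings (not captured from a real host) exercising
# check_listing: one matching the report's setup, one with target left "default".
self_check() {
    good=$(mktemp); bad=$(mktemp)
    printf '%s\n' "$ZONE (active)" '  target: DROP' "  interfaces: $IFACE" '  rich rules: ' \
      '  rule family="ipv4" source address="10.1.35.55/32" port port="22" protocol="tcp" accept' \
      '  rule family="ipv4" source address="10.1.35.55/32" protocol value="icmp" accept' > "$good"
    sed 's/target: DROP/target: default/' "$good" > "$bad"
    check_listing "$good" 10.1.35.55 "$IFACE" && ! check_listing "$bad" 10.1.35.55 "$IFACE" 2>/dev/null
    rc=$?; rm -f "$good" "$bad"; return $rc
}

apply_policy
verify_policy
```

Run it as-is to see the exact commands it would issue for your values of ALLOWED_HOST and IFACE; run it with DRY_RUN=0 as root to apply them and have the zone listing checked afterwards.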

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2019-11-19 12:28 cuf-centos New Issue