View Issue Details

ID: 0017310
Project: CentOS-8
Category: firewalld
View Status: public
Last Update: 2020-04-30 02:22
Reporter: amarand
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
Platform: x86_64
OS: CentOS
OS Version: 8.1.1911
Product Version: 8.1.1911
Target Version: (not set)
Fixed in Version: (not set)
Summary: 0017310: Current version of firewalld blocking return RELATED,ESTABLISHED packets (int/ext/nat)

Description:
I have a fairly basic firewalld configuration, which has been working since CentOS 8.0.

Internal (enp2s0)
External (enp3s0)

I had things configured using the three entries I've always used in the past for masquerade/NAT:

firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o enp3s0 -j MASQUERADE
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i enp2s0 -o enp3s0 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i enp3s0 -o enp2s0 -m state --state RELATED,ESTABLISHED -j ACCEPT

All of these entries show up in the runtime and permanent. I have verified this within the firewall-config app. I've also rebooted numerous times, although I know I can just reload/restart the firewall as well.

After some digging, I found out that "-m state --state" is deprecated, so I shifted the command to:

# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i enp2s0 -o enp3s0 -j ACCEPT
-A FORWARD -i enp3s0 -o enp2s0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Did not resolve the issue.

Checked masq:

firewall-cmd --zone=external --query-masquerade
yes

I can communicate out-bound using 443, but there are issues with, for example, going to https://appleid.apple.com which, after popping a window to https://idmsa.apple.com displays:

Secure Connection Failed

An error occurred during a connection to idmsa.apple.com. PR_CONNECT_RESET_ERROR

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.
Steps To Reproduce:
On any PC running Windows 10, I connect using any browser to https://appleid.apple.com/

In the center of the window (which did load), a pop-up attempts to load for authentication to https://idmsa.apple.com/

Connection is blocked with a "Connection Reset" error in some browsers, "PR_CONNECT_RESET_ERROR" in Firefox.

I am able to connect the same laptop directly to the cable modem, get an external static IP address from the ISP, and the error goes away. I am also able to connect to this site directly on the CentOS server acting as a firewall/router with no issues.
Additional Information:
I've enabled the logs, and I can see tons of errors like this:

Apr 29 20:29:12 home kernel: filter_IN_external_REJECT: IN=enp3s0 OUT= MAC=*28DigitMacAddress* SRC=17.167.194.224 DST=*HomeStaticIPv4Addr* LEN=52 TOS=0x00 PREC=0x00 TTL=239 ID=61549 DF PROTO=TCP SPT=443 DPT=51337 WINDOW=320 RES=0x00 ACK URGP=0

IP: 17.167.194.224
Decimal: 296207072
Hostname: 17.167.194.224
ASN: 714
ISP: Apple
Organization: Apple

So these coincide with the connections that are being blocked. Each time it attempts to connect and throws this error, I see another entry in the log for this site.

Please let me know what additional information is required.

*** firewall-cmd --list-all-zones

block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


drop
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


external (active)
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: enp3s0
  sources:
  services: http https imap imaps smtp smtps
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="205.166.94.0/24" service name="ssh" log level="notice" accept

home
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


internal (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: enp2s0
  sources:
  services: RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bb bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc bittorrent-lsd ceph ceph-mon cfengine cockpit condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns dns-over-tls docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git grafana gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kdeconnect kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns memcache minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy prometheus proxy-dhcp ptp pulseaudio puppetmaster quassel radius rdp redis redis-sentinel rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync spotify-sync squid ssdp ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tentacle tftp tftp-client tile38 tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server
  ports: 5201/tcp
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


libvirt
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcp dhcpv6 dns ssh tftp
  ports:
  protocols: icmp ipv6-icmp
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule priority="32767" reject

public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports: 3389/tcp 5201/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

# nmcli device status
DEVICE TYPE STATE CONNECTION
enp3s0 ethernet connected External Wired
enp2s0 ethernet connected Internal Wired

As an aside, I know that the Internal zone has ALL of the services checked, but that's only because I wasn't sure if there was a service listed that I needed to enable. Basically, I'd like ALL traffic to not be blocked going out, and any RELATED,ESTABLISHED connections should obviously come back in.

This worked fine a few weeks ago before I performed an upgrade from 0.7.0 to 0.7.0_5. So something changed?

** firewalld.config entries:

DefaultZone=public
CleanupOnExit=yes
Lockdown=no
IPv6_rpfilter=yes
IndividualCalls=no
LogDenied=off
AutomaticHelpers=system
FirewallBackend=nftables
FlushAllOnReload=yes
RFC3964_IPv4=yes
AllowZoneDrifting=no

I also tried setting "AllowZoneDrifting=" to yes, and "AutomaticHelpers=" to both yes and no - no difference.

Tags: No tags attached.
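As an added example (not from the report and not firewalld's own code), a small Python parser for the kernel log entries quoted above, with a check that flags rejected packets on the external INPUT path that look like the reply half of an outbound TCP connection; the sample log lines, the MAC and the DST address are constructed placeholders.

```python
import re

# Constructed sample lines modelled on the report's filter_IN_external_REJECT entry;
# the MAC and the DST address are placeholders, not the reporter's values.
SAMPLE_LOG = """\
Apr 29 20:29:12 home kernel: filter_IN_external_REJECT: IN=enp3s0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=17.167.194.224 DST=198.51.100.10 LEN=52 TOS=0x00 PREC=0x00 TTL=239 ID=61549 DF PROTO=TCP SPT=443 DPT=51337 WINDOW=320 RES=0x00 ACK URGP=0
Apr 29 20:29:13 home kernel: filter_IN_external_REJECT: IN=enp3s0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 29 20:29:14 home kernel: filter_FWD_internal_ACCEPT: IN=enp2s0 OUT=enp3s0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=17.167.194.224 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=7 DF PROTO=TCP SPT=51337 DPT=443 WINDOW=501 RES=0x00 ACK URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
PREFIX_RE = re.compile(r"kernel: (?P<prefix>\S+): (?P<rest>.*)$")

def parse_nflog_line(line):
    """Parse one netfilter log line: KEY=VALUE tokens become entries, TCP flag tokens go into 'flags', other bare tokens (DF) become True."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = {"prefix": m.group("prefix"), "flags": set()}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:
            fields["flags"].add(tok)
        else:
            fields[tok] = True
    return fields

def is_rejected_return_traffic(fields):
    """True for a REJECT/DROP hit on the INPUT path with ACK set, SYN clear, a well-known
    source port and an ephemeral destination port: conntrack did not treat it as ESTABLISHED."""
    if fields is None or fields.get("PROTO") != "TCP":
        return False
    prefix = fields["prefix"]
    if not prefix.startswith("filter_IN_") or not prefix.endswith(("_REJECT", "_DROP")):
        return False
    flags = fields["flags"]
    return ("ACK" in flags and "SYN" not in flags
            and int(fields["SPT"]) < 1024 and int(fields["DPT"]) >= 32768)

def find_broken_return_flows(log_text):
    """Return (SRC, SPT, DPT) for every rejected packet that should have matched RELATED,ESTABLISHED."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_nflog_line(line)
        if is_rejected_return_traffic(fields):
            hits.append((fields["SRC"], int(fields["SPT"]), int(fields["DPT"])))
    return hits
```

Run it over `journalctl -k` output (with LogDenied enabled) to confirm whether the rejects are confined to return traffic of flows the host or the LAN initiated.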

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2020-04-30 02:22 amarand New Issue