0

I'm trying to configure firewalld (v0.4.4.2) on Debian 9 to REJECT invalid requests originating from an internal network.

However, if I set the default target of the zone in question to REJECT, the requests still appear to be dropped. (If I test it, I get connection times out instead of beeing rejected.)

According to the docs, REJECT is not statically assigned, but:

The %%REJECT%% target is used in block zone to reject (with default firewalld reject type) every packet not matching any rule.

So it seems that default reject type is the wrong one. I'm not sure how to change this. Thanks for any advice.

iptables -L (cropped):

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
INPUT_direct  all  --  anywhere             anywhere            
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere            
INPUT_ZONES  all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
[...]

Maybe firewalld is using the REJECT above, but it looks fine with icmp-host-prohibited. However I dont get that answer on a client.

iptables -vnL:

Chain IN_internal (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 IN_internal_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_internal_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_internal_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
Improve this question
5
  • 1
    The iptables rules are processed in order, and since you seem to have a DROP rule that matches all invalid packets before the REJECT rule, the processing may never reach the REJECT rule. However, iptables -L does not always tell the whole story: it omits the fields that would indicate if a particular rule applies to specific interface(s) only. You should probably use iptables -Lvn instead, so that the full meaning of each rule can be reviewed. Commented Dec 8, 2018 at 13:29
  • I see, I wasn't aware of that. However if I'm not mistaken this is solely managed by firewalld. Or could I just change the order? Wouldn't that interfere with firewalld? Commented Dec 8, 2018 at 14:21
  • The internal chain ends with a REJECT. So that should be fine. Unfortunately I can't test it at the moment. If the the chain reaches a REJECT, it shouldn't matter what follows, right? Commented Dec 8, 2018 at 14:39
  • 1
    Yes, you're correct. You may want to place two REJECTs at the end of the internal chain: first one that matches the TCP protocol only and uses a TCP RST as its reject type (in iptables lingo, it's iptables [...] -p tcp -j REJECT --reject-with tcp-reset; I don't remember the firewalld equivalent right now), then another REJECT for everything else, using the default ICMP reject response. Commented Dec 8, 2018 at 15:47
  • Ah, thanks a lot! Yes it might be just a TCP related problem. I'll try to add a rich rule or something comparable for TCP and see if that work. If my memory serves me right, pings were actutally rejected, but a http request, for example, appeared to be dropped. So it might just have been the wrong answer (icmp-host-prohibited instead of tcp-reset). I'll update as soon as I've tested it. Commented Dec 8, 2018 at 16:00

1 Answer 1

Reset to default
1

Sometimes some operating systems may fail to respond appropriately to icmp-host-prohibited messages for TCP connections, as the classic expected way to reject a TCP connection is by a TCP RST packet. (Or maybe some firewalls fail to recognize that ICMP response as related to a TCP connection attempt, and filter it out?)

The default rejection method of iptables (and by extension, also firewalld) is icmp-host-prohibited, which attempts to be a "one-size-fits-all" rejection method applicable equally for all protocols. As a result, you may wish to add a custom rejection rule for TCP packets, using the reject type of tcp-reset.

The firewall-cmd syntax for the rich rule for TCP rejection would be something like this:

firewall-cmd --zone=internal --add-rich-rule='rule protocol value="tcp" reject type="tcp-reset"'
Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.