Firewalld %%REJECT%%
up vote
0
down vote
favorite
I'm trying to configure firewalld (v0.4.4.2) on Debian 9 to REJECT invalid requests originating from an internal network.
However, if I set the default target of the zone in question to REJECT, the requests still appear to be dropped. (If I test it, I get connection times out instead of beeing rejected.)
According to the docs, REJECT is not statically assigned, but:
The %%REJECT%% target is used in block zone to reject (with default
firewalld reject type) every packet not matching any rule.
So it seems that default reject type is the wrong one.
I'm not sure how to change this. Thanks for any advice.
iptables -L (cropped):
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
[...]
Maybe firewalld is using the REJECT above, but it looks fine with icmp-host-prohibited. However I dont get that answer on a client.
iptables -vnL:
Chain IN_internal (1 references)
pkts bytes target prot opt in out source destination
0 0 IN_internal_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 IN_internal_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 IN_internal_allow all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
firewall firewalld
asked 2 days ago
rudib
398314
add a comment |
up vote
0
down vote
favorite
I'm trying to configure firewalld (v0.4.4.2) on Debian 9 to REJECT invalid requests originating from an internal network.
However, if I set the default target of the zone in question to REJECT, the requests still appear to be dropped. (If I test it, I get connection times out instead of beeing rejected.)
According to the docs, REJECT is not statically assigned, but:
The %%REJECT%% target is used in block zone to reject (with default
firewalld reject type) every packet not matching any rule.
So it seems that default reject type is the wrong one.
I'm not sure how to change this. Thanks for any advice.
iptables -L (cropped):
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
[...]
Maybe firewalld is using the REJECT above, but it looks fine with icmp-host-prohibited. However I dont get that answer on a client.
iptables -vnL:
Chain IN_internal (1 references)
pkts bytes target prot opt in out source destination
0 0 IN_internal_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 IN_internal_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 IN_internal_allow all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
firewall firewalld
asked 2 days ago
rudib
398314
1
Theiptablesrules are processed in order, and since you seem to have a DROP rule that matches all invalid packets before the REJECT rule, the processing may never reach the REJECT rule. However,iptables -Ldoes not always tell the whole story: it omits the fields that would indicate if a particular rule applies to specific interface(s) only. You should probably useiptables -Lvninstead, so that the full meaning of each rule can be reviewed.
– telcoM
2 days ago
I see, I wasn't aware of that. However if I'm not mistaken this is solely managed by firewalld. Or could I just change the order? Wouldn't that interfere with firewalld?
– rudib
2 days ago
The internal chain ends with a REJECT. So that should be fine. Unfortunately I can't test it at the moment. If the the chain reaches a REJECT, it shouldn't matter what follows, right?
– rudib
2 days ago
1
Yes, you're correct. You may want to place two REJECTs at the end of the internal chain: first one that matches the TCP protocol only and uses a TCP RST as its reject type (iniptableslingo, it'siptables [...] -p tcp -j REJECT --reject-with tcp-reset; I don't remember thefirewalldequivalent right now), then another REJECT for everything else, using the default ICMP reject response.
– telcoM
2 days ago
Ah, thanks a lot! Yes it might be just a TCP related problem. I'll try to add a rich rule or something comparable for TCP and see if that work. If my memory serves me right, pings were actutally rejected, but a http request, for example, appeared to be dropped. So it might just have been the wrong answer (icmp-host-prohibitedinstead oftcp-reset). I'll update as soon as I've tested it.
– rudib
2 days ago
add a comment |
up vote
0
down vote
favorite
up vote
0
down vote
favorite
I'm trying to configure firewalld (v0.4.4.2) on Debian 9 to REJECT invalid requests originating from an internal network.
However, if I set the default target of the zone in question to REJECT, the requests still appear to be dropped. (If I test it, I get connection times out instead of beeing rejected.)
According to the docs, REJECT is not statically assigned, but:
The %%REJECT%% target is used in block zone to reject (with default
firewalld reject type) every packet not matching any rule.
So it seems that default reject type is the wrong one.
I'm not sure how to change this. Thanks for any advice.
iptables -L (cropped):
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
[...]
Maybe firewalld is using the REJECT above, but it looks fine with icmp-host-prohibited. However I dont get that answer on a client.
iptables -vnL:
Chain IN_internal (1 references)
pkts bytes target prot opt in out source destination
0 0 IN_internal_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 IN_internal_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 IN_internal_allow all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
firewall firewalld
asked 2 days ago
rudib
398314
I'm trying to configure firewalld (v0.4.4.2) on Debian 9 to REJECT invalid requests originating from an internal network.
However, if I set the default target of the zone in question to REJECT, the requests still appear to be dropped. (If I test it, I get connection times out instead of beeing rejected.)
According to the docs, REJECT is not statically assigned, but:
The %%REJECT%% target is used in block zone to reject (with default
firewalld reject type) every packet not matching any rule.
So it seems that default reject type is the wrong one.
I'm not sure how to change this. Thanks for any advice.
iptables -L (cropped):
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
[...]
Maybe firewalld is using the REJECT above, but it looks fine with icmp-host-prohibited. However I dont get that answer on a client.
iptables -vnL:
Chain IN_internal (1 references)
pkts bytes target prot opt in out source destination
0 0 IN_internal_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 IN_internal_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 IN_internal_allow all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
firewall firewalld
firewall firewalld
asked 2 days ago
rudib
398314
asked 2 days ago
rudib
398314
edited 2 days ago
asked 2 days ago
rudib
398314
asked 2 days ago
rudib
398314
asked 2 days ago
rudib
398314
398314
1
Theiptablesrules are processed in order, and since you seem to have a DROP rule that matches all invalid packets before the REJECT rule, the processing may never reach the REJECT rule. However,iptables -Ldoes not always tell the whole story: it omits the fields that would indicate if a particular rule applies to specific interface(s) only. You should probably useiptables -Lvninstead, so that the full meaning of each rule can be reviewed.
– telcoM
2 days ago
I see, I wasn't aware of that. However if I'm not mistaken this is solely managed by firewalld. Or could I just change the order? Wouldn't that interfere with firewalld?
– rudib
2 days ago
The internal chain ends with a REJECT. So that should be fine. Unfortunately I can't test it at the moment. If the the chain reaches a REJECT, it shouldn't matter what follows, right?
– rudib
2 days ago
1
Yes, you're correct. You may want to place two REJECTs at the end of the internal chain: first one that matches the TCP protocol only and uses a TCP RST as its reject type (iniptableslingo, it'siptables [...] -p tcp -j REJECT --reject-with tcp-reset; I don't remember thefirewalldequivalent right now), then another REJECT for everything else, using the default ICMP reject response.
– telcoM
2 days ago
Ah, thanks a lot! Yes it might be just a TCP related problem. I'll try to add a rich rule or something comparable for TCP and see if that work. If my memory serves me right, pings were actutally rejected, but a http request, for example, appeared to be dropped. So it might just have been the wrong answer (icmp-host-prohibitedinstead oftcp-reset). I'll update as soon as I've tested it.
– rudib
2 days ago
add a comment |
1
Theiptablesrules are processed in order, and since you seem to have a DROP rule that matches all invalid packets before the REJECT rule, the processing may never reach the REJECT rule. However,iptables -Ldoes not always tell the whole story: it omits the fields that would indicate if a particular rule applies to specific interface(s) only. You should probably useiptables -Lvninstead, so that the full meaning of each rule can be reviewed.
– telcoM
2 days ago
I see, I wasn't aware of that. However if I'm not mistaken this is solely managed by firewalld. Or could I just change the order? Wouldn't that interfere with firewalld?
– rudib
2 days ago
The internal chain ends with a REJECT. So that should be fine. Unfortunately I can't test it at the moment. If the the chain reaches a REJECT, it shouldn't matter what follows, right?
– rudib
2 days ago
1
Yes, you're correct. You may want to place two REJECTs at the end of the internal chain: first one that matches the TCP protocol only and uses a TCP RST as its reject type (iniptableslingo, it'siptables [...] -p tcp -j REJECT --reject-with tcp-reset; I don't remember thefirewalldequivalent right now), then another REJECT for everything else, using the default ICMP reject response.
– telcoM
2 days ago
Ah, thanks a lot! Yes it might be just a TCP related problem. I'll try to add a rich rule or something comparable for TCP and see if that work. If my memory serves me right, pings were actutally rejected, but a http request, for example, appeared to be dropped. So it might just have been the wrong answer (icmp-host-prohibitedinstead oftcp-reset). I'll update as soon as I've tested it.
– rudib
2 days ago
1
1
The
iptables rules are processed in order, and since you seem to have a DROP rule that matches all invalid packets before the REJECT rule, the processing may never reach the REJECT rule. However, iptables -L does not always tell the whole story: it omits the fields that would indicate if a particular rule applies to specific interface(s) only. You should probably use iptables -Lvn instead, so that the full meaning of each rule can be reviewed.– telcoM
2 days ago
The
iptables rules are processed in order, and since you seem to have a DROP rule that matches all invalid packets before the REJECT rule, the processing may never reach the REJECT rule. However, iptables -L does not always tell the whole story: it omits the fields that would indicate if a particular rule applies to specific interface(s) only. You should probably use iptables -Lvn instead, so that the full meaning of each rule can be reviewed.– telcoM
2 days ago
I see, I wasn't aware of that. However if I'm not mistaken this is solely managed by firewalld. Or could I just change the order? Wouldn't that interfere with firewalld?
– rudib
2 days ago
I see, I wasn't aware of that. However if I'm not mistaken this is solely managed by firewalld. Or could I just change the order? Wouldn't that interfere with firewalld?
– rudib
2 days ago
The internal chain ends with a REJECT. So that should be fine. Unfortunately I can't test it at the moment. If the the chain reaches a REJECT, it shouldn't matter what follows, right?
– rudib
2 days ago
The internal chain ends with a REJECT. So that should be fine. Unfortunately I can't test it at the moment. If the the chain reaches a REJECT, it shouldn't matter what follows, right?
– rudib
2 days ago
1
1
Yes, you're correct. You may want to place two REJECTs at the end of the internal chain: first one that matches the TCP protocol only and uses a TCP RST as its reject type (in
iptables lingo, it's iptables [...] -p tcp -j REJECT --reject-with tcp-reset; I don't remember the firewalld equivalent right now), then another REJECT for everything else, using the default ICMP reject response.– telcoM
2 days ago
Yes, you're correct. You may want to place two REJECTs at the end of the internal chain: first one that matches the TCP protocol only and uses a TCP RST as its reject type (in
iptables lingo, it's iptables [...] -p tcp -j REJECT --reject-with tcp-reset; I don't remember the firewalld equivalent right now), then another REJECT for everything else, using the default ICMP reject response.– telcoM
2 days ago
Ah, thanks a lot! Yes it might be just a TCP related problem. I'll try to add a rich rule or something comparable for TCP and see if that work. If my memory serves me right, pings were actutally rejected, but a http request, for example, appeared to be dropped. So it might just have been the wrong answer (
icmp-host-prohibited instead of tcp-reset). I'll update as soon as I've tested it.– rudib
2 days ago
Ah, thanks a lot! Yes it might be just a TCP related problem. I'll try to add a rich rule or something comparable for TCP and see if that work. If my memory serves me right, pings were actutally rejected, but a http request, for example, appeared to be dropped. So it might just have been the wrong answer (
icmp-host-prohibited instead of tcp-reset). I'll update as soon as I've tested it.– rudib
2 days ago
add a comment |
1 Answer
1
active
oldest
votes
up vote
1
down vote
Sometimes some operating systems may fail to respond appropriately to icmp-host-prohibited messages for TCP connections, as the classic expected way to reject a TCP connection is by a TCP RST packet. (Or maybe some firewalls fail to recognize that ICMP response as related to a TCP connection attempt, and filter it out?)
The default rejection method of iptables (and by extension, also firewalld) is icmp-host-prohibited, which attempts to be a "one-size-fits-all" rejection method applicable equally for all protocols. As a result, you may wish to add a custom rejection rule for TCP packets, using the reject type of tcp-reset.
The firewall-cmd syntax for the rich rule for TCP rejection would be something like this:
firewall-cmd --zone=internal --add-rich-rule='rule protocol value="tcp" reject type="tcp-reset"'
answered 2 days ago
telcoM
15.3k12143
add a comment |
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
1
down vote
Sometimes some operating systems may fail to respond appropriately to icmp-host-prohibited messages for TCP connections, as the classic expected way to reject a TCP connection is by a TCP RST packet. (Or maybe some firewalls fail to recognize that ICMP response as related to a TCP connection attempt, and filter it out?)
The default rejection method of iptables (and by extension, also firewalld) is icmp-host-prohibited, which attempts to be a "one-size-fits-all" rejection method applicable equally for all protocols. As a result, you may wish to add a custom rejection rule for TCP packets, using the reject type of tcp-reset.
The firewall-cmd syntax for the rich rule for TCP rejection would be something like this:
firewall-cmd --zone=internal --add-rich-rule='rule protocol value="tcp" reject type="tcp-reset"'
answered 2 days ago
telcoM
15.3k12143
add a comment |
up vote
1
down vote
Sometimes some operating systems may fail to respond appropriately to icmp-host-prohibited messages for TCP connections, as the classic expected way to reject a TCP connection is by a TCP RST packet. (Or maybe some firewalls fail to recognize that ICMP response as related to a TCP connection attempt, and filter it out?)
The default rejection method of iptables (and by extension, also firewalld) is icmp-host-prohibited, which attempts to be a "one-size-fits-all" rejection method applicable equally for all protocols. As a result, you may wish to add a custom rejection rule for TCP packets, using the reject type of tcp-reset.
The firewall-cmd syntax for the rich rule for TCP rejection would be something like this:
firewall-cmd --zone=internal --add-rich-rule='rule protocol value="tcp" reject type="tcp-reset"'
answered 2 days ago
telcoM
15.3k12143
add a comment |
up vote
1
down vote
up vote
1
down vote
Sometimes some operating systems may fail to respond appropriately to icmp-host-prohibited messages for TCP connections, as the classic expected way to reject a TCP connection is by a TCP RST packet. (Or maybe some firewalls fail to recognize that ICMP response as related to a TCP connection attempt, and filter it out?)
The default rejection method of iptables (and by extension, also firewalld) is icmp-host-prohibited, which attempts to be a "one-size-fits-all" rejection method applicable equally for all protocols. As a result, you may wish to add a custom rejection rule for TCP packets, using the reject type of tcp-reset.
The firewall-cmd syntax for the rich rule for TCP rejection would be something like this:
firewall-cmd --zone=internal --add-rich-rule='rule protocol value="tcp" reject type="tcp-reset"'
answered 2 days ago
telcoM
15.3k12143
Sometimes some operating systems may fail to respond appropriately to icmp-host-prohibited messages for TCP connections, as the classic expected way to reject a TCP connection is by a TCP RST packet. (Or maybe some firewalls fail to recognize that ICMP response as related to a TCP connection attempt, and filter it out?)
The default rejection method of iptables (and by extension, also firewalld) is icmp-host-prohibited, which attempts to be a "one-size-fits-all" rejection method applicable equally for all protocols. As a result, you may wish to add a custom rejection rule for TCP packets, using the reject type of tcp-reset.
The firewall-cmd syntax for the rich rule for TCP rejection would be something like this:
firewall-cmd --zone=internal --add-rich-rule='rule protocol value="tcp" reject type="tcp-reset"'
answered 2 days ago
telcoM
15.3k12143
edited 2 days ago
answered 2 days ago
telcoM
15.3k12143
answered 2 days ago
telcoM
15.3k12143
answered 2 days ago
telcoM
15.3k12143
15.3k12143
add a comment |
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f486758%2ffirewalld-reject%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
1
The
iptablesrules are processed in order, and since you seem to have a DROP rule that matches all invalid packets before the REJECT rule, the processing may never reach the REJECT rule. However,iptables -Ldoes not always tell the whole story: it omits the fields that would indicate if a particular rule applies to specific interface(s) only. You should probably useiptables -Lvninstead, so that the full meaning of each rule can be reviewed.– telcoM
2 days ago
I see, I wasn't aware of that. However if I'm not mistaken this is solely managed by firewalld. Or could I just change the order? Wouldn't that interfere with firewalld?
– rudib
2 days ago
The internal chain ends with a REJECT. So that should be fine. Unfortunately I can't test it at the moment. If the the chain reaches a REJECT, it shouldn't matter what follows, right?
– rudib
2 days ago
1
Yes, you're correct. You may want to place two REJECTs at the end of the internal chain: first one that matches the TCP protocol only and uses a TCP RST as its reject type (in
iptableslingo, it'siptables [...] -p tcp -j REJECT --reject-with tcp-reset; I don't remember thefirewalldequivalent right now), then another REJECT for everything else, using the default ICMP reject response.– telcoM
2 days ago
Ah, thanks a lot! Yes it might be just a TCP related problem. I'll try to add a rich rule or something comparable for TCP and see if that work. If my memory serves me right, pings were actutally rejected, but a http request, for example, appeared to be dropped. So it might just have been the wrong answer (
icmp-host-prohibitedinstead oftcp-reset). I'll update as soon as I've tested it.– rudib
2 days ago