I have two VMs, both with firewalld installed. On one machine I see this in the IN_public chain:

Chain IN_public (2 references)
 pkts bytes target          prot opt in  out  source     destination
   81  3423 IN_public_log   all  --  *   *    0.0.0.0/0  0.0.0.0/0
   81  3423 IN_public_deny  all  --  *   *    0.0.0.0/0  0.0.0.0/0
   81  3423 IN_public_allow all  --  *   *    0.0.0.0/0  0.0.0.0/0
   79  3335 REJECT          all  --  *   *    0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited
On the other I see:
Chain IN_public (2 references)
 pkts bytes target          prot opt in  out  source     destination
  101  4232 IN_public_log   all  --  *   *    0.0.0.0/0  0.0.0.0/0
  101  4232 IN_public_deny  all  --  *   *    0.0.0.0/0  0.0.0.0/0
  101  4232 IN_public_allow all  --  *   *    0.0.0.0/0  0.0.0.0/0
    1    84 ACCEPT          icmp --  *   *    0.0.0.0/0  0.0.0.0/0
As might be expected, pinging the first VM fails. That is, the ping is rejected with:

[emmett@ws1 ~]$ ping 96.92.106.4
PING 96.92.106.4 (96.92.106.4) 56(84) bytes of data.
From 96.92.106.4 icmp_seq=1 Destination Host Prohibited
From 96.92.106.4 icmp_seq=2 Destination Host Prohibited
And pinging the second works as expected.
I've searched the firewalld configuration files in /usr/lib/firewalld and /etc/firewalld and can find no reference to any icmp rule. The two machines were cloned originally from the same VM. Why are they different?
How can I remove the reject-with icmp rule using firewalld? I can remove it using "iptables -D [IN_public | FWDO_public | FWDI_public ] 4" and I can then ping that machine. But of course the rule is returned whenever firewalld is restarted.
Emmett
On Tue, 2017-12-19 at 15:05 -0800, Emmett Culley wrote:
> [snip]
> Emmett
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> https://lists.centos.org/mailman/listinfo/centos
What is the output of: firewall-cmd --list-all on the VMs?
On 12/19/2017 03:37 PM, Louis Lagendijk wrote:
> On Tue, 2017-12-19 at 15:05 -0800, Emmett Culley wrote:
>> [snip]
> What is the output of: firewall-cmd --list-all on the VMs?
That was the clue I needed. On the first machine:
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ftp_passiv http ssh https ftps
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
And the second:
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ftp_passiv http ssh https ftps
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Changing the target to "default" instead of "%%REJECT%%" by setting the zone policy to default in firewalld-config fixed it. Not sure why that would be, but I am happy with the result.
Thanks!
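The same change from the command line, added here as an example (it is not part of Emmett's message or of firewalld's own documentation). It assumes the affected zone is "public" (the listing above does not show the zone name), and it uses firewall-cmd's --get-target/--set-target options, which only work on the permanent configuration, so a --reload is needed afterwards. The zone_target helper parses --list-all output; the sample listing it is tested against is constructed from the first VM's output above.

```shell
#!/bin/sh
# Added example: inspect and change a firewalld zone target via firewall-cmd.
# Assumption: the zone in use is "public".

# Print the "target:" field of `firewall-cmd --zone=ZONE --list-all` text read on stdin.
zone_target() {
    awk '/^[[:space:]]*target:/ { print $2; exit }'
}

# Exit 0 when the listing passed as $1 shows target "default", 1 otherwise.
target_is_default() {
    [ "$(printf '%s\n' "$1" | zone_target)" = "default" ]
}

# Constructed --list-all excerpt mirroring the first VM in the thread.
VM1_LIST_ALL='public (active)
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: eth0
  services: ftp_passiv http ssh https ftps'

# Live procedure (needs a running firewalld; not exercised by the offline check):
# show the permanent target, set it to default, reload, and confirm the runtime target.
set_zone_target_default() {
    zone=${1:-public}
    firewall-cmd --permanent --zone="$zone" --get-target
    firewall-cmd --permanent --zone="$zone" --set-target=default
    firewall-cmd --reload
    firewall-cmd --zone="$zone" --list-all | zone_target
}

# Offline demonstration on the constructed listing.
printf 'first VM target: %s\n' "$(printf '%s\n' "$VM1_LIST_ALL" | zone_target)"
if target_is_default "$VM1_LIST_ALL"; then
    echo "zone target is default"
else
    echo "zone target is not default; run: set_zone_target_default public"
fi
```

Run set_zone_target_default on the affected VM to apply the change; the other three valid targets are ACCEPT, DROP and %%REJECT%%, and the one the zone carries decides what happens to traffic that none of the zone's services or rich rules matched.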
On 12/19/2017 3:55 PM, Emmett Culley wrote:
> That was the clue I needed.
I'm fighting a firewalld mystery myself, mostly a result of not really understanding the philosophy of the thing and trying to sleuth it out by black-boxing it. But fortunately this is open source, so I'm also grepping the firewalld sources to figure out where these mysteries are coming from:
https://github.com/firewalld/firewalld
firewalld creates a lot of iptables/netfilter rules, which makes it hard to follow what's going on. I may cobble together a netfilter visualization tool that will take iptables-save and convert it into a graph in GraphViz dot file format to try to figure out what's going on. I found a Python program that seems like a partial attempt to create this, but it seems incomplete. The dot files lack connections between the chains so I just get a bunch of floating bubbles with chain names. The program assumes that uppercase chain names are terminal nodes, and firewalld loves to create chains with uppercase names.
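An added example, written for this thread and not taken from firewalld or from the Python program mentioned above, that serves both the visualization idea in this message and the "why are the two IN_public chains different" question at the top of the thread. It parses the filter table of iptables-save output, emits a GraphViz dot graph with an edge for every -j/-g jump, and decides whether a jump target is terminal by checking whether the name was declared as a chain rather than by whether it is uppercase (the heuristic that left the chains disconnected). It also walks a chain the way netfilter would for a given protocol and reports the first ACCEPT/DROP/REJECT reached, which shows the first VM's unconditional REJECT versus the second VM's ICMP ACCEPT. The two iptables-save fragments are constructed from the `iptables -L -v -n` listings quoted in the thread, and the walker only honours -p as a match (conntrack state, ports and interfaces are treated as always matching); both are assumptions of this example.

```python
import re

# Match one "-A CHAIN <rule spec>" line of iptables-save output.
RULE_RE = re.compile(r"^-A (\S+)\s*(.*)$")

# Targets that decide a packet's fate. LOG, RETURN and mark targets do not.
VERDICTS = {"ACCEPT", "DROP", "REJECT"}

# Constructed iptables-save fragments (assumption: rebuilt from the two
# `iptables -L -v -n` listings quoted in the thread, not captured on the VMs).
VM1_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:IN_public - [0:0]
:IN_public_log - [0:0]
:IN_public_deny - [0:0]
:IN_public_allow - [0:0]
-A INPUT -i eth0 -j IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -j REJECT --reject-with icmp-host-prohibited
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
"""
# Same layout, but the zone target is "default": the chain ends with an ICMP
# accept instead of an unconditional REJECT.
VM2_SAVE = VM1_SAVE.replace(
    "-A IN_public -j REJECT --reject-with icmp-host-prohibited",
    "-A IN_public -p icmp -j ACCEPT",
)


def parse_iptables_save(text):
    """Return {chain_name: [rule, ...]} for the filter table.

    Every declared chain (":NAME ...") gets an entry, so a jump target that is
    absent from the dict is a built-in or extension target, not a user chain.
    Each rule keeps only what the walker needs: protocol and jump target.
    """
    chains, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif table != "filter":
            continue
        elif line.startswith(":"):
            chains.setdefault(line[1:].split()[0], [])
        else:
            m = RULE_RE.match(line)
            if not m:
                continue
            chain, toks = m.group(1), m.group(2).split()
            rule = {"proto": "all", "target": None}
            for i, tok in enumerate(toks[:-1]):
                if tok == "-p":
                    rule["proto"] = toks[i + 1]
                elif tok in ("-j", "-g"):
                    rule["target"] = toks[i + 1]
            chains.setdefault(chain, []).append(rule)
    return chains


def chain_edges(chains):
    """Every (chain, jump target) pair: the edge set of the chain graph."""
    return {(c, r["target"]) for c, rules in chains.items()
            for r in rules if r["target"]}


def to_dot(chains):
    """Render the chain graph in GraphViz dot: declared chains as ellipses,
    built-in and extension targets as boxes (decided by declaration, not case)."""
    out = ["digraph iptables {", "  rankdir=LR;"]
    out += [f'  "{c}" [shape=ellipse];' for c in chains]
    edges = sorted(chain_edges(chains))
    out += [f'  "{t}" [shape=box];'
            for t in sorted({t for _, t in edges if t not in chains})]
    out += [f'  "{s}" -> "{t}";' for s, t in edges]
    out.append("}")
    return "\n".join(out)


def verdict(chains, chain, proto, depth=0):
    """Walk `chain` for a packet of `proto` and return the first
    ACCEPT/DROP/REJECT reached, or None if the chain falls through to its
    caller. Assumption: only -p is honoured as a match; every other match
    (conntrack state, ports, interfaces) is treated as always matching."""
    if depth > 64:
        raise RecursionError(f"jump loop near chain {chain}")
    for rule in chains.get(chain, []):
        if rule["proto"] not in ("all", proto):
            continue
        target = rule["target"]
        if target in VERDICTS:
            return target
        if target == "RETURN":
            return None
        if target in chains:  # user chain: descend and propagate any verdict
            v = verdict(chains, target, proto, depth + 1)
            if v is not None:
                return v
        # LOG, mark targets and rules without a jump fall through to the next rule
    return None


if __name__ == "__main__":
    for name, text in (("vm1", VM1_SAVE), ("vm2", VM2_SAVE)):
        chains = parse_iptables_save(text)
        print(name, "ICMP entering INPUT ->", verdict(chains, "INPUT", "icmp"))
    print(to_dot(parse_iptables_save(VM1_SAVE)))
```

Feed real output with `iptables-save | python3 this_script.py` after swapping the constructed fragments for sys.stdin.read(), and pipe the dot text into `dot -Tsvg` to get the picture; for the thread's two VMs the walker returns REJECT for ICMP on the first chain and ACCEPT on the second, while UDP on the second chain returns None, meaning the zone chain makes no decision and the packet's fate is left to the INPUT chain that called it.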