Thanks for the sharp eye and explanation!
Is there a way to make firewalld accept the RST flagged connections?
Thanks and regards,
Koen
On 07/03/2022 08:25, Andrei Borzenkov wrote:
> On 07.03.2022 01:26, Koen Drai wrote:
>> Hi,
>>
>> I am running an AdGuard Home DNS server in my home network (on Debian 11, which is v0.9.3).
>>
>> Works fine so far, but I am getting the following error messages in syslog:
>> Mar 6 20:48:33 fook kernel: [160941.334608] "filter_IN_knet_REJECT: "IN=enp2s0 OUT= MAC=<MAC> SRC=5.9.164.112 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=TCP SPT=853 DPT=46170 WINDOW=0 RES=0x00 RST URGP=0
>>
>
> Packet has TCP RST flag.
>
>> However, this request should not be rejected according to the configuration:
>>
>> /etc/firewalld/zones/knet.xml
>> (...)
>> <rule family="ipv4">
>> <!-- 853 TCP AdGuard Home-->
>> <source-port port="853" protocol="tcp"/>
>> <accept/>
>> </rule>
>> (...)
>>
>>
>> --list-all:
>> (...)
>> rich rules:
>> (...)
>> rule family="ipv4" source-port port="853" protocol="tcp" accept
>> (...)
>>
>>
>> Similar behavior for source-port 443 TCP.
>>
>>
>> Am I missing something?
>
> Firewalld configures netfilter to accept initial packets (SYN flag for
> TCP) and related packets (for which a connection was established).
> Apparently the host sends RST without a previously established connection. It
> may happen. You can check the currently tracked connections in
> /proc/net/nf_conntrack.
>
>> Is this a known error (and fixed in a later version?)?
>>
>
> There is no bug here.
> _______________________________________________
> firewalld-users mailing list -- firewalld-users(a)lists.fedorahosted.org
> To unsubscribe send an email to firewalld-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedora...
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
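Added example (not part of the thread above, and not firewalld's own code): a small triage script for the kind of REJECT line Koen posted. It parses the netfilter LOG fields, classifies the packet by its TCP flags (a bare RST cannot open a connection, so it never matches a rule restricted to new connections and falls through to the zone's REJECT chain, as Andrei describes), and checks the 5-tuple against lines in the format of /proc/net/nf_conntrack to confirm that no tracked flow exists. The log line is the one from the post; the second log line, the conntrack entries, and the helper names are constructed for the example.

```python
import re

# Constructed sample: the REJECT line quoted in the thread (MAC elided as in
# the post) plus a hypothetical unsolicited SYN to a closed port for contrast.
SAMPLE_LOG = [
    'Mar 6 20:48:33 fook kernel: [160941.334608] "filter_IN_knet_REJECT: "IN=enp2s0 OUT= MAC=<MAC> '
    'SRC=5.9.164.112 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=TCP '
    'SPT=853 DPT=46170 WINDOW=0 RES=0x00 RST URGP=0',
    'Mar 6 20:50:01 fook kernel: [161029.000000] "filter_IN_knet_REJECT: "IN=enp2s0 OUT= MAC=<MAC> '
    'SRC=203.0.113.7 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP '
    'SPT=40000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0',
]

# Constructed /proc/net/nf_conntrack content (assumption: IPv4 entries in the
# kernel's usual layout): one tracked DNS-over-TLS flow to the same resolver,
# on a different local port than the logged RST, plus an unrelated UDP flow.
SAMPLE_CONNTRACK = [
    'ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.1 dst=5.9.164.112 sport=50123 dport=853 '
    'src=5.9.164.112 dst=192.168.1.1 sport=853 dport=50123 [ASSURED] mark=0 zone=0 use=2',
    'ipv4     2 udp      17 29 src=192.168.1.50 dst=192.168.1.1 sport=5353 dport=53 '
    'src=192.168.1.1 dst=192.168.1.50 sport=53 dport=5353 mark=0 zone=0 use=1',
]

TCP_FLAGS = ('SYN', 'ACK', 'FIN', 'RST', 'PSH', 'URG')


def parse_reject_line(line):
    """Turn a firewalld REJECT log line into a dict of KEY=VALUE fields plus a FLAGS set."""
    m = re.search(r'"(?P<chain>filter_IN_\w+_REJECT): "(?P<rest>.*)$', line)
    if not m:
        return None
    fields = {'CHAIN': m.group('chain')}
    flags = set()
    for tok in m.group('rest').split():
        if '=' in tok:
            key, value = tok.split('=', 1)
            fields[key] = value
        elif tok in TCP_FLAGS:      # bare tokens such as RST / SYN are the TCP flags
            flags.add(tok)
    fields['FLAGS'] = flags
    return fields


def classify(fields):
    """Explain why conntrack-based accept rules cannot have matched this packet."""
    if fields.get('PROTO') != 'TCP':
        return 'non-tcp'
    flags = fields['FLAGS']
    if 'RST' in flags and 'SYN' not in flags:
        return 'stray-rst'          # cannot start a connection: never 'ct state new'
    if flags == {'SYN'}:
        return 'new-syn'            # a genuine connection attempt that no rule allowed
    return 'other'


def parse_conntrack(lines):
    """Parse nf_conntrack entries; the first src/dst/sport/dport set is the original direction,
    the second the reply direction (keys become src0, src1, ...)."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        entry, seen = {'proto': parts[2]}, {}
        for part in parts:
            if '=' not in part:
                continue
            key, value = part.split('=', 1)
            n = seen.get(key, 0)
            seen[key] = n + 1
            entry[f'{key}{n}'] = value
        entries.append(entry)
    return entries


def is_tracked(fields, conntrack):
    """True if the logged packet's 5-tuple matches a tracked flow in either direction."""
    proto = fields['PROTO'].lower()
    tup = (fields['SRC'], fields['DST'], fields['SPT'], fields['DPT'])
    for e in conntrack:
        if e['proto'] != proto:
            continue
        orig = (e.get('src0'), e.get('dst0'), e.get('sport0'), e.get('dport0'))
        reply = (e.get('src1'), e.get('dst1'), e.get('sport1'), e.get('dport1'))
        if tup in (orig, reply):
            return True
    return False


def triage(log_lines, conntrack_lines):
    """Summarise each REJECT line: source, ports, flag-based class, and whether conntrack knows it."""
    ct = parse_conntrack(conntrack_lines)
    results = []
    for line in log_lines:
        f = parse_reject_line(line)
        if f is None:
            continue
        results.append({'src': f['SRC'], 'spt': f['SPT'], 'dpt': f['DPT'],
                        'kind': classify(f), 'tracked': is_tracked(f, ct)})
    return results


if __name__ == '__main__':
    for row in triage(SAMPLE_LOG, SAMPLE_CONNTRACK):
        print(row)
```

Run against real data with `journalctl -k` output and the live `/proc/net/nf_conntrack`; a `stray-rst` row with `tracked: False` is exactly the case in the thread: the RST belongs to no tracked connection, the kernel would have discarded it anyway, and the log entry is noise rather than a blocked service.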