Hello, I have a web server that port 22,80 and 443 of it is opened in firewalld, I added below rules and lost everything:
# firewall-cmd --permanent --direct --add-rule \
    ipv4 filter INPUT 0 -j NFQUEUE
# firewall-cmd --permanent --direct --add-rule \
    ipv4 filter OUTPUT 0 -j NFQUEUE
# firewall-cmd --reload
I can't connect to my server and my web site went down too. How can I correct or delete these rules? I added these rules because of IPS: https://forum.suricata.io/t/guide-getting-started-on-centos-8-and-centos-7/5...
Thank you.
On Fri, Sep 11, 2020 at 08:27:54PM -0000, Jason Long wrote:
> Hello, I have a web server that port 22,80 and 443 of it is opened in firewalld, I added below rules and lost everything:
> # firewall-cmd --permanent --direct --add-rule \
>     ipv4 filter INPUT 0 -j NFQUEUE
> # firewall-cmd --permanent --direct --add-rule \
>     ipv4 filter OUTPUT 0 -j NFQUEUE
AFAIK, NFQUEUE action holds the packet and sends a copy to userspace. Userspace must issue a verdict. If no userspace is listening to NF_QUEUE then the packets will be dropped. So your traffic being dropped makes sense.
Maybe add the `--queue-bypass` option. With this, if no userspace is listening the packet will be accepted instead of dropped.
> # firewall-cmd --reload
> I can't connect to my server and my web site went down too. How can I correct or delete these rules?
Two options:
1. Use firewall-offline-cmd
```
# firewall-offline-cmd --direct --remove-rule ipv4 filter INPUT 0 -j NFQUEUE
# firewall-offline-cmd --direct --remove-rule ipv4 filter OUTPUT 0 -j NFQUEUE
```
2. Manually edit `/etc/firewalld/direct.xml` and remove the direct XML elements that correspond to your direct rules above.
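As an added example (not code from the thread or from firewalld itself), a POSIX shell audit of direct.xml that lists every NFQUEUE direct rule lacking `--queue-bypass`, the combination that drops all traffic once the IPS stops listening, and prints the matching `firewall-offline-cmd` removal for each. The sample direct.xml is constructed and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: audit a firewalld direct.xml for NFQUEUE
# rules that lack --queue-bypass. Such a rule drops every matching packet as soon
# as no userspace program (here, the IPS) is bound to the queue, which is the
# lockout the original poster hit.

# Constructed sample of /etc/firewalld/direct.xml written to a temp file so the
# script runs offline; point the functions at the real path on a live host.
SAMPLE_XML="$(mktemp)"
trap 'rm -f "$SAMPLE_XML"' EXIT
cat > "$SAMPLE_XML" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-j NFQUEUE</rule>
  <rule priority="0" table="filter" ipv="ipv4" chain="OUTPUT">-j NFQUEUE</rule>
  <rule priority="0" table="filter" ipv="ipv6" chain="INPUT">-j NFQUEUE --queue-bypass</rule>
  <rule priority="1" table="filter" ipv="ipv4" chain="INPUT">-p tcp --dport 22 -j ACCEPT</rule>
</direct>
EOF

# attr NAME LINE: value of the XML attribute NAME on a single <rule> line.
attr() { printf '%s\n' "$2" | sed -E "s/.*$1=\"([^\"]*)\".*/\1/"; }

# One line per NFQUEUE rule without --queue-bypass, in the argument order
# firewall-cmd --direct expects: <ipv> <table> <chain> <priority> <args>
risky_nfqueue_rules() {
    grep -E '<rule [^>]*>[^<]*-j NFQUEUE' "$1" | grep -v -- '--queue-bypass' |
    while IFS= read -r line; do
        args=$(printf '%s\n' "$line" | sed -E 's/.*<rule [^>]*>([^<]*)<\/rule>.*/\1/')
        printf '%s %s %s %s %s\n' "$(attr ipv "$line")" "$(attr table "$line")" \
            "$(attr chain "$line")" "$(attr priority "$line")" "$args"
    done
}

# Number of such rules; 0 means this config cannot lock you out this way.
count_risky() { risky_nfqueue_rules "$1" | wc -l | tr -d ' '; }

# The firewall-offline-cmd removal for each risky rule, usable from a rescue
# shell when firewalld itself is unreachable, as the reply above suggests.
removal_commands() {
    risky_nfqueue_rules "$1" | while read -r ipv table chain prio args; do
        printf 'firewall-offline-cmd --direct --remove-rule %s %s %s %s %s\n' \
            "$ipv" "$table" "$chain" "$prio" "$args"
    done
}

echo "NFQUEUE rules without --queue-bypass: $(count_risky "$SAMPLE_XML")"
removal_commands "$SAMPLE_XML"
```

Run it against a copy of the real direct.xml before reloading firewalld; a non-zero count means the IPS process becoming unavailable will take the box off the network.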
Thank you. I added "--queue-bypass" at the end of each line in the "direct.xml" file and the problem is solved, but doesn't this parameter affect my firewalld rules? Is everything working properly?
On Fri, Sep 18, 2020 at 11:55:40AM -0000, Jason Long wrote:
> Thank you. I added "--queue-bypass" at the end of each line in the "direct.xml" file and the problem is solved, but doesn't this parameter affect my firewalld rules?
It does not affect firewalld's rules.
> Is everything working properly?
Depends. The implications are:
- if FirewallBackend=iptables, then firewalld's rules are bypassed: the packet is immediately accepted.
- if FirewallBackend=nftables, then the packet is still subject to firewalld's rules: it may be dropped or accepted by firewalld.
firewalld-users@lists.fedorahosted.org