Hi,
Not sure if I am missing something, but I keep running into connections being rejected that should be accepted, given how I (think I :)) have defined the rules. I somehow get the feeling that the behavior below is related to the nft rules only containing "new, untracked" but not related and established.
Googled whether there is a way to add these two states to rules, but did not find anything. A direct rule might help, but since those are discouraged for future-proofing, I am trying to figure out the "right" way.
Working on a Debian 11 system, nftables backend.
Example 1, syncthing: zone file knet.xml, amongst others:
<service name="syncthing"/>
<source-port port="22000" protocol="tcp"/>
<source-port port="22000" protocol="udp"/>
<rule family="ipv4">
  <source address="192.168.1.1/24"/>
  <port port="22000" protocol="tcp"/>
  <accept/>
</rule>
<rule family="ipv4">
  <source address="192.168.1.1/24"/>
  <port port="22000" protocol="udp"/>
  <accept/>
</rule>
Nicely translated into the nft ruleset (amongst others):
ip saddr 192.168.1.0/24 tcp dport 22000 ct state { new, untracked } accept
ip saddr 192.168.1.0/24 udp dport 22000 ct state { new, untracked } accept
However, I still get these errors in syslog:
filter_IN_knet_REJECT: "IN=enp2s0 OUT= MAC=<ANOM> SRC=192.168.1.54 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=33526 DF PROTO=TCP SPT=22000 DPT=22000 WINDOW=65535 RES=0x00 SYN
Example 2, Apache as an https proxy:
<rule family="ipv4">
  <source address="192.168.1.13"/>
  <source-port port="443" protocol="tcp"/>
  <accept/>
</rule>
ip saddr 192.168.1.13 tcp sport 443 ct state { new, untracked } accept
filter_IN_knet_REJECT: "IN=enp2s0 OUT= MAC=<ANOM> SRC=192.168.1.13 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=443 DPT=34860 WINDOW=0 RES=0x00 RST URGP=0
What's going on here?
Thanks a lot for your help and best regards
firewalld-users@lists.fedorahosted.org
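An added triage helper for reading REJECT log lines like the two above (example code, not part of the message or of firewalld): it parses the key=value fields and bare TCP flag tokens, reduces the two nft accept rules to the fields a packet must hit, and reports which field stops each rejected packet from matching. The conntrack state is only guessed from the TCP flags because the log does not carry it; that guess, the rule names and the sample lines are assumptions.

```python
import ipaddress
import re
# Constructed sample lines, shaped like the two syslog entries quoted in the post.
SAMPLE_LOG = """\
filter_IN_knet_REJECT: "IN=enp2s0 OUT= MAC=<ANOM> SRC=192.168.1.54 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=33526 DF PROTO=TCP SPT=22000 DPT=22000 WINDOW=65535 RES=0x00 SYN
"filter_IN_knet_REJECT: "IN=enp2s0 OUT= MAC=<ANOM> SRC=192.168.1.13 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=443 DPT=34860 WINDOW=0 RES=0x00 RST URGP=0
"""
# The two accept rules from the post, reduced to the fields a packet must hit (names assumed).
RULES = [
    {"name": "syncthing", "saddr": "192.168.1.0/24", "dport": 22000, "ct": {"new", "untracked"}},
    {"name": "apache", "saddr": "192.168.1.13/32", "sport": 443, "ct": {"new", "untracked"}},
]
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_line(line):
    """Split a firewalld/nft log line into key=value fields plus the bare TCP flag tokens."""
    m = re.search(r'\w+_REJECT:\s*"?(.*)$', line)
    if not m:
        return None
    toks = m.group(1).split()
    fields = dict(t.split("=", 1) for t in toks if "=" in t)  # OUT= yields an empty value
    return {"fields": fields, "flags": {t for t in toks if t in TCP_FLAGS}}

def guess_ct_state(pkt):
    """Heuristic conntrack state from TCP flags; the log carries no ct state, so this is an assumption."""
    f = pkt["flags"]
    if f == {"SYN"}:
        return "new"  # first packet of a handshake
    if "RST" in f and "ACK" not in f:
        return "invalid"  # a bare reset for a connection conntrack does not know is usually INVALID
    return "established"  # mid-stream packet of a flow conntrack already tracks

def rule_matches(rule, pkt):
    """Check the packet's visible fields against one rule; returns (matched, reason)."""
    f = pkt["fields"]
    if f.get("PROTO") != "TCP":
        return False, "proto"
    if ipaddress.ip_address(f["SRC"]) not in ipaddress.ip_network(rule["saddr"]):
        return False, "saddr"
    if "dport" in rule and int(f["DPT"]) != rule["dport"]:
        return False, "dport"
    if "sport" in rule and int(f["SPT"]) != rule["sport"]:
        return False, "sport"
    state = guess_ct_state(pkt)
    return (True, "all visible fields match") if state in rule["ct"] else (False, f"ct state {state}")

def triage(text, rules=RULES):
    # Per rejected packet: (SRC, SPT, DPT, {rule name: (matched, reason)})
    pkts = [p for p in map(parse_line, text.splitlines()) if p]
    return [(p["fields"]["SRC"], p["fields"]["SPT"], p["fields"]["DPT"],
             {r["name"]: rule_matches(r, p) for r in rules}) for p in pkts]
```

For the second line the RST packet fails only on the guessed ct state, while the first SYN passes every field the log shows, so its rejection must come from something the log does not carry (the kernel's actual ct state or rule order).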