Hello, I removed all rich rules, but the "direct.xml" file has the lines below:
<rule priority="0" table="filter" ipv="ipv4" chain="INPUT_direct">-p tcp --dport 80 -m state --state NEW -m recent --set</rule> <rule priority="1" table="filter" ipv="ipv4" chain="INPUT_direct">-p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 30 -j REJECT --reject-with tcp-reset</rule>
Why? Could the lines below cause any connection to the server to be dropped?
<rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-j NFQUEUE --queue-bypass</rule> <rule priority="0" table="filter" ipv="ipv4" chain="OUTPUT">-j NFQUEUE --queue-bypass</rule>
For example, I can't SSH to the server.
Thank you.
On Tue, Jan 12, 2021 at 10:51:58PM -0000, Jason Long wrote:
Hello, I removed all rich rules, but the "direct.xml" file has the lines below:
<rule priority="0" table="filter" ipv="ipv4" chain="INPUT_direct">-p tcp --dport 80 -m state --state NEW -m recent --set</rule> <rule priority="1" table="filter" ipv="ipv4" chain="INPUT_direct">-p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 30 -j REJECT --reject-with tcp-reset</rule>
Why? Could the lines below cause any connection to the server to be dropped?
Yes.
<rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-j NFQUEUE --queue-bypass</rule> <rule priority="0" table="filter" ipv="ipv4" chain="OUTPUT">-j NFQUEUE --queue-bypass</rule>
See the man page for iptables-extensions.
These two rules send the packet to a userspace application if one is waiting for them. If there is no userspace socket open, then they behave like "-j ACCEPT".
These rules also effectively render firewalld useless. I don't know what you're trying to do, but maybe you should reconsider.
For example, I can't SSH to the server.
Thank you.
_______________________________________________
firewalld-users mailing list -- firewalld-users@lists.fedorahosted.org To unsubscribe send an email to firewalld-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedorahos...
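To make the behaviour Eric describes concrete, here is an added audit script (not part of the thread or of firewalld) that parses a direct.xml built from the four rules quoted above: it flags NFQUEUE rules that catch every packet in their chain and that fail open because of --queue-bypass, and it summarises the "recent" rate limit on port 80. The sample XML is constructed for the example and the function names are my own.

```python
import shlex
import xml.etree.ElementTree as ET
# Constructed sample: a direct.xml assembled from the four <rule> lines quoted in the thread.
SAMPLE_DIRECT_XML = """<direct>
  <rule priority="0" table="filter" ipv="ipv4" chain="INPUT_direct">-p tcp --dport 80 -m state --state NEW -m recent --set</rule>
  <rule priority="1" table="filter" ipv="ipv4" chain="INPUT_direct">-p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 30 -j REJECT --reject-with tcp-reset</rule>
  <rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-j NFQUEUE --queue-bypass</rule>
  <rule priority="0" table="filter" ipv="ipv4" chain="OUTPUT">-j NFQUEUE --queue-bypass</rule>
</direct>
"""
# Match options that narrow a rule; a rule with none of them applies to every packet in its chain.
SELECTORS = {"-p", "-s", "-d", "-i", "-o", "--dport", "--sport"}

def parse_direct_rules(xml_text):
    """Turn each <rule> element into a dict with its attributes, split args and -j target."""
    rules = []
    for elem in ET.fromstring(xml_text).findall("rule"):
        args = shlex.split(elem.text or "")
        target = args[args.index("-j") + 1] if "-j" in args else None
        rules.append({"priority": int(elem.get("priority", "0")),
                      "table": elem.get("table"), "ipv": elem.get("ipv"),
                      "chain": elem.get("chain"), "args": args, "target": target})
    return rules

def audit_nfqueue_rules(rules):
    """Flag NFQUEUE rules: a catch-all one hands every packet of its chain to userspace, and
    --queue-bypass makes it fail open (accepted when no program is bound to the queue)."""
    findings = []
    for rule in rules:
        if rule["target"] != "NFQUEUE":
            continue
        findings.append({"chain": rule["chain"],
                         "catch_all": not (SELECTORS & set(rule["args"])),
                         "fail_open": "--queue-bypass" in rule["args"]})
    return findings

def recent_limits(rules):
    """Describe 'recent'-based rate limits: port, window in seconds, hit count and verdict."""
    limits = []
    for rule in rules:
        args = rule["args"]
        if "recent" not in args or "--update" not in args:
            continue
        opt = lambda flag: args[args.index(flag) + 1] if flag in args else None
        limits.append({"dport": opt("--dport"), "seconds": int(opt("--seconds") or 0),
                       "hitcount": int(opt("--hitcount") or 0), "verdict": rule["target"]})
    return limits

if __name__ == "__main__":
    parsed = parse_direct_rules(SAMPLE_DIRECT_XML)
    print(audit_nfqueue_rules(parsed))
    print(recent_limits(parsed))
```

A finding with both catch_all and fail_open set is the case from the thread: every INPUT and OUTPUT packet goes to the queue, and with no listener bound the rule acts like "-j ACCEPT".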
Thank you. I installed Suricata-IDS in IPS mode and those rules are needed. Thus, a tool like Suricata-IDS makes Firewalld useless?
On Wednesday, January 13, 2021, 04:13:58 AM GMT+3:30, Eric Garver egarver@redhat.com wrote:
On Tue, Jan 12, 2021 at 10:51:58PM -0000, Jason Long wrote:
Hello, I removed all rich rules, but the "direct.xml" file has the lines below:
<rule priority="0" table="filter" ipv="ipv4" chain="INPUT_direct">-p tcp --dport 80 -m state --state NEW -m recent --set</rule> <rule priority="1" table="filter" ipv="ipv4" chain="INPUT_direct">-p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 30 -j REJECT --reject-with tcp-reset</rule>
Why? Could the lines below cause any connection to the server to be dropped?
Yes.
<rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-j NFQUEUE --queue-bypass</rule> <rule priority="0" table="filter" ipv="ipv4" chain="OUTPUT">-j NFQUEUE --queue-bypass</rule>
See the man page for iptables-extensions.
These two rules send the packet to a userspace application if one is waiting for them. If there is no userspace socket open, then they behave like "-j ACCEPT".
These rules also effectively render firewalld useless. I don't know what you're trying to do, but maybe you should reconsider.
For example, I can't SSH to the server.
Thank you.
On Wed, Jan 13, 2021 at 09:03:56AM +0000, Jason Long wrote:
Thank you. I installed Suricata-IDS in IPS mode and those rules are needed. Thus, a tool like Suricata-IDS makes Firewalld useless?
I have no idea. I've never used or researched Suricata.
On Wednesday, January 13, 2021, 04:13:58 AM GMT+3:30, Eric Garver egarver@redhat.com wrote:
On Tue, Jan 12, 2021 at 10:51:58PM -0000, Jason Long wrote:
Hello, I removed all rich rules, but the "direct.xml" file has the lines below:
<rule priority="0" table="filter" ipv="ipv4" chain="INPUT_direct">-p tcp --dport 80 -m state --state NEW -m recent --set</rule> <rule priority="1" table="filter" ipv="ipv4" chain="INPUT_direct">-p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 30 -j REJECT --reject-with tcp-reset</rule>
Why? Could the lines below cause any connection to the server to be dropped?
Yes.
<rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-j NFQUEUE --queue-bypass</rule> <rule priority="0" table="filter" ipv="ipv4" chain="OUTPUT">-j NFQUEUE --queue-bypass</rule>
See the man page for iptables-extensions.
These two rules send the packet to a userspace application if one is waiting for them. If there is no userspace socket open, then they behave like "-j ACCEPT".
These rules also effectively render firewalld useless. I don't know what you're trying to do, but maybe you should reconsider.
For example, I can't SSH to the server.
Thank you.