Recently, my Firewalld updated to 0.7.0_5, likely when I upgraded from CentOS 8.0 to 8.1.
Everything was working fine since I started using Firewalld under CentOS 7, I believe.
For the past few weeks, I was having issues on my network with connecting to services like Facebook and Apple. I could get to the main https page, but when it would try to pull another page (like Facebook has its content page, or Apple has its SSO page), browsers would just spin.
I had a test laptop which I could reproduce the issue on, and when I plugged it directly into the cable modem, the issue went away.
So, we know it's the firewall/configuration.
I've spent about a week working on this, posted a post over in CentOS forum, even opened a bug report:
https://forums.centos.org/viewtopic.php?f=56&t=74241 https://bugs.centos.org/view.php?id=17310
To summarize the data:
After enabling the logging in firewalld, the firewall is blocking a lot of items it shouldn't be:
1) All of the Internal devices should have free access to the server.
2) All of the Internal devices should have full access to the Internet.
3) Once a connection is established between the Internal system and an External (Internet) system, those related packets should be accepted.
4) All external traffic (besides a very specific rule allowing ssh from one class-C Internet subnet, and http/https) should be blocked.
What I'm looking for is, with every other previous iteration of Red Hat and CentOS, I've been able to locate good examples of how to configure NAT and masquerade. A basic home router. ipchains, iptables, firewall builder, and now, nftables and firewalld. But I can't find a good "how to" on how to properly set-up nftables and firewalld.
I love firewalld's management, both commandline and GUI (with firewall-config), but right now, things are broken.
Initially, I suspected it was either an issue with helpers (AutomaticHelpers), or an issue with the AllowZoneDrifting that just changed, seeing as it's blocking return packets.
But it's also blocking some internal packets as well (which it shouldn't be), as well as multicast internal, and some other weird stuff.
Is there something I'm missing?
I've spent the entire week banging my head against this, clearing out firewalld rules, rebooting, starting from scratch again, making it possibly worse. I'm not sure. I'd love some help, though.
Thanks!
Hi,
We debugged in #firewalld.
As shown by the firewalld logs, conntrack (kernel) was considering some of the packets as invalid.
Firewalld has this rule:
ct state { invalid } drop
which seems to be the cause of your dropped traffic.
Now, why is conntrack considering the packets as invalid? I don't know. Usually there is a good reason, e.g. invalid TCP headers. If TCP headers really are invalid I expect the client to throw the packet away even if firewalld is not running.
Is it only a subset of services (e.g. facebook/apple) or all web traffic?
Eric.
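A small triage helper for the log lines Eric refers to, added here as an example that is not part of this thread and not firewalld's own code. It parses kernel netfilter LOG lines, separates drops made by the `ct state { invalid } drop` rule from packets rejected by other rules, and for the invalid drops reports whether the packet was a mid-stream TCP segment (ACK without SYN, i.e. conntrack had no entry for an existing flow), a fresh SYN, or non-TCP, and how many came from internal (RFC 1918) sources, which the original poster expects never to be blocked. Assumptions: the `STATE_INVALID_DROP:` and `FINAL_REJECT:` log prefixes are taken to be the ones firewalld's nftables backend writes when LogDenied is enabled (adjust if yours differ), the internal networks default to the RFC 1918 ranges, and the sample log lines are constructed using documentation addresses rather than real captures.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the kernel netfilter LOG format (not a real capture).
# The "STATE_INVALID_DROP:" and "FINAL_REJECT:" prefixes are assumed to be those
# firewalld's nftables backend emits with LogDenied enabled.
SAMPLE_LOG = """\
May  3 23:10:01 gw kernel: STATE_INVALID_DROP: IN=ppp0 OUT=eth1 SRC=198.51.100.35 DST=192.168.1.20 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=TCP SPT=443 DPT=51234 WINDOW=0 RES=0x00 ACK URGP=0
May  3 23:10:02 gw kernel: STATE_INVALID_DROP: IN=ppp0 OUT=eth1 SRC=198.51.100.10 DST=192.168.1.20 LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=443 DPT=51240 WINDOW=0 RES=0x00 ACK PSH URGP=0
May  3 23:10:03 gw kernel: STATE_INVALID_DROP: IN=eth1 OUT= SRC=192.168.1.20 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51300 DPT=22 WINDOW=0 RES=0x00 ACK URGP=0
May  3 23:10:04 gw kernel: FINAL_REJECT: IN=ppp0 OUT= SRC=203.0.113.9 DST=203.0.113.77 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
May  3 23:10:05 gw kernel: STATE_INVALID_DROP: IN=eth1 OUT= SRC=192.168.1.20 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=12
"""

LOG_RE = re.compile(r"kernel: (?P<prefix>[A-Z0-9_]+): (?P<rest>.*)$")

# Triage categories (hints for where to look, not definitive root causes).
MIDSTREAM = "mid-stream TCP segment (ACK, no SYN) with no conntrack entry"
NEW_SYN = "new TCP SYN tagged invalid (check headers/checksums)"
OTHER_TCP = "other TCP segment tagged invalid"
NON_TCP = "non-TCP packet tagged invalid"
OTHER_RULE = "logged by a rule other than 'ct state invalid drop'"


def parse_line(line):
    """Parse one netfilter LOG line into {prefix, fields, flags}; None if not a firewall log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:              # KEY=VALUE pairs such as SRC=, DPT=, PROTO=
            k, _, v = tok.partition("=")
            fields[k] = v
        else:                       # bare tokens are flags: SYN ACK PSH FIN RST DF ...
            flags.add(tok)
    return {"prefix": m.group("prefix"), "fields": fields, "flags": flags}


def classify(entry):
    """Map a parsed entry to one of the triage categories above."""
    if entry["prefix"] != "STATE_INVALID_DROP":
        return OTHER_RULE
    if entry["fields"].get("PROTO") != "TCP":
        return NON_TCP
    flags = entry["flags"]
    if "ACK" in flags and "SYN" not in flags:
        return MIDSTREAM
    if "SYN" in flags and "ACK" not in flags:
        return NEW_SYN
    return OTHER_TCP


def flow_key(entry):
    f = entry["fields"]
    return (f.get("PROTO"), f.get("SRC"), f.get("SPT"), f.get("DST"), f.get("DPT"))


def triage(log_text, internal_nets=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")):
    """Summarise drops by log prefix and triage category, and list invalid-state
    drops whose source is an internal address (assumed RFC 1918 by default)."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    by_prefix, by_reason, internal_invalid = Counter(), Counter(), []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        by_prefix[entry["prefix"]] += 1
        by_reason[classify(entry)] += 1
        src = entry["fields"].get("SRC")
        if entry["prefix"] == "STATE_INVALID_DROP" and src:
            if any(ipaddress.ip_address(src) in n for n in nets):
                internal_invalid.append(flow_key(entry))
    return {"by_prefix": by_prefix, "by_reason": by_reason, "internal_invalid": internal_invalid}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for prefix, n in result["by_prefix"].items():
        print(f"{n:4d}  {prefix}")
    for reason, n in result["by_reason"].items():
        print(f"{n:4d}  {reason}")
    for flow in result["internal_invalid"]:
        print("internal source hit by ct invalid drop:", flow)
```

Feed it `journalctl -k` or `/var/log/messages` output instead of the constructed sample; a large share of mid-stream ACK drops from Internet sources toward inside hosts is the signature of conntrack having lost or never created the entry for an established flow (for example a flushed table, an expired entry, or traffic that took an asymmetric path), whereas invalid drops for fresh SYNs point at the packets themselves.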
On Sun, May 03, 2020 at 11:59:53PM -0000, Amarand Agasi wrote:
Recently, my Firewalld updated to 0.7.0_5, likely when I upgraded from CentOS 8.0 to 8.1.
Everything was working fine since I started using Firewalld under CentOS 7, I believe.
For the past few weeks, I was having issues on my network with connecting to services like Facebook and Apple. I could get to the main https page, but when it would try to pull another page (like Facebook has its content page, or Apple has its SSO page), browsers would just spin.
I had a test laptop which I could reproduce the issue on, and when I plugged it directly into the cable modem, the issue went away.
So, we know it's the firewall/configuration.
I've spent about a week working on this, posted a post over in CentOS forum, even opened a bug report:
https://forums.centos.org/viewtopic.php?f=56&t=74241 https://bugs.centos.org/view.php?id=17310
To summarize the data:
After enabling the logging in firewalld, the firewall is blocking a lot of items it shouldn't be:
- All of the Internal devices should have free access to the server.
- All of the Internal devices should have full access to the Internet.
- Once a connection is established between the Internal system and an External (Internet) system, those related packets should be accepted.
- All external traffic (besides a very specific rule allowing ssh from one class-C Internet subnet, and http/https) should be blocked.
What I'm looking for is, with every other previous iteration of Red Hat and CentOS, I've been able to locate good examples of how to configure NAT and masquerade. A basic home router. ipchains, iptables, firewall builder, and now, nftables and firewalld. But I can't find a good "how to" on how to properly set-up nftables and firewalld.
I love firewalld's management, both commandline and GUI (with firewall-config), but right now, things are broken.
Initially, I suspected it was either an issue with helpers (AutomaticHelpers), or an issue with the AllowZoneDrifting that just changed, seeing as it's blocking return packets.
But it's also blocking some internal packets as well (which it shouldn't be), as well as multicast internal, and some other weird stuff.
Is there something I'm missing?
I've spent the entire week banging my head against this, clearing out firewalld rules, rebooting, starting from scratch again, making it possibly worse. I'm not sure. I'd love some help, though.
Thanks!