Hi,
We debugged in #firewalld.
As shown by the firewalld logs, conntrack (kernel) was considering some
of the packets as invalid.
Firewalld has this rule:
ct state { invalid } drop
which seems to be the cause of your dropped traffic.
Now, why is conntrack considering the packets as invalid? I don't know.
Usually there is a good reason, e.g. invalid TCP headers. If TCP headers
really are invalid I expect the client to throw the packet away even if
firewalld is not running.
Is it only a subset of services (e.g. facebook/apple) or all web
traffic?
Eric.
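To answer Eric's last question from the logs themselves, the following is an added example (not part of this thread, and not firewalld's own code): a small Python parser for the kernel nf_log lines that firewalld emits when LogDenied is enabled, which tallies invalid-state drops by protocol, remote peer, source port and TCP flags. Whether the invalid drops cluster on a few remote services (port 443 with RST or FIN after a connection has already been torn down is a common pattern) or spread across all web traffic is exactly what the tally shows. The log prefix "STATE_INVALID_DROP" is assumed to be the one firewalld's nftables backend uses for its ct state invalid rule, and the sample log lines are constructed, not taken from the reporter's system.

```python
import re
from collections import Counter

# TCP flag names appear as bare tokens in nf_log output (e.g. "ACK RST").
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Matches "kernel: <PREFIX>: <KEY=VALUE ...>"; the prefix is whatever firewalld
# put in its log rule (assumed "STATE_INVALID_DROP" / "FINAL_REJECT" here).
LINE_RE = re.compile(r"kernel: (?P<prefix>[A-Z_]+): (?P<body>.*)$")

# Constructed sample lines in nf_log format; addresses, MACs and ports are made up.
SAMPLE_LOG = """\
May  3 23:10:01 gw kernel: STATE_INVALID_DROP: IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=157.240.1.35 DST=192.168.1.20 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=443 DPT=51234 WINDOW=0 RES=0x00 ACK RST URGP=0
May  3 23:10:02 gw kernel: STATE_INVALID_DROP: IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=17.253.144.10 DST=192.168.1.20 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=443 DPT=51240 WINDOW=65535 RES=0x00 ACK FIN URGP=0
May  3 23:10:03 gw kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
May  3 23:10:04 gw kernel: STATE_INVALID_DROP: IN=eth1 OUT= MAC=01:00:5e:00:00:fb:aa:bb:cc:dd:ee:ff:08:00 SRC=192.168.1.20 DST=224.0.0.251 LEN=120 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=100
"""


def parse_nflog_line(line):
    """Return (prefix, fields, flags) for one nf_log line, or None if it is not one.

    fields maps KEY -> VALUE for every KEY=VALUE token (OUT= gives an empty value);
    flags is the set of bare TCP flag tokens found on the line.
    """
    m = LINE_RE.search(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("body").split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return m.group("prefix"), fields, flags


def summarize_invalid_drops(log_text, prefix="STATE_INVALID_DROP"):
    """Count packets dropped as invalid, keyed by (proto, src, sport, flags).

    Lines with a different prefix (e.g. FINAL_REJECT) are ignored so the
    summary reflects only the `ct state { invalid } drop` rule.
    """
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_nflog_line(line)
        if parsed is None or parsed[0] != prefix:
            continue
        _, fields, flags = parsed
        key = (
            fields.get("PROTO"),
            fields.get("SRC"),
            fields.get("SPT"),
            "|".join(sorted(flags)) or "-",
        )
        counts[key] += 1
    return counts


if __name__ == "__main__":
    # Typical use: journalctl -k | python3 this_script.py  (stdin not wired here;
    # the constructed sample is used so the script runs offline).
    for (proto, src, sport, flags), n in summarize_invalid_drops(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {proto:<4} {src}:{sport}  flags={flags}")
```

If the top entries are all remote port 443 peers with ACK|RST or ACK|FIN, the drops are late segments of connections conntrack has already closed, which points at a state-tracking problem rather than genuinely malformed headers; a spread across many ports and flag combinations would instead suggest the packets really are broken before they reach the firewall.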
On Sun, May 03, 2020 at 11:59:53PM -0000, Amarand Agasi wrote:
Recently, my Firewalld updated to 0.7.0_5, likely when I upgraded
from CentOS 8.0 to 8.1.
Everything was working fine since I started using Firewalld under CentOS 7, I believe.
For the past few weeks, I was having issues on my network with connecting to services
like Facebook and Apple. I could get to the main https page, but when it would try to pull
another page (like Facebook has its content page, or Apple has its SSO page), browsers
would just spin.
I had a test laptop which I could reproduce the issue on, and when I plugged it directly
into the cable modem, the issue went away.
So, we know it's the firewall/configuration.
I've spent about a week working on this, posted a post over in CentOS forum, even
opened a bug report:
https://forums.centos.org/viewtopic.php?f=56&t=74241
https://bugs.centos.org/view.php?id=17310
To summarize the data:
After enabling the logging in firewalld, the firewall is blocking a lot of items it
shouldn't be:
1) All of the Internal devices should have free access to the server.
2) All of the Internal devices should have full access to the Internet.
3) Once a connection is established between the Internal system and an External
(Internet) system, those related packets should be accepted.
4) All external traffic (besides a very specific rule allowing ssh from one class-C
Internet subnet, and http/https) should be blocked.
What I'm looking for is, with every other previous iteration of Red Hat and CentOS,
I've been able to locate good examples of how to configure NAT and masquerade. A basic
home router. ipchains, iptables, firewall builder, and now, nftables and firewalld. But I
can't find a good "how to" on how to properly set up nftables and
firewalld.
I love firewalld's management, both commandline and GUI (with firewall-config), but
right now, things are broken.
Initially, I suspected it was either an issue with helpers (AutomaticHelpers), or an
issue with the AllowZoneDrifting that just changed, seeing as it's blocking return
packets.
But it's also blocking some internal packets as well (which it shouldn't be), as
well as multicast internal, and some other weird stuff.
Is there something I'm missing?
I've spent the entire week banging my head against this, clearing out firewalld
rules, rebooting, starting from scratch again, making it possibly worse. I'm not
sure. I'd love some help, though.
Thanks!
_______________________________________________
firewalld-users mailing list -- firewalld-users(a)lists.fedorahosted.org