On Wed, May 09, 2018 at 03:50:27PM -0300, Marcelo Ricardo Leitner
wrote:
> On Wed, May 09, 2018 at 08:58:29AM -0400, Eric Garver wrote:
> > On Tue, May 08, 2018 at 09:32:55PM -0300, Marcelo Ricardo Leitner wrote:
> > > Hi,
> > >
> > > I'm trying to use
> > > # firewall-cmd --set-automatic-helpers=no
> > > to have it to only assign the expected helpers, as it is more secure.
> > >
> > > The protocol I'm interested in is FTP. The gateway in question doesn't
> > > provide any FTP service, but at the same time, it seems I cannot get
> > > firewalld to add the CT iptables rule if I don't add the FTP service
> > > to the zone ('internal' one, fwiw), which in turn also allows INPUT of
> > > such packets but that's not wanted.
> > >
> > > Is there a way that I can allow it to assign the helper, without
> > > having to allow the INPUT for such service?
> >
> > I think so. Take a look at /usr/lib/firewalld/services/ftp.xml. It
> > defines a "port" and a "helper". The helper also defines a helper port.
> > The "port" corresponds to the rule in the filter,INPUT chain. The
> > "helper" corresponds to the rule in the raw,PREROUTING chain.
> >
> > So you can create a new service without the "port" line.
> > e.g.
> >
> > # grep -v 'port="21"' /usr/lib/firewalld/services/ftp.xml > /etc/firewalld/services/ftp-gateway.xml
> > # firewall-cmd --permanent --zone=<zone> --remove-service=ftp
> > # firewall-cmd --permanent --zone=<zone> --add-service=ftp-gateway
> > # firewall-cmd --reload
>
> Btw, after applying these for zone 'internal', something happened and
> the zone lost all its configs except for the newly added ftp-gateway
> service.
>
> I tried reproducing, but it didn't happen again, and couldn't spot
> anything odd in the logs. I'm mentioning because it's not the first
> time this happened with me, but too bad I don't have more information.
There was a bug [0] where using --set-log-denied or --automatic-helpers
could cause a zone's configuration to be zeroed. It was fixed in upstream
v0.5.0 and RHEL firewalld-0.4.4.4-13.el7.

[0] https://bugzilla.redhat.com/show_bug.cgi?id=1514043
That's probably it then, as I have --set-log-denied.
Cool, thanks!
Marcelo
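The helper-only service that Eric describes, as an added shell example that is not part of the thread and not firewalld's own tooling. It works on a constructed stand-in for ftp.xml (the real file's layout is assumed to match), removes every `<port .../>` element rather than matching the literal `port="21"`, and refuses to emit a service that would carry no `<helper>` at all, since such a service adds no rule and would silently do nothing. The firewall-cmd and iptables lines are usage notes in comments only; the zone name is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: derive a helper-only firewalld service
# definition from an existing service file, so the zone gets the conntrack
# helper rule in raw,PREROUTING without the matching accept rule in filter,INPUT.

# Constructed stand-in for /usr/lib/firewalld/services/ftp.xml (layout assumed).
SAMPLE_FTP_XML='<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <description>FTP is a protocol used for remote file transfer.</description>
  <port protocol="tcp" port="21"/>
  <helper name="ftp"/>
</service>'

# strip_ports: drop every <port .../> element from a service XML read on stdin.
# Unlike grep -v 'port="21"', this keeps working if the port number changes
# and does not depend on attribute order in the file.
strip_ports() {
    sed -e '/^[[:space:]]*<port[[:space:]][^>]*\/>[[:space:]]*$/d'
}

# helper_only_service: print a helper-only variant of the service XML given on
# stdin; return non-zero if the result carries no <helper> element, because
# that service would open nothing and assign no helper either.
helper_only_service() {
    out=$(strip_ports)
    printf '%s\n' "$out" | grep -q '<helper[[:space:]]' || return 1
    printf '%s\n' "$out"
}

# count_ports / count_helpers: small checks on a generated service file.
count_ports()   { grep -c '<port[[:space:]]' ; }
count_helpers() { grep -c '<helper[[:space:]]' ; }

# Usage (assumes root and a running firewalld; <zone> is a placeholder):
#   helper_only_service < /usr/lib/firewalld/services/ftp.xml \
#       > /etc/firewalld/services/ftp-gateway.xml
#   firewall-cmd --permanent --zone=<zone> --remove-service=ftp
#   firewall-cmd --permanent --zone=<zone> --add-service=ftp-gateway
#   firewall-cmd --reload
# Afterwards confirm the helper rule exists and no INPUT accept for 21/tcp
# was added:
#   iptables -t raw -S PREROUTING | grep -i ftp
#   iptables -S INPUT | grep -- '--dport 21'
```

The check that a `<helper>` survives matters because a service file with neither a port nor a helper is accepted by firewalld but contributes no rules, which is easy to miss when the only visible effect of the change is the absence of an INPUT rule.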