On Wed, May 09, 2018 at 08:58:29AM -0400, Eric Garver wrote:
> On Tue, May 08, 2018 at 09:32:55PM -0300, Marcelo Ricardo Leitner wrote:
> > Hi,
> >
> > I'm trying to use
> > # firewall-cmd --set-automatic-helpers=no
> > to have it only assign the expected helpers, as it is more secure.
> >
> > The protocol I'm interested in is FTP. The gateway in question doesn't
> > provide any FTP service, but at the same time, it seems I cannot get
> > firewalld to add the CT iptables rule if I don't add the FTP service
> > to the zone ('internal' one, fwiw), which in turn also allows INPUT of
> > such packets but that's not wanted.
> >
> > Is there a way that I can allow it to assign the helper, without
> > having to allow the INPUT for such service?
>
> I think so. Take a look at /usr/lib/firewalld/services/ftp.xml. It
> defines a "port" and a "helper". The helper also defines a helper
> port.
>
> The "port" corresponds to the rule in the filter,INPUT chain. The
> "helper" corresponds to the rule in the raw,PREROUTING chain.
>
> So you can create a new service without the "port" line.
> e.g.
>
> # grep -v 'port="21"' /usr/lib/firewalld/services/ftp.xml > /etc/firewalld/services/ftp-gateway.xml
> # firewall-cmd --permanent --zone=<zone> --remove-service=ftp
> # firewall-cmd --permanent --zone=<zone> --add-service=ftp-gateway
> # firewall-cmd --reload
Btw, after applying these for zone 'internal', something happened and
the zone lost all its configs except for the newly added ftp-gateway
service.

I tried reproducing, but it didn't happen again, and couldn't spot
anything odd in the logs. I'm mentioning it because it's not the first
time this has happened to me, but too bad I don't have more information.

Marcelo
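The helper-only service Eric describes, written up as a small script. This is an added example, not code from the thread or from firewalld itself: the sample ftp.xml is constructed inline to stand in for /usr/lib/firewalld/services/ftp.xml, and the function names (make_helper_only_service, check_helper_only, demo) are mine. It generalizes Eric's one-liner by dropping every <port .../> element instead of matching the literal port="21", so the same function can be reused for other helper-carrying services, and it adds the check a practitioner wants before reloading: the derived file must still contain the helper and must contain no port, otherwise the CT rule in raw,PREROUTING would be lost or the INPUT accept would come back.

```shell
#!/bin/sh
# Added example (not from the thread): derive a helper-only firewalld
# service from a stock service definition, then verify it before loading.
# The sample XML and all file names below are constructed for illustration.

# Constructed stand-in for /usr/lib/firewalld/services/ftp.xml, with the
# two elements the thread discusses: a "port" (filter,INPUT accept) and a
# "helper" (CT rule in raw,PREROUTING).
SAMPLE_FTP_XML='<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <description>Constructed sample of the stock FTP service.</description>
  <port protocol="tcp" port="21"/>
  <helper name="ftp"/>
</service>'

# make_helper_only_service SRC DST
# Copy SRC to DST with every <port .../> element removed, so only the
# helper survives. Matching the element name rather than port="21" makes
# this work for any service that carries a helper, not just FTP.
make_helper_only_service() {
    sed '/^[[:space:]]*<port[[:space:]]/d' "$1" > "$2"
}

# check_helper_only FILE
# Succeed only if FILE keeps at least one <helper .../> and has no
# <port .../>. A file that lost its helper would load fine but silently
# give up the CT rule; a file that kept a port would re-open INPUT.
check_helper_only() {
    grep -q '<helper[[:space:]]' "$1" || return 1
    ! grep -q '<port[[:space:]]' "$1"
}

# demo: write the constructed sample, derive the gateway variant, check it.
# Returns 0 when the derived file passes check_helper_only.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_FTP_XML" > "$dir/ftp.xml"
    make_helper_only_service "$dir/ftp.xml" "$dir/ftp-gateway.xml"
    check_helper_only "$dir/ftp-gateway.xml"
    rc=$?
    rm -rf "$dir"
    return $rc
}

# On a real host the derived file goes to /etc/firewalld/services/ and is
# activated with the commands from Eric's reply:
#   firewall-cmd --permanent --zone=<zone> --remove-service=ftp
#   firewall-cmd --permanent --zone=<zone> --add-service=ftp-gateway
#   firewall-cmd --reload
# Afterwards `iptables -t raw -S` should still show the `-j CT` rule for
# tcp/21 while `iptables -S` no longer accepts tcp/21 in the zone's
# INPUT chain.
```

Run `demo` on its own to exercise the whole path; run check_helper_only against the stock file first and it should fail, which is the point: the check distinguishes the original (port plus helper) from the derived file (helper only).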