On Tue, May 08, 2018 at 09:32:55PM -0300, Marcelo Ricardo Leitner wrote:
> Hi,
> I'm trying to use
> # firewall-cmd --set-automatic-helpers=no
> to have it only assign the expected helpers, as it is more secure.
> The protocol I'm interested in is FTP. The gateway in question doesn't
> provide any FTP service, but at the same time, it seems I cannot get
> firewalld to add the CT iptables rule if I don't add the FTP service
> to the zone ('internal' one, fwiw), which in turn also allows INPUT of
> such packets, but that's not wanted.
> Is there a way that I can allow it to assign the helper, without
> having to allow the INPUT for such service?
I think so. Take a look at /usr/lib/firewalld/services/ftp.xml. It
defines a "port" and a "helper". The helper also defines a helper
port.
The "port" corresponds to the rule in the filter,INPUT chain. The
"helper" corresponds to the rule in the raw,PREROUTING chain.
So you can create a new service without the "port" line.
e.g.
# grep -v 'port="21"' /usr/lib/firewalld/services/ftp.xml > /etc/firewalld/services/ftp-gateway.xml
# firewall-cmd --permanent --zone=<zone> --remove-service=ftp
# firewall-cmd --permanent --zone=<zone> --add-service=ftp-gateway
# firewall-cmd --reload
Hope that helps.
Eric.
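The helper-only service described above, as an added example that is not part of the thread or of firewalld itself: a small POSIX sh script that derives an `ftp-gateway.xml` from a stand-in copy of the stock `ftp.xml`, dropping every `<port>` element (filter,INPUT) while keeping the `<helper>` element (raw,PREROUTING), and then checks the result before anyone loads it. The sample `ftp.xml` content is constructed here to mirror the stock file; the function names and the `ftp-gateway` service name are this example's own choices. Nothing below calls `firewall-cmd`; the apply steps Eric listed are left in a comment.

```shell
#!/bin/sh
# Added example (not from the thread): build a firewalld service that registers
# only the FTP conntrack helper, and verify it opens no INPUT port.
set -eu

# Constructed stand-in for /usr/lib/firewalld/services/ftp.xml
# (assumption: one <port> element and one <helper> element, as in the stock file).
make_sample_ftp_xml() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <description>FTP is a protocol used for remote file transfer.</description>
  <port protocol="tcp" port="21"/>
  <helper name="ftp"/>
</service>
EOF
}

# Copy $1 to $2 with every <port .../> element removed and the short name
# adjusted. The <helper> element survives, so the service still yields the
# CT rule in raw,PREROUTING but nothing in filter,INPUT.
derive_gateway_service() {
  src=$1
  dst=$2
  sed -e '/<port[[:space:]]/d' \
      -e 's|<short>FTP</short>|<short>FTP (helper only)</short>|' "$src" > "$dst"
}

# Exit 0 only when the derived file has no <port> element and still names
# the ftp helper; anything else means the file would open INPUT or do nothing.
check_gateway_service() {
  f=$1
  if grep -q '<port' "$f"; then
    return 1
  fi
  grep -q '<helper name="ftp"/>' "$f"
}

# Number of lines in $1 matching pattern $2 (0 when none; grep -c alone exits 1).
count_lines_matching() {
  grep -c "$2" "$1" || true
}

tmp=$(mktemp -d)
make_sample_ftp_xml "$tmp/ftp.xml"
derive_gateway_service "$tmp/ftp.xml" "$tmp/ftp-gateway.xml"
if check_gateway_service "$tmp/ftp-gateway.xml"; then
  echo "ftp-gateway.xml: helper kept, port dropped"
else
  echo "ftp-gateway.xml: check failed" >&2
  exit 1
fi
cat "$tmp/ftp-gateway.xml"

# To install it on a real gateway (Eric's steps, not run here):
#   cp "$tmp/ftp-gateway.xml" /etc/firewalld/services/ftp-gateway.xml
#   firewall-cmd --permanent --zone=<zone> --remove-service=ftp
#   firewall-cmd --permanent --zone=<zone> --add-service=ftp-gateway
#   firewall-cmd --reload
```

After the reload, `firewall-cmd --info-service=ftp-gateway` should list the helper and an empty ports line, and the CT rule should appear in the raw table's PREROUTING chain while no port 21 ACCEPT shows up in the zone's INPUT rules; if a port does show up, the derived file still carried a `<port>` element and the check above would have caught it before installation.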