On Wed, May 09, 2018 at 03:50:27PM -0300, Marcelo Ricardo Leitner wrote:
> On Wed, May 09, 2018 at 08:58:29AM -0400, Eric Garver wrote:
> > On Tue, May 08, 2018 at 09:32:55PM -0300, Marcelo Ricardo Leitner wrote:
> > > Hi,
> > >
> > > I'm trying to use
> > > # firewall-cmd --set-automatic-helpers=no
> > > to have it only assign the expected helpers, as it is more secure.
> > >
> > > The protocol I'm interested in is FTP. The gateway in question doesn't
> > > provide any FTP service, but at the same time, it seems I cannot get
> > > firewalld to add the CT iptables rule if I don't add the FTP service
> > > to the zone ('internal' one, fwiw), which in turn also allows INPUT of
> > > such packets but that's not wanted.
> > >
> > > Is there a way that I can allow it to assign the helper, without
> > > having to allow the INPUT for such service?
> >
> > I think so. Take a look at /usr/lib/firewalld/services/ftp.xml. It
> > defines a "port" and a "helper". The helper also defines a
> > helper port.
> > The "port" corresponds to the rule in the filter,INPUT chain. The
> > "helper" corresponds to the rule in the raw,PREROUTING chain.
> >
> > So you can create a new service without the "port" line.
> > e.g.
> >
> > # grep -v 'port="21"' /usr/lib/firewalld/services/ftp.xml > /etc/firewalld/services/ftp-gateway.xml
> > # firewall-cmd --permanent --zone=<zone> --remove-service=ftp
> > # firewall-cmd --permanent --zone=<zone> --add-service=ftp-gateway
> > # firewall-cmd --reload
>
> Btw, after applying these for zone 'internal', something happened and
> the zone lost all its configs except for the newly added ftp-gateway
> service.
> I tried reproducing, but it didn't happen again, and couldn't spot
> anything odd in the logs. I'm mentioning because it's not the first
> time this happened with me, but too bad I don't have more information.
There was a bug [0] where using --set-log-denied or --automatic-helpers
could cause a zone's configuration to be zeroed. It was fixed in upstream
v0.5.0 and RHEL firewalld-0.4.4.4-13.el7.

[0] https://bugzilla.redhat.com/show_bug.cgi?id=1514043
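Added example, not from the thread or the firewalld project: it derives the helper-only service Eric describes with an XML parser instead of `grep -v`, so the result does not depend on the `<port>` element being spelled on one line, and it refuses to produce a service that would assign no helper at all. The `FTP_XML` sample is constructed to mirror the shape of /usr/lib/firewalld/services/ftp.xml, not copied from it.

```python
"""Derive a helper-only firewalld service definition from a stock one."""
import xml.etree.ElementTree as ET

# Constructed sample of a stock service file (shape only, not verbatim).
FTP_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <description>FTP is a protocol used for remote file transfer.</description>
  <port protocol="tcp" port="21"/>
  <helper name="ftp"/>
</service>
"""

XML_DECL = '<?xml version="1.0" encoding="utf-8"?>\n'


def helper_only_service(xml_text, short_name):
    """Return a service that keeps every <helper> but drops every <port>.

    In firewalld, <port> becomes the accept rule in filter/INPUT and
    <helper> becomes the CT rule in raw/PREROUTING. Removing <port> keeps
    the conntrack helper assignment without opening the service on the
    host. Raises ValueError when the source defines no helper, because
    the derived service would then do nothing useful.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "service":
        raise ValueError("not a firewalld service definition")
    if root.find("helper") is None:
        raise ValueError("service defines no <helper>; nothing to keep")
    for port in root.findall("port"):
        root.remove(port)
    short = root.find("short")
    if short is not None:
        short.text = short_name
    return XML_DECL + ET.tostring(root, encoding="unicode")


def summarize(xml_text):
    """Return (ports, helpers) so a service can be checked before use."""
    root = ET.fromstring(xml_text)
    ports = [(p.get("protocol"), p.get("port")) for p in root.findall("port")]
    helpers = [h.get("name") for h in root.findall("helper")]
    return ports, helpers


if __name__ == "__main__":
    derived = helper_only_service(FTP_XML, "FTP gateway (helper only)")
    print(derived)
    print(summarize(derived))  # ([], ['ftp'])
```

Write the returned text to /etc/firewalld/services/ftp-gateway.xml and add that service to the zone as in the thread; `summarize()` on the file is a quick check that no port survived.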