Hi, I'm trying to use # firewall-cmd --set-automatic-helpers=no to have it to only assign the expected helpers, as it is more secure. The protocol I'm interested is FTP. The gateway in question doesn't provide any FTP service, but at the same time, it seems I cannot get firewalld to add the CT iptables rule if I don't add the FTP service to the zone ('internal' one, fwiw), which in turn also allows INPUT of such packets but that's not wanted. Is there a way that I can allow it to assign the helper, without having to allow the INPUT for such service?

On Tue, May 08, 2018 at 09:32:55PM -0300, Marcelo Ricardo Leitner wrote: > Hi, > > I'm trying to use > # firewall-cmd --set-automatic-helpers=no > to have it to only assign the expected helpers, as it is more secure. > > The protocol I'm interested is FTP. The gateway in question doesn't > provide any FTP service, but at the same time, it seems I cannot get > firewalld to add the CT iptables rule if I don't add the FTP service > to the zone ('internal' one, fwiw), which in turn also allows INPUT of > such packets but that's not wanted. > > Is there a way that I can allow it to assign the helper, without > having to allow the INPUT for such service? I think so. Take a look at /usr/lib/firewalld/services/ftp.xml. It defines a "port" and a "helper". The helper also defines a helper port. The "port" corresponds to the rule in the filter,INPUT chain. The "helper" corresponds to the rule in the raw,PREROUTING chain. So you can create a new service without the "port" line. e.g. # grep -v 'port="21"' /usr/lib/firewalld/services/ftp.xml > /etc/firewalld/services/ftp-gateway.xml # firewall-cmd --permanent --zone=<zone> --remove-service=ftp # firewall-cmd --permanent --zone=<zone> --add-service=ftp-gateway # firewall-cmd --reload

On Wed, May 09, 2018 at 03:50:27PM -0300, Marcelo Ricardo Leitner wrote: > On Wed, May 09, 2018 at 08:58:29AM -0400, Eric Garver wrote: > > On Tue, May 08, 2018 at 09:32:55PM -0300, Marcelo Ricardo Leitner wrote: > > > Hi, > > > > > > I'm trying to use > > > # firewall-cmd --set-automatic-helpers=no > > > to have it to only assign the expected helpers, as it is more secure. > > > > > > The protocol I'm interested is FTP. The gateway in question doesn't > > > provide any FTP service, but at the same time, it seems I cannot get > > > firewalld to add the CT iptables rule if I don't add the FTP service > > > to the zone ('internal' one, fwiw), which in turn also allows INPUT of > > > such packets but that's not wanted. > > > > > > Is there a way that I can allow it to assign the helper, without > > > having to allow the INPUT for such service? > > > > I think so. Take a look at /usr/lib/firewalld/services/ftp.xml. It > > defines a "port" and a "helper". The helper also defines a helper port. > > The "port" corresponds to the rule in the filter,INPUT chain. The > > "helper" corresponds to the rule in the raw,PREROUTING chain. > > > > So you can create a new service without the "port" line. > > e.g. > > > > # grep -v 'port="21"' /usr/lib/firewalld/services/ftp.xml > /etc/firewalld/services/ftp-gateway.xml > > # firewall-cmd --permanent --zone=<zone> --remove-service=ftp > > # firewall-cmd --permanent --zone=<zone> --add-service=ftp-gateway > > # firewall-cmd --reload > > Btw, after applying these for zone 'internal', something happened and > the zone lost all its configs except for the newly added ftp-gateway > service. > > I tried reproducing, but it didn't happen again, and couldn't spot > anything odd in the logs. I'm mentioning because it's not the first > time this happened with me, but too bad I don't have more information. There was a bug [0] where using --set-log-denied or --automatic-helpers could cause a zones configuration to be zeroed. It was fixed in upstream v0.5.0 and RHEL firewalld-0.4.4.4-13.el7. [0] https://bugzilla.redhat.com/show_bug.cgi?id=1514043