Score:1

firewalld: blocking outgoing connections blocks also incomming connections

in flag

log4shell has caused us to improve the security of some servers. We want now also block outgoing traffic (as possible). The current firewall rules are:

/> firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: dhcpv6-client https smtp ssh
  ports: 143/tcp 3000/tcp 4949/tcp 8080/tcp 12999/tcp 25/tcp 1194/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

So at example connections to the server via ssh are currently possible (and should be still possible in the future). Now we want to prevent all outgoing connections except connections through https (443). To do that we have add some firewalld rules (see also https://serverfault.com/a/624474/145652):

/> firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp -m tcp --dport=443 -j ACCEPT
success
/> firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -j DROP
success
/> firewall-cmd --reload

But after these commands, we will lose all connections to server: no ping, no ssh, the server don't accepts any connection. Possible that firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -j DROP is blocking all outgoing traffic, including the servers answer of incoming (ssh-) requests? Is there a rule missing to allow sending the answer data of incoming requests?

A.B avatar
cl flag
A.B
Using direct rules barely qualifies as using firewalld. It's more bypassing it (with low priority values) than using it.
Score:2
cn flag

I'm just spinning up an instance to test, but I suspect it's because you're not allowing related/established outbound rules as well, so the kernel is killing your existing connections.

Update: I'm sure this is the problem. I just tested it by booting Centos 7 on an EC2 instance, installing FirewallD, and then pasting in your first rule without the permanent flag. All working okay.

As soon as I pasted in the DROP rule, I got disconnected.

In the link you provided, the first rule they add is an ESTABLISHED,RELATED rule. This means that connections that are allowed in are allowed out (so the firewall is stateful). Without that rule, you have no stateful rules and your SSH connection can't establish.

So your actual list of rules needs to be:

# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 80 -j ACCEPT
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 443 -j ACCEPT
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 53 -j ACCEPT
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p udp --dport 53 -j ACCEPT
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 2 -j DROP

Note I've included HTTP, HTTPS, and DNS as well - else connections won't establish to DNS names because the server won't be able to resolve them...

in flag
In the link I provide, I had only read the accepted answer. But sometimes it's a good idea to read more as only the accepted answer or the answer with the most upvotes - lol. Thanks!
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.