How to change default firewalld behaviour to drop all established connections on reload

Maksat Baigazy

9/19/23, 9:58 AM

I have a web-server and sshd services running and listening for connections on their ports. What I want to achieve is when I change my zone from public to something that prohibits ports 22 or 443, my current connections will expire. Right now after prohibiting those ports and reloading firewalld, connections are still alive.

I think this can be achieved by adding a direct rule, but I don't know how the rule should look like and how to put it on top.

0 + 0

linux

iptables

firewalld

Score:0

Server

A.B

9/21/23, 9:35 AM

From firewalld manpage:

--reload

Reload firewall rules and keep state information. [...]

--complete-reload

Reload firewall completely, even netfilter kernel modules. This will most likely terminate active connections, because state information is lost. [...]

So doing firewall-cmd --complete-reload would be a heavy method that does the trick. Actually it should not terminate established TCP connections which are still allowed in the new ruleset, thanks to net.netfilter.nf_conntrack_tcp_loose = 1 (they should go back through NEW->ESTABLISHED without connectivity loss).

But rather than this, it's easier to simply delete Netfilter's conntrack state with the dedicated tool: conntrack (requires installing a package usually named conntrack or conntrack-tools).

conntrack -F

or doing it selectively (additional options like address ranges can make it more selective):

conntrack -D -p tcp --dport 443; conntrack -D -p tcp --dport 22

0 + 0

Maksat Baigazy

9/23/23, 4:47 AM

Thank you very much, this is what I actually did and it worked like a charm!

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: How to change default firewalld behaviour to drop all established connections on reload

TH: วิธีเปลี่ยนพฤติกรรมเริ่มต้นของไฟร์วอลล์เพื่อยกเลิกการเชื่อมต่อที่สร้างไว้ทั้งหมดเมื่อโหลดซ้ำ

RO: Cum se schimbă comportamentul firewalld implicit pentru a elimina toate conexiunile stabilite la reîncărcare

RU: Как изменить поведение firewalld по умолчанию, чтобы сбросить все установленные соединения при перезагрузке

VI: Cách thay đổi hành vi tường lửa mặc định để loại bỏ tất cả các kết nối đã thiết lập khi tải lại

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.