I am running CentOS Stream 9 on VMware. I recently used dnf update and now there is a weird problem: some ping replies are stopped by firewalld. If I stop the firewall, ping works fine.
The problem presents itself like this:
- I ping from the server "SRV" to an address, say 10.0.0.1, and it responds
- I ping 10.0.0.2 from the same server and it does not respond
- I can telnet to 10.0.0.2 with no problem, so the problem only applies to ICMP
- I disable firewalld on the server SRV and now both respond
I enabled logging of denied packets and I get entries like this:
SRV kernel: STATE_INVALID_DROP: IN=ens192 OUT= MAC=00:50:56:bc:2b:5e:43:36:95:ea:a1:51:08:00 SRC=10.0.0.2 DST=10.11.1.220 LEN=84 TOS=0x00 PREC=0x00 TTL=248 ID=23909 PROTO=ICMP TYPE=0 CODE=3 ID=51479 SEQ=7
Basically the firewall blocks these specific IP addresses as INVALID state. How it chooses the IP addresses seems quite random.
As I see it, this could be a conntrack issue? Is there a way to force-allow those ICMP messages through? The server SRV is hosting a Zabbix server that pings a lot of addresses, so it is kind of a bummer that it chooses to block some ICMP replies as invalid state.
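The posted log line carries TYPE=0 CODE=3, an echo reply with a non-zero code, and RFC 792 defines the code of an echo reply as 0. That detail matters for conntrack: an inbound reply is inverted into a request tuple that keeps the reply's code and id, looked up against outstanding requests, and if nothing matches, conntrack refuses to open a new entry keyed on a reply type, so the packet stays untracked and the firewalld rule on `ct state invalid` drops it. The following Python script is an added example, not part of the original post, that models this lookup and runs it over log lines in the posted format. The behaviour it models is summarised from the kernel's nf_conntrack_proto_icmp.c (the invert map and the valid_new table); the script itself is a simplified model, not kernel code. The extra log lines beyond the one from the post and the table of outstanding requests are constructed for the example.

```python
import re
from collections import Counter

# Reply type -> request type, as the kernel's icmp_invert_tuple maps them
# (echo, timestamp, info request, address mask).
REPLY_TO_REQUEST = {0: 8, 14: 13, 16: 15, 18: 17}
# Types conntrack is willing to open a NEW entry for (valid_new[] in
# nf_conntrack_proto_icmp.c). Reply types are deliberately absent.
VALID_NEW = {8, 13, 15, 17}

# Outstanding echo requests as (src, dst, type, code, icmp_id) in the original
# direction. Constructed for this example: SRV 10.11.1.220 has pinged 10.0.0.2
# and 10.0.0.3 with id 51479 and, as RFC 792 requires, code 0.
OUTSTANDING_REQUESTS = {
    ("10.11.1.220", "10.0.0.2", 8, 0, 51479),
    ("10.11.1.220", "10.0.0.3", 8, 0, 51479),
}

# Constructed log sample. The first line is the one from the post; the other
# two are made up in the same format (MAC field shortened).
SAMPLE_LOG = """\
SRV kernel: STATE_INVALID_DROP: IN=ens192 OUT= MAC=00:50:56:bc:2b:5e:43:36:95:ea:a1:51:08:00 SRC=10.0.0.2 DST=10.11.1.220 LEN=84 TOS=0x00 PREC=0x00 TTL=248 ID=23909 PROTO=ICMP TYPE=0 CODE=3 ID=51479 SEQ=7
SRV kernel: STATE_INVALID_DROP: IN=ens192 OUT= MAC=xx SRC=10.0.0.2 DST=10.11.1.220 LEN=84 TOS=0x00 PREC=0x00 TTL=248 ID=23910 PROTO=ICMP TYPE=0 CODE=3 ID=51479 SEQ=8
SRV kernel: STATE_INVALID_DROP: IN=ens192 OUT= MAC=xx SRC=10.0.0.7 DST=10.11.1.220 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4242 PROTO=ICMP TYPE=0 CODE=0 ID=777 SEQ=1
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=ICMP TYPE=(?P<type>\d+) "
    r"CODE=(?P<code>\d+) ID=(?P<id>\d+) SEQ=(?P<seq>\d+)"
)


def parse_line(line):
    """Pull the ICMP fields out of a netfilter log line.

    The line has two ID= fields: the IP header id (after TTL=) and the ICMP
    echo id (after CODE=). Anchoring on PROTO=ICMP TYPE=... CODE=... takes the
    second one, which is the one conntrack keys on.
    """
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "src": m["src"],
        "dst": m["dst"],
        "type": int(m["type"]),
        "code": int(m["code"]),
        "id": int(m["id"]),
        "seq": int(m["seq"]),
    }


def conntrack_verdict(pkt, table=OUTSTANDING_REQUESTS):
    """Model how nf_conntrack classifies an inbound ICMP packet.

    Returns (state, reason). Only request/reply types are modelled; ICMP error
    messages (type 3, 11, ...) are matched on the packet they embed and are
    out of scope here.
    """
    t, code, icmp_id = pkt["type"], pkt["code"], pkt["id"]
    if t in REPLY_TO_REQUEST:
        # Invert the reply into the request tuple. Code and id are carried
        # over unchanged, so a reply whose code differs from the request's
        # can never hit the existing entry.
        orig = (pkt["dst"], pkt["src"], REPLY_TO_REQUEST[t], code, icmp_id)
        if orig in table:
            return "ESTABLISHED", "reply matches an outstanding request"
        with_code0 = (pkt["dst"], pkt["src"], REPLY_TO_REQUEST[t], 0, icmp_id)
        if code != 0 and with_code0 in table:
            reason = f"reply carries code {code}; request was sent with code 0"
        else:
            reason = "no outstanding request with this id (expired or never sent)"
        # No match: conntrack would have to open a NEW entry keyed on a reply
        # type, which valid_new[] forbids, so the packet is left untracked and
        # 'ct state invalid' matches it.
        return "INVALID", reason
    if t in VALID_NEW:
        return "NEW", "request type; a conntrack entry is created"
    return "UNMODELLED", "ICMP error message; matched via the embedded packet"


def triage(log_text, table=OUTSTANDING_REQUESTS):
    """Run every ICMP log line through the model and return the findings."""
    findings = []
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        state, reason = conntrack_verdict(pkt, table)
        findings.append((pkt["src"], pkt["type"], pkt["code"], state, reason))
    return findings


def summarize(findings):
    """Count INVALID verdicts per (source, reason) to expose the pattern."""
    return Counter((src, reason) for src, _, _, state, reason in findings
                   if state == "INVALID")


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f)
    for (src, reason), n in summarize(found).items():
        print(f"{src}: {n} x {reason}")
```

Run against real journal output (for example `journalctl -k | grep STATE_INVALID_DROP`), the summary separates replies dropped because the replying host answers with a non-zero code from replies that arrived after the conntrack entry expired, which is the distinction that decides where to look next. A capture on the Zabbix host with `tcpdump -ni ens192 'icmp[0] == 0 and icmp[1] != 0'` (icmp[0] is the type byte, icmp[1] the code byte) confirms on the wire whether the affected hosts really send echo replies with a non-zero code before any firewall rule is touched.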