
I am running CentOS Stream 9 on VMware. I recently ran dnf update and now there is a weird problem: some ping replies are stopped by firewalld. If I stop the firewall, ping works OK.

The problem presents itself like this:

  1. I ping from the server "SRV" to an address, say 10.0.0.1, and it responds
  2. I ping 10.0.0.2 from the same server and that does not respond
  3. I can telnet to 10.0.0.2 with no problem, so the problem only applies to ICMP
  4. I disable firewalld on the server SRV and now both respond

I enabled logging of denied packets and I get entries like this:

SRV kernel: STATE_INVALID_DROP: IN=ens192 OUT= MAC=00:50:56:bc:2b:5e:43:36:95:ea:a1:51:08:00 SRC=10.0.0.2 DST=10.11.1.220 LEN=84 TOS=0x00 PREC=0x00 TTL=248 ID=23909 PROTO=ICMP TYPE=0 CODE=3 ID=51479 SEQ=7

Basically the firewall blocks these specific IP addresses as INVALID state. How it chooses the IP addresses seems to be quite random.

As I see it, this could be a conntrack issue? Is there a way to force-allow those ICMP messages through? The server SRV is hosting a Zabbix server that pings a lot of addresses, so it is kind of a bummer that it chooses to block some ICMP replies as invalid state.

Greg Askew
Teemu Sa
  • You should provide the results of a tcpdump command (with one -v) capturing both packets (query and answer) on the system producing this firewall log, along with the log, so we can check if something is wrong (e.g. the reply source isn't the expected reply source, or the ID got changed, etc.). `conntrack -E -p icmp` could also help (instead of tcpdump). – A.B Apr 01 '23 at 07:40
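Before reaching for tcpdump, the dropped-packet log line already carries the fields conntrack uses to match an echo reply to its request (SRC, the ICMP ID and SEQ) and the fields that make a reply well-formed (TYPE and CODE). The following script is an added example, not part of the original question or of any answer: it parses firewalld LogDenied lines in the kernel's format, keeps the two `ID=` fields apart (the first is the IP header ID, the second the ICMP echo ID), and flags echo replies that carry a non-zero code, which RFC 792 does not define for echo request/reply. The log lines below are constructed for the example; the first is the one quoted in the question, the other two are made-up comparison lines (a normal reply and a port-unreachable error, where code 3 is legitimate).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log: line 1 is the entry quoted in the question,
# lines 2-3 are made-up comparison entries (not from the original post).
SAMPLE_LOG = """\
SRV kernel: STATE_INVALID_DROP: IN=ens192 OUT= MAC=00:50:56:bc:2b:5e:43:36:95:ea:a1:51:08:00 SRC=10.0.0.2 DST=10.11.1.220 LEN=84 TOS=0x00 PREC=0x00 TTL=248 ID=23909 PROTO=ICMP TYPE=0 CODE=3 ID=51479 SEQ=7
SRV kernel: STATE_INVALID_DROP: IN=ens192 OUT= MAC=00:50:56:bc:2b:5e:43:36:95:ea:a1:51:08:00 SRC=10.0.0.1 DST=10.11.1.220 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=1 PROTO=ICMP TYPE=0 CODE=0 ID=51479 SEQ=8
SRV kernel: STATE_INVALID_DROP: IN=ens192 OUT= MAC=00:50:56:bc:2b:5e:43:36:95:ea:a1:51:08:00 SRC=10.0.0.3 DST=10.11.1.220 LEN=56 TOS=0x00 PREC=0x00 TTL=62 ID=7 PROTO=ICMP TYPE=3 CODE=3
"""

# RFC 792: echo request (8) and echo reply (0) are defined with code 0 only.
ICMP_TYPE_NAMES = {0: "echo-reply", 3: "destination-unreachable",
                   8: "echo-request", 11: "time-exceeded"}
ZERO_CODE_ONLY = {0, 8}

# "<host> kernel: <log prefix>: KEY=VAL KEY=VAL ..."
LOG_PREFIX = re.compile(r"kernel:\s+(?P<prefix>[A-Za-z0-9_]+):\s+(?P<fields>.*)$")


@dataclass
class DroppedPacket:
    prefix: str
    iface_in: str
    src: str
    dst: str
    ttl: int
    proto: str
    ip_id: int
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    icmp_id: Optional[int] = None
    icmp_seq: Optional[int] = None


def parse_drop_line(line: str) -> Optional[DroppedPacket]:
    """Parse one kernel nf_log line as written by firewalld's LogDenied."""
    m = LOG_PREFIX.search(line)
    if not m:
        return None
    fields: Dict[str, str] = {}
    seen_proto = False
    for tok in m.group("fields").split():
        if "=" not in tok:
            continue
        key, _, val = tok.partition("=")
        # The kernel prints ID= twice: the IP header ID before PROTO=,
        # and the ICMP echo identifier after it. Keep them apart.
        if key == "ID":
            key = "ICMP_ID" if seen_proto else "IP_ID"
        if key == "PROTO":
            seen_proto = True
        fields[key] = val
    pkt = DroppedPacket(prefix=m.group("prefix"), iface_in=fields.get("IN", ""),
                        src=fields["SRC"], dst=fields["DST"], ttl=int(fields["TTL"]),
                        proto=fields.get("PROTO", ""), ip_id=int(fields["IP_ID"]))
    if pkt.proto == "ICMP":
        pkt.icmp_type = int(fields["TYPE"])
        pkt.icmp_code = int(fields["CODE"])
        if "ICMP_ID" in fields:          # only echo request/reply carry ID/SEQ
            pkt.icmp_id = int(fields["ICMP_ID"])
            pkt.icmp_seq = int(fields["SEQ"])
    return pkt


def check_icmp(pkt: DroppedPacket) -> List[str]:
    """Return human-readable findings about why conntrack may call this INVALID."""
    findings: List[str] = []
    if pkt.proto != "ICMP":
        return findings
    name = ICMP_TYPE_NAMES.get(pkt.icmp_type, f"type-{pkt.icmp_type}")
    if pkt.icmp_type in ZERO_CODE_ONLY and pkt.icmp_code != 0:
        findings.append(f"{name} from {pkt.src} (echo id {pkt.icmp_id}, seq {pkt.icmp_seq}) "
                        f"carries code {pkt.icmp_code}; RFC 792 defines only code 0 for this type")
    return findings


def audit(log_text: str) -> Dict[str, List[str]]:
    """Map each source address in the log to the findings for its dropped packets."""
    result: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        pkt = parse_drop_line(line)
        if pkt is not None:
            result.setdefault(pkt.src, []).extend(check_icmp(pkt))
    return result


if __name__ == "__main__":
    for src, findings in audit(SAMPLE_LOG).items():
        print(src, "->", findings or "no anomaly in the logged fields")
```

Run it over the real journal output (`journalctl -k | grep STATE_INVALID_DROP`) to see whether the dropped replies share a pattern in the logged fields; the comparison with a tcpdump of the outgoing echo request (same ICMP ID and SEQ, same peer address) is still the definitive check the comment above asks for.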

0 Answers