
Not sure what I've got wrong here. I don't see port 4506 open in this configuration, but I'm able to telnet to it from a remote machine on the 156.9.122 subnet. What am I doing wrong?

# firewall-cmd --list-all-zones

firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


dmz
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


drop
  target: DROP
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


external
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


home
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh mdns samba-client dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


internal
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh mdns samba-client dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


public (active)
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 156.9.122.0/24
  services: http https ntp dhcpv6-client kerberos ldaps ssh dns ldap
  ports: 443/tcp 7902/tcp 8014/tcp 7903/tcp 8089/tcp 463/tcp 7899/tcp 7898/tcp 7900/tcp 52311/udp 80/tcp 7901/tcp 1584/tcp 1585/tcp 463/udp 22/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


work
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

# iptables -nvL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
28874 7345K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  205 36869 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
  117 12145 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  117 12145 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  112 11773 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
   21  4809 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_IN_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_IN_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_OUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_OUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 29114 packets, 7722K bytes)
 pkts bytes target     prot opt in     out     source               destination         
29114 7722K OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD_IN_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDI_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain FORWARD_IN_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDI_public  all  --  *      *       156.9.122.0/24       0.0.0.0/0           [goto] 

Chain FORWARD_OUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDO_public  all  --  *      +       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDO_public  all  --  *      *       0.0.0.0/0            156.9.122.0/24      [goto] 

Chain FORWARD_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_public (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDI_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDI_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDI_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FWDI_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_public (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDO_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDO_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDO_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FWDO_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  112 11773 IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain INPUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    5   372 IN_public  all  --  *      *       156.9.122.0/24       0.0.0.0/0           [goto] 

Chain INPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_public (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  117 12145 IN_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  117 12145 IN_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  117 12145 IN_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    3   252 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   93  7084 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 25/min burst 100
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:123 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:88 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:88 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:636 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:389 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:7902 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8014 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:7903 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8089 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:463 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:7899 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:7898 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:7900 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:52311 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:7901 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1584 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1585 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:463 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW

Chain IN_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         

2 Answers


This seems to be the rule that allows such traffic:

Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   93  7084 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 25/min burst 100

Starting from the INPUT chain:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
28874 7345K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  205 36869 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
  117 12145 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  117 12145 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  112 11773 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Note INPUT_ZONES_SOURCE and INPUT_ZONES. INPUT_direct is empty, so nothing earlier in the chain denied or rejected anything.

Chain INPUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    5   372 IN_public  all  --  *      *       156.9.122.0/24       0.0.0.0/0

Chain INPUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  112 11773 IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Both chains call IN_public. In this case the source is in 156.9.122.0/24, so INPUT_ZONES_SOURCE is used. Had it not been, INPUT_ZONES would have been called with identical results. Basically INPUT_ZONES_SOURCE is doing nothing in this config, but the presence of a [goto] in one could make a difference if the rules change.

Chain IN_public (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  117 12145 IN_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  117 12145 IN_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  117 12145 IN_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0

IN_public_log and IN_public_deny are empty so they do nothing. Thus IN_public_allow is reached:

Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   93  7084 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 25/min burst 100

All IPs and all TCP ports are accepted, subject only to the rate limit (average 25/min, burst 100) — that rule has no destination-port match at all, which is why 4506 is reachable even though nothing opens it. Due to INPUT_ZONES this is true for all sources, not just 156.9.122.0/24, so things are worse than you may have thought.

Disclaimer: programmatically generated iptables rules make my eyes bleed so I could very well be wrong.

Mark Wagner
  • Thanks for the info, so do you know what I would need to do to fix it? Could it be fixed via firewall-cmd? I'm no iptables expert and agree this is spaghetti that I guess is generated via firewalld. – Adam vonNieda Apr 05 '19 at 20:57
    I don't know. I have never used firewalld. – Mark Wagner Apr 05 '19 at 22:27
  • OK well in that case I think I'll probably disable firewalld and see if I can fix it with straight iptables from scratch. Appreciate the assist. – Adam vonNieda Apr 06 '19 at 00:34
    That doesn't look like it came from firewalld at all. Perhaps someone manually inserted it? – Michael Hampton Apr 06 '19 at 00:52
  • @Michael - Possibly. This OS was not installed by me, and I kind of feel like my best path is to back everything out and start over. I'm comfortable with both firewalld and iptables, but I'm not an expert with either. So I'm gonna clear the iptables rules, and copy the firewalld zones from a "clean" OS and start fresh. I can handle it from there. Thanks Michael and Mark. – Adam vonNieda Apr 06 '19 at 03:13
  • Turns out the rule was in /etc/firewalld/direct.xml, possibly as part of a STIG of the OS. – Adam vonNieda Apr 09 '19 at 15:14

In my testing, the replacement rule provided by Red Hat (the `-j INPUT_ZONES` version shown below) was invalid: `firewall-cmd --reload` fails with the error shown. Since the rule no longer seems to be in the STIG documentation, I'm just removing it.

[root@d1dd-trdev-rv01 ~]# cat /etc/firewalld/direct.xml

<?xml version="1.0" encoding="utf-8"?> 
<direct>
<rule priority="0" table="filter" ipv="ipv4" chain="IN_public_allow">-p tcp -m limit --limit 25/minute --limit-burst 100 -j INPUT_ZONES</rule> 
</direct>

[root@d1dd-trdev-rv01 ~]# firewall-cmd --reload

Error: COMMAND_FAILED: Direct: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore: line 3 failed

Note that the following DID NOT WORK; I'm leaving it here for reference.

I got confirmation today from Red Hat that the rule @Michael Hampton pointed out did in fact come from /etc/firewalld/direct.xml, and that it was a bug in the STIG documentation. The docs said to use this (note the `-j ACCEPT`, which accepts any rate-limited TCP packet regardless of destination port):

<?xml version="1.0" encoding="utf-8"?> 
<direct>
 <rule priority="0" table="filter" ipv="ipv4" chain="IN_public_allow">-p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT</rule> 
</direct>

when you should be using this instead (note the `-j INPUT_ZONES`):

<?xml version="1.0" encoding="utf-8"?> 
<direct>
 <rule priority="0" table="filter" ipv="ipv4" chain="IN_public_allow">-p tcp -m limit --limit 25/minute --limit-burst 100 -j INPUT_ZONES</rule> 
</direct>
  • Did they publish a KB entry about it? Or fix the docs? – Michael Hampton Apr 11 '19 at 00:48
  • The RH guy said he'd seen it before and was trying to get DISA to change the STIG. When I was searching for a solution I found reference to the draft RH7 STIG, and when I looked at the current one (v2), I did not find an entry for this at all. So maybe they removed it for the time being. – Adam vonNieda Apr 11 '19 at 01:09