
List:       firewalld-users
Subject:    Rejections of related/established connections?
From:       Koen Drai <koen.drai () gmail ! com>
Date:       2022-02-07 22:00:21
Message-ID: b122f93c-5715-e710-fa06-d6bc19d316ae () gmail ! com

Hi,

Not sure if I am missing something, but I keep running into connections being rejected that should be accepted from how I (think I :)) have defined the rules. I somehow get the feeling that the behavior below is related to nft rules only containing "new, untracked" but not related and established.

Googled if there is a way to add these two states to rules, but did not find anything. A direct rule might help, but since these are discouraged for futureproofness, trying to figure out the "right" way.


Working on a Debian 11 system, nftables backend.


Example 1, syncthing:
zone file knet.xml, amongst others:

   <service name="syncthing"/>
   <source-port port="22000" protocol="tcp"/>
   <source-port port="22000" protocol="udp"/>
   <rule family="ipv4">
     <source address="192.168.1.1/24"/>
     <port port="22000" protocol="tcp"/>
     <accept/>
   </rule>
   <rule family="ipv4">
     <source address="192.168.1.1/24"/>
     <port port="22000" protocol="udp"/>
     <accept/>
   </rule>


Nicely translated into the nft ruleset (amongst others):

ip saddr 192.168.1.0/24 tcp dport 22000 ct state { new, untracked } accept
ip saddr 192.168.1.0/24 udp dport 22000 ct state { new, untracked } accept


However, I still get these errors in syslog:

filter_IN_knet_REJECT: "IN=enp2s0 OUT= MAC=<ANOM> SRC=192.168.1.54 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=33526 DF PROTO=TCP SPT=22000 DPT=22000 WINDOW=65535 RES=0x00 SYN




Example 2, Apache as an https proxy:
  <rule family="ipv4">
     <source address="192.168.1.13"/>
     <source-port port="443" protocol="tcp"/>
     <accept/>
   </rule>


  ip saddr 192.168.1.13 tcp sport 443 ct state { new, untracked } accept


"filter_IN_knet_REJECT: "IN=enp2s0 OUT= MAC=<ANOM> SRC=192.168.1.13 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=443 DPT=34860 WINDOW=0 RES=0x00 RST URGP=0


What's going on here?


Thanks a lot for your help and best regards
_______________________________________________
firewalld-users mailing list -- firewalld-users@lists.fedorahosted.org
To unsubscribe send an email to firewalld-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedorahosted.org
 Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
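
The two log lines above differ in a way that matters for rules carrying `ct state { new, untracked }`: the first is a bare SYN (a new connection attempt, which such a rule can match if its address and port conditions fit), the second is a RST with no SYN, i.e. a packet from a conversation conntrack is no longer tracking, which no `ct state new` rule can ever match. firewalld's nftables ruleset accepts established/related traffic in the shared filter_INPUT chain before jumping to the zone chains, so zone rules only ever see packets conntrack did not already classify as established. Because the kernel log line itself carries no conntrack state, the only thing you can read off it is the TCP flags. The following is an added triage script (not firewalld's code, nor from the original post) that parses such REJECT lines and sorts them into "new" (a SYN the zone rules failed to match: a real policy gap to fix with a service, port or rich rule) versus "not-new" (ACK/FIN/RST without SYN: a stray packet from a closed or timed-out connection, not fixable with a `new`-state rule). The sample input is constructed from the two lines in the post, with MAC elided as in the post, plus one made-up FIN/ACK line for contrast; the class names are this script's own.

```python
"""Triage firewalld/netfilter REJECT log lines by TCP flags.

Added example, not firewalld code. A netfilter log line does not carry the
conntrack state that the nft rule tested, so the best available proxy is the
set of TCP flags the kernel prints after RES=... (CWR ECE URG ACK PSH RST SYN FIN).
"""
from collections import Counter

TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

# Constructed sample input: the two lines from the post (MAC elided as in the
# post) plus one constructed FIN/ACK line from the same proxy conversation.
SAMPLE_LOG = """\
filter_IN_knet_REJECT: IN=enp2s0 OUT= MAC=<ANOM> SRC=192.168.1.54 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=33526 DF PROTO=TCP SPT=22000 DPT=22000 WINDOW=65535 RES=0x00 SYN URGP=0
filter_IN_knet_REJECT: IN=enp2s0 OUT= MAC=<ANOM> SRC=192.168.1.13 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=443 DPT=34860 WINDOW=0 RES=0x00 RST URGP=0
filter_IN_knet_REJECT: IN=enp2s0 OUT= MAC=<ANOM> SRC=192.168.1.13 DST=192.168.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=443 DPT=34860 WINDOW=501 RES=0x00 ACK FIN URGP=0
"""


def parse_line(line):
    """Split one log line into (prefix, key=value fields, set of TCP flags)."""
    prefix, _, rest = line.strip().partition(": ")
    fields, flags = {}, set()
    for tok in rest.lstrip('"').split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)
        else:
            # Bare IP-level tokens such as DF (don't fragment).
            fields.setdefault("ipflags", []).append(tok)
    return prefix.strip('"'), fields, flags


def classify(fields, flags):
    """Label a rejected packet by whether a 'ct state new' rule could match it."""
    proto = fields.get("PROTO")
    if proto == "TCP":
        if "SYN" in flags and "ACK" not in flags:
            return "new"        # connection attempt: a policy gap if unwanted
        if "SYN" in flags and "ACK" in flags:
            return "syn-ack"    # reply to a SYN conntrack never saw going out
        return "not-new"        # ACK/FIN/RST only: stale or untracked conversation
    if proto == "UDP":
        return "udp"            # first datagram is 'new'; log cannot tell which
    return "other"


def triage(log_text):
    """Return (Counter of classes, rows of (class, src, proto, sport, dport, flags))."""
    rows = []
    for line in log_text.splitlines():
        prefix, fields, flags = parse_line(line)
        if not prefix.endswith(("REJECT", "DROP")):
            continue  # only verdict log lines are interesting here
        rows.append((
            classify(fields, flags),
            fields.get("SRC"),
            fields.get("PROTO"),
            fields.get("SPT"),
            fields.get("DPT"),
            " ".join(sorted(flags)),
        ))
    return Counter(row[0] for row in rows), rows


if __name__ == "__main__":
    counts, rows = triage(SAMPLE_LOG)
    for cls, src, proto, sport, dport, flags in rows:
        print(f"{cls:8} {src:>15} {proto} {sport:>5} -> {dport:<5} [{flags}]")
    print(dict(counts))
```

Run it against `journalctl -k` output instead of the constructed sample to see which rejects are real SYNs. Only the "new" rows are candidates for a missing zone rule; for those, compare SRC and DPT against the zone's nft rules. The "not-new" rows need a different explanation (a connection that timed out of conntrack, a reboot that flushed it, or an asymmetric path), and adding `established,related` to the zone rule would not help because that state is already accepted before the zone chain is reached.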

