firewalld --add-rich-rule and established connections

Hello,

Is it possible to add a rich rule in firewalld and have it affect existing/established connections too?

For example, in firewalld, I temporarily only want to allow one connection, for maintenance:
I do:

firewall-cmd --zone=public --add-source=192.168.1.112
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.112" invert="True" drop'

I don't get any new connections anymore (except for 192.168.1.112), but existing ones still exist.

thanks,

Ron

Responses

That's the expected behaviour.

Existing connections already exist in connection tracking, so they match the earlier accept for RELATED,ESTABLISHED and don't make it down to the new firewall rule.

To make existing sessions re-enter the firewall, you'll need to flush the conntrack table like conntrack -F. That might just outright break existing sessions and require the sessions to start again.

Also be aware of the nf_conntrack_tcp_loose kernel tunable which controls the behaviour of what conntrack will detect as those pre-existing sessions:

That seems to indeed 'break' existing connections; the sessions still exist, but indeed there's no traffic going anymore.

that is actually interesting...

thanks

The TCP session will still exist to the kernel, because TCP hasn't proceeded from ESTABLISHED state to one of the close states (with a FIN) or straight to CLOSED state (with a Reset). So you can still see the sessions in ss -nt for example.

But the firewall isn't allowing in any traffic on the already-ESTABLISHED session. The sessions don't exist in conntrack after the flush, and loose stops apparently-existing sessions from being allowed in too.

Any traffic which arrives for those sessions, your rules above say to drop that traffic silently. So TCP can never proceed until the process closes the socket or ends, then the unsuccessful orphan close times out.
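
An added example, not part of the original thread: the last reply's point that sessions stay visible in ss -nt but are gone from conntrack after the flush can be checked by cross-referencing the two outputs. The sample outputs, the host address 192.168.1.10 and the function names are constructed for illustration.

```python
import re

# Constructed `ss -nt` output on the firewalled host (192.168.1.10 is assumed).
SS_SAMPLE = """\
State  Recv-Q  Send-Q  Local Address:Port         Peer Address:Port
ESTAB  0       0       [::ffff:192.168.1.10]:22   [::ffff:192.168.1.112]:50222
ESTAB  0       0       192.168.1.10:22            192.168.1.50:51514
ESTAB  0       36      192.168.1.10:443           192.168.1.77:40110
"""

# Constructed `conntrack -L -p tcp` output taken after `conntrack -F`:
# only a session from the maintenance host 192.168.1.112 is tracked.
CONNTRACK_SAMPLE = (
    "tcp      6 431990 ESTABLISHED src=192.168.1.112 dst=192.168.1.10 "
    "sport=50222 dport=22 src=192.168.1.10 dst=192.168.1.112 "
    "sport=22 dport=50222 [ASSURED] mark=0 use=1\n"
)

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

def _endpoint(text):
    """Split an ss 'addr:port' field, unwrapping [v6] and ::ffff:v4 forms."""
    addr, port = text.rsplit(":", 1)
    addr = addr.strip("[]")
    if addr.startswith("::ffff:"):
        addr = addr[len("::ffff:"):]
    return addr, int(port)

def established_sockets(ss_output):
    """Map a direction-independent flow key to (local, peer) for ESTAB rows."""
    sockets = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[0] == "ESTAB":
            local, peer = _endpoint(fields[3]), _endpoint(fields[4])
            sockets[frozenset((local, peer))] = (local, peer)
    return sockets

def tracked_flows(conntrack_output):
    """Flow keys for every tuple (original and reply) that conntrack lists."""
    tuples = TUPLE_RE.findall(conntrack_output)
    return {frozenset(((s, int(sp)), (d, int(dp)))) for s, d, sp, dp in tuples}

def untracked_sessions(ss_output, conntrack_output):
    """ESTAB sockets with no conntrack entry: alive to TCP, unseen by conntrack."""
    tracked = tracked_flows(conntrack_output)
    sockets = established_sockets(ss_output)
    return sorted(pair for key, pair in sockets.items() if key not in tracked)
```

On a real host, pass the captured output of ss -nt and conntrack -L -p tcp to untracked_sessions() in place of the samples; each returned pair is a socket the kernel still holds in ESTABLISHED that has no conntrack entry.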