Posted to dev@vcl.apache.org by "Andy Kurth (JIRA)" <ji...@apache.org> on 2018/06/26 19:31:00 UTC

[jira] [Created] (VCL-1102) rules and chains are not being removed with older versions of firewalld

Andy Kurth created VCL-1102:
-------------------------------

             Summary: rules and chains are not being removed with older versions of firewalld
                 Key: VCL-1102
                 URL: https://issues.apache.org/jira/browse/VCL-1102
             Project: VCL
          Issue Type: Bug
          Components: vcld (backend)
    Affects Versions: 2.5
            Reporter: Andy Kurth


I had a CentOS 7.0 reservation and noticed someone pecking from a Chinese IP:
{panel}
{{Jun 26 13:32:39 centos7 sshd[5413]: Failed password for invalid user root from *[CHINESE IP]* port 44276 ssh2}}
{panel}
This shouldn't be possible if the firewall is configured correctly.  VCL limits access to the reservation user's IP address once they connect.

The problem was that the *_vcl-reserved_* chain was still present after I logged in and the request state was _inuse_.  This chain should have been deleted.  This is a security problem because the vcl-reserved chain is what is used to temporarily open access from any remote IP address.

Once a user connection is detected, the code adds another _*vcl-post_load*_ with IP restricted rules and deletes the _*vcl-reserved*_ chain.  Based on the vcld.log output, the VCL code appears to have done this:
{panel}
{{firewalld.pm:remove_direct_chain_rules|369|{color:#14892c}*removed direct rule*{color} from 'vcl-reserved' chain in}}
{{'filter' table on vclv99-68: '0 --jump ACCEPT --protocol tcp --match comment --comment 'VCL: allow traffic from any IP address to connect meth}}
{{od ports during reserved stage of reservation 3527645 (2018-06-26 15:03:35)' --match tcp --dport 22'}}{panel}
{panel}
{{{color:#333333}firewalld.pm:delete_chain|440|{color:#14892c}*deleted 'vcl-reserved' chain*{color}{color} in 'filter' table on <VM>}}
{panel}
The previous commands use the *_--permanent_* argument, so afterwards the code runs *firewall-cmd --reload* to enact the saved, permanent configuration:
{panel}
{{firewalld.pm:save_configuration|261|reloaded firewalld configuration on vclv99-101}}
{panel}
As an added check, the code makes sure no lines got left in direct.xml: 
{panel}
{{no lines were pruned from /etc/firewalld/direct.xml matching pattern: 'filter.*jump\s+vcl-reserved'}}{panel}

So, it looks like the code is doing things correctly.  I then tried to manually run the commands as root:

*iptables -nL*
{panel}
{{Chain vcl-reserved (1 references)}}
{{ target prot opt source destination}}
{{ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 /* VCL: allow traffic from any IP address to connect method ports during reserved stage of reservation 3527645 (2018-06-26 15:03:35) */ tcp dpt:22}}{panel}

*firewall-cmd --permanent --direct --remove-rule ipv4 filter vcl-reserved 0 --jump ACCEPT --protocol tcp --match comment --comment 'VCL: allow traffic from any IP address to connect method ports during reserved stage of reservation 3527645 (2018-06-26 15:03:35)' --match tcp --dport 22*
{panel}
{color:#14892c}*{{success}}*{color}{panel}
*firewall-cmd --reload*
{panel}
firewall-cmd --complete-reload
success{panel}
Still there:

*iptables -nL*
{panel}
{{Chain vcl-reserved (1 references)}}
{{target prot opt source destination}}
{{ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 /* VCL: allow traffic from any IP address to connect method ports during reserved stage of reservation 3527645 (2018-06-26 15:03:35) */ tcp dpt:22}}{panel}
Try --complete-reload:

*firewall-cmd --complete-reload*
{panel}
{color:#14892c}{{success}}{color}{panel}
Still there:

*iptables -nL*
{panel}
{{Chain vcl-reserved (1 references)}}
{{target prot opt source destination}}
{{ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 /* VCL: allow traffic from any IP address to connect method ports during reserved stage of reservation 3527645 (2018-06-26 15:03:35) */ tcp dpt:22}}{panel}
Restart service: 

*systemctl restart firewalld*

*iptables -nL*

vcl-reserved rule is gone.


This was an old 7.0 version of CentOS.  I tried a revision of the same image that had been updated to CentOS 7.3 and it behaved differently, not exhibiting this problem.  The vcl-reserved chain had been removed during the vcld steps.

So, it seems as though *firewall-cmd --reload* isn't sufficient for some older versions of firewalld.  The code needs to be extended with additional checks.  If the chain still exists after attempts to delete it seemed to be successful, the firewalld service should be restarted.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
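The verify-then-restart fallback proposed at the end of the issue, written out as an added example. This is not part of the original issue or of the VCL code base (vcld's firewalld.pm is Perl; this is a stand-alone POSIX shell script). It assumes a firewall-cmd that supports the --direct --remove-rules and --remove-chain options, iptables -nL output laid out as shown in the issue, and that it runs as root; the iptables listings embedded in it are constructed samples, and the file name vcl_chain_cleanup.sh is hypothetical. The check is deliberately made against the live iptables tables rather than against the permanent configuration or the firewall-cmd exit status, since in the issue both of those reported success while the chain was still present.

```shell
#!/bin/sh
# vcl_chain_cleanup.sh (hypothetical name) - added example, not VCL's own code.
# Remove a VCL direct chain permanently, reload firewalld, then verify against the
# LIVE ruleset with `iptables -nL`; if the chain survived the reload (seen with the
# old firewalld on CentOS 7.0), restart firewalld and verify again.
#
# Usage: sudo sh vcl_chain_cleanup.sh --run         # act on the real firewall
#        sh vcl_chain_cleanup.sh --demo             # parse the constructed sample below

CHAIN="${CHAIN:-vcl-reserved}"

# chain_present NAME: read `iptables -nL` output on stdin, succeed if NAME is listed.
# (NAME is used as a regex fragment; VCL chain names contain no regex metacharacters.)
chain_present() {
    grep -q "^Chain $1 "
}

# chain_rules NAME: read `iptables -nL` output on stdin, print only the rule lines
# belonging to chain NAME (header and column-title lines dropped).
chain_rules() {
    awk -v chain="$1" '
        /^Chain /                  { in_chain = ($2 == chain); next }  # enter/leave chain
        in_chain && /^target +prot/ { next }                          # column titles
        in_chain && NF > 0          { print }                         # an actual rule
    '
}

# chain_rule_count NAME: number of live rules in chain NAME (stdin = `iptables -nL`).
chain_rule_count() {
    chain_rules "$1" | wc -l | tr -d ' '
}

# remove_direct_chain NAME: flush and delete NAME from the permanent direct
# configuration (assumes firewall-cmd supports --remove-rules), then reload.
remove_direct_chain() {
    firewall-cmd --permanent --direct --remove-rules ipv4 filter "$1"
    firewall-cmd --permanent --direct --remove-chain ipv4 filter "$1"
    firewall-cmd --reload
}

# ensure_chain_gone NAME: trust the kernel, not firewall-cmd's "success". If the
# chain is still live after the reload, restart firewalld and re-check; fail if it
# is still there, because that means the "any IP" hole is still open.
ensure_chain_gone() {
    chain="$1"
    if ! iptables -nL | chain_present "$chain"; then
        return 0
    fi
    echo "'$chain' still present after firewall-cmd --reload; restarting firewalld" >&2
    systemctl restart firewalld
    if iptables -nL | chain_present "$chain"; then
        echo "'$chain' still present after firewalld restart; manual attention needed" >&2
        return 1
    fi
    return 0
}

# Constructed sample of `iptables -nL` output, before and after a correct cleanup
# (modelled on the listing in the issue; not captured from a real host).
SAMPLE_BEFORE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain vcl-reserved (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            /* VCL: allow traffic from any IP address to connect method ports during reserved stage of reservation 3527645 (2018-06-26 15:03:35) */ tcp dpt:22'

SAMPLE_AFTER='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DROP       all  --  0.0.0.0/0            0.0.0.0/0'

case "${1:-}" in
    --run)  remove_direct_chain "$CHAIN" && ensure_chain_gone "$CHAIN" ;;
    --demo) printf '%s\n' "$SAMPLE_BEFORE" | chain_rules "$CHAIN" ;;
esac
```

Run with --run on a host where the chain should already be gone; the script is a no-op when iptables agrees, restarts firewalld only when the reload demonstrably did not take effect, and exits non-zero if even the restart leaves the chain in place.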