I enabled the public zone and the dns service (udp/tcp port 53). Firewalld service is running and nftables service is not. The connection tracking table gets full on busy servers, and drops packets. In prior Linux (RHEL7) I set iptables rules via firewalld direct configuration file. The same rules are not working now. I set dns to listen on a 2nd port (5353), and tried 2 nft commands:
# nft insert rule inet firewalld mangle_PREROUTING udp dport 5353 notrack meta mark set 53
# nft insert rule inet firewalld filter_IN_public_allow mark 5353 accept
All the rules are automatically created by default firewalld config, based on the specified zone and services, except the 2 rules added with nft, above.
The mark is passed through the chains, as the port is allowed based on the packet mark, but the conntrack output shows "mark=0", even though I don't think the packets should even be in the conntrack table.
This does allow the dns client to get a response, but the dns connections are still tracked (included in /proc/net/nfconntrack).
Spent hours searching online with many hits, but none of them work. It's like the connections are always added to the conntrack table, no matter what. Hopefully someone has used a similar config, or can provide how to set specific packets to successfully notrack in a similar environment (detailed below).
# uname -a
Linux qip1250re-2 5.14.0-284.30.1.el9_2.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Sep 16 09:55:41 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
# cat /etc/rocky-release
Rocky Linux release 9.2 (Blue Onyx)
# rpm -qa|grep firewalld
firewalld-filesystem-1.2.1-1.el9.noarch
firewalld-1.2.1-1.el9.noarch
# rpm -qa|grep nftables
nftables-1.0.4-10.el9_1.x86_64
python3-nftables-1.0.4-10.el9_1.x86_64
# cat /proc/net/nf_conntrack
ipv4 2 udp 17 28 src=192.168.1.2 dst=192.168.1.1 sport=43160 dport=5353 src=192.168.1.1 dst=135.114.104.251 sport=5353 dport=43160 mark=0 zone=0 use=2
# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="DNS"/>
<forward/>
</zone>
# cat /etc/firewalld/services/dns.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>DNS</short>
<description>The Domain Name System (DNS) is used to provide and request host and domain names. Enable this option, if you plan to provide a domain name service (e.g. with bind).</description>
<port protocol="tcp" port="53"/>
<port protocol="udp" port="53"/>
</service>
# nft list ruleset
table inet firewalld {
chain mangle_PREROUTING {
type filter hook prerouting priority mangle + 10; policy accept;
udp dport 5353 notrack meta mark set 0x00000035
jump mangle_PREROUTING_ZONES
}
chain mangle_PREROUTING_POLICIES_pre {
jump mangle_PRE_policy_allow-host-ipv6
}
chain mangle_PREROUTING_ZONES {
iifname "eth0" goto mangle_PRE_public
goto mangle_PRE_public
}
chain mangle_PREROUTING_POLICIES_post {
}
chain nat_PREROUTING {
type nat hook prerouting priority dstnat + 10; policy accept;
jump nat_PREROUTING_ZONES
}
chain nat_PREROUTING_POLICIES_pre {
jump nat_PRE_policy_allow-host-ipv6
}
chain nat_PREROUTING_ZONES {
iifname "eth0" goto nat_PRE_public
goto nat_PRE_public
}
chain nat_PREROUTING_POLICIES_post {
}
chain nat_POSTROUTING {
type nat hook postrouting priority srcnat + 10; policy accept;
jump nat_POSTROUTING_ZONES
}
chain nat_POSTROUTING_POLICIES_pre {
}
chain nat_POSTROUTING_ZONES {
oifname "eth0" goto nat_POST_public
goto nat_POST_public
}
chain nat_POSTROUTING_POLICIES_post {
}
chain nat_OUTPUT {
type nat hook output priority -90; policy accept;
jump nat_OUTPUT_POLICIES_pre
jump nat_OUTPUT_POLICIES_post
}
chain nat_OUTPUT_POLICIES_pre {
}
chain nat_OUTPUT_POLICIES_post {
}
chain filter_PREROUTING {
type filter hook prerouting priority filter + 10; policy accept;
icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
meta nfproto ipv6 fib saddr . mark . iif oif missing log prefix "rpfilter_DROP: " drop
}
chain filter_INPUT {
type filter hook input priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
ct state invalid log prefix "STATE_INVALID_DROP: "
ct state invalid drop
iifname "lo" accept
jump filter_INPUT_ZONES
log prefix "FINAL_REJECT: "
reject with icmpx admin-prohibited
}
chain filter_FORWARD {
type filter hook forward priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
ct state invalid log prefix "STATE_INVALID_DROP: "
ct state invalid drop
iifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } log prefix "RFC3964_IPv4_REJECT: " reject with icmpv6 addr-unreachable
jump filter_FORWARD_ZONES
log prefix "FINAL_REJECT: "
reject with icmpx admin-prohibited
}
chain filter_OUTPUT {
type filter hook output priority filter + 10; policy accept;
ct state { established, related } accept
oifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } log prefix "RFC3964_IPv4_REJECT: " reject with icmpv6 addr-unreachable
jump filter_OUTPUT_POLICIES_pre
jump filter_OUTPUT_POLICIES_post
}
chain filter_INPUT_POLICIES_pre {
jump filter_IN_policy_allow-host-ipv6
}
chain filter_INPUT_ZONES {
iifname "eth0" goto filter_IN_public
goto filter_IN_public
}
chain filter_INPUT_POLICIES_post {
}
chain filter_FORWARD_POLICIES_pre {
}
chain filter_FORWARD_ZONES {
iifname "eth0" goto filter_FWD_public
goto filter_FWD_public
}
chain filter_FORWARD_POLICIES_post {
}
chain filter_OUTPUT_POLICIES_pre {
}
chain filter_OUTPUT_POLICIES_post {
}
chain filter_IN_public {
jump filter_INPUT_POLICIES_pre
jump filter_IN_public_pre
jump filter_IN_public_log
jump filter_IN_public_deny
jump filter_IN_public_allow
jump filter_IN_public_post
jump filter_INPUT_POLICIES_post
meta l4proto { icmp, ipv6-icmp } accept
log prefix "filter_IN_public_REJECT: "
reject with icmpx admin-prohibited
}
chain filter_IN_public_pre {
}
chain filter_IN_public_log {
}
chain filter_IN_public_deny {
}
chain filter_IN_public_allow {
meta mark 0x00000035 accept
tcp dport 22 ct state { new, untracked } accept
udp dport 53 ct state { new, untracked } accept
tcp dport 53 ct state { new, untracked } accept
}
chain filter_IN_public_post {
}
chain nat_POST_public {
jump nat_POSTROUTING_POLICIES_pre
jump nat_POST_public_pre
jump nat_POST_public_log
jump nat_POST_public_deny
jump nat_POST_public_allow
jump nat_POST_public_post
jump nat_POSTROUTING_POLICIES_post
}
chain nat_POST_public_pre {
}
chain nat_POST_public_log {
}
chain nat_POST_public_deny {
}
chain nat_POST_public_allow {
}
chain nat_POST_public_post {
}
chain filter_FWD_public {
jump filter_FORWARD_POLICIES_pre
jump filter_FWD_public_pre
jump filter_FWD_public_log
jump filter_FWD_public_deny
jump filter_FWD_public_allow
jump filter_FWD_public_post
jump filter_FORWARD_POLICIES_post
log prefix "filter_FWD_public_REJECT: "
reject with icmpx admin-prohibited
}
chain filter_FWD_public_pre {
}
chain filter_FWD_public_log {
}
chain filter_FWD_public_deny {
}
chain filter_FWD_public_allow {
oifname "eth0" accept
}
chain filter_FWD_public_post {
}
chain nat_PRE_public {
jump nat_PREROUTING_POLICIES_pre
jump nat_PRE_public_pre
jump nat_PRE_public_log
jump nat_PRE_public_deny
jump nat_PRE_public_allow
jump nat_PRE_public_post
jump nat_PREROUTING_POLICIES_post
}
chain nat_PRE_public_pre {
}
chain nat_PRE_public_log {
}
chain nat_PRE_public_deny {
}
chain nat_PRE_public_allow {
}
chain nat_PRE_public_post {
}
chain mangle_PRE_public {
jump mangle_PREROUTING_POLICIES_pre
jump mangle_PRE_public_pre
jump mangle_PRE_public_log
jump mangle_PRE_public_deny
jump mangle_PRE_public_allow
jump mangle_PRE_public_post
jump mangle_PREROUTING_POLICIES_post
}
chain mangle_PRE_public_pre {
}
chain mangle_PRE_public_log {
}
chain mangle_PRE_public_deny {
}
chain mangle_PRE_public_allow {
}
chain mangle_PRE_public_post {
}
chain filter_IN_policy_allow-host-ipv6 {
jump filter_IN_policy_allow-host-ipv6_pre
jump filter_IN_policy_allow-host-ipv6_log
jump filter_IN_policy_allow-host-ipv6_deny
jump filter_IN_policy_allow-host-ipv6_allow
jump filter_IN_policy_allow-host-ipv6_post
}
chain filter_IN_policy_allow-host-ipv6_pre {
}
chain filter_IN_policy_allow-host-ipv6_log {
}
chain filter_IN_policy_allow-host-ipv6_deny {
}
chain filter_IN_policy_allow-host-ipv6_allow {
icmpv6 type nd-neighbor-advert accept
icmpv6 type nd-neighbor-solicit accept
icmpv6 type nd-router-advert accept
icmpv6 type nd-redirect accept
}
chain filter_IN_policy_allow-host-ipv6_post {
}
chain nat_PRE_policy_allow-host-ipv6 {
jump nat_PRE_policy_allow-host-ipv6_pre
jump nat_PRE_policy_allow-host-ipv6_log
jump nat_PRE_policy_allow-host-ipv6_deny
jump nat_PRE_policy_allow-host-ipv6_allow
jump nat_PRE_policy_allow-host-ipv6_post
}
chain nat_PRE_policy_allow-host-ipv6_pre {
}
chain nat_PRE_policy_allow-host-ipv6_log {
}
chain nat_PRE_policy_allow-host-ipv6_deny {
}
chain nat_PRE_policy_allow-host-ipv6_allow {
}
chain nat_PRE_policy_allow-host-ipv6_post {
}
chain mangle_PRE_policy_allow-host-ipv6 {
jump mangle_PRE_policy_allow-host-ipv6_pre
jump mangle_PRE_policy_allow-host-ipv6_log
jump mangle_PRE_policy_allow-host-ipv6_deny
jump mangle_PRE_policy_allow-host-ipv6_allow
jump mangle_PRE_policy_allow-host-ipv6_post
}
chain mangle_PRE_policy_allow-host-ipv6_pre {
}
chain mangle_PRE_policy_allow-host-ipv6_log {
}
chain mangle_PRE_policy_allow-host-ipv6_deny {
}
chain mangle_PRE_policy_allow-host-ipv6_allow {
}
chain mangle_PRE_policy_allow-host-ipv6_post {
}
}
#
TIA,
Blaine
