Andy Kurth created VCL-1102:
-------------------------------
Summary: rules and chains are not being removed with older
versions of firewalld
Key: VCL-1102
URL: https://issues.apache.org/jira/browse/VCL-1102
Project: VCL
Issue Type: Bug
Components: vcld (backend)
Affects Versions: 2.5
Reporter: Andy Kurth
I had a CentOS 7.0 reservation and noticed someone pecking from a Chinese IP:
{panel}
{{Jun 26 13:32:39 centos7 sshd[5413]: Failed password for invalid user root
from *[CHINESE IP]* port 44276 ssh2}}
{panel}
This shouldn't be possible if the firewall is configured correctly. VCL
limits access to the reservation user's IP address once they connect.
The problem was that the *_vcl-reserved_* chain was still present after I
logged in and the request state was _inuse_. This chain should have been
deleted. This is a security problem because the vcl-reserved chain is what is
used to temporarily open access from any remote IP address.
Once a user connection is detected, the code adds another _*vcl-post_load*_
with IP restricted rules and deletes the _*vcl-reserved*_ chain. Based on the
vcld.log output, the VCL code appears to have done this:
{panel}
{{firewalld.pm:remove_direct_chain_rules|369|{color:#14892c}*removed direct
rule*{color} from 'vcl-reserved' chain in}}
{{'filter' table on vclv99-68: '0 --jump ACCEPT --protocol tcp --match comment
--comment 'VCL: allow traffic from any IP address to connect meth}}
{{od ports during reserved stage of reservation 3527645 (2018-06-26 15:03:35)'
--match tcp --dport 22'}}{panel}
{panel}
{{{color:#333333}firewalld.pm:delete_chain|440|{color:#14892c}*deleted
'vcl-reserved' chain*{color}{color} in 'filter' table on <VM>}}
{panel}
The previous commands use the *_--permanent_* argument, so afterwards the code
runs *firewall-cmd --reload* to enact the saved, permanent configuration:
{panel}
{{firewalld.pm:save_configuration|261|reloaded firewalld configuration on
vclv99-101}}
{panel}
As an added check, the code makes sure no lines got left in direct.xml:
{panel}
{{no lines were pruned from /etc/firewalld/direct.xml matching pattern:
'filter.*jump\s+vcl-reserved'}}{panel}
So, it looks like the code is doing things correctly. I then tried to manually
run the commands as root:
*iptables -nL*
{panel}
{{Chain vcl-reserved (1 references)}}
{{ target prot opt source destination}}
{{ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 /* VCL: allow traffic from any IP address
to connect method ports during reserved stage of reservation 3527645
(2018-06-26 15:03:35) */ tcp dpt:22}}{panel}
*firewall-cmd --permanent --direct --remove-rule ipv4 filter vcl-reserved 0
--jump ACCEPT --protocol tcp --match comment --comment 'VCL: allow traffic from
any IP address to connect method ports during reserved stage of reservation
3527645 (2018-06-26 15:03:35)' --match tcp --dport 22*
{panel}
{color:#14892c}*{{success}}*{color}{panel}
*firewall-cmd --reload*
{panel}
firewall-cmd --complete-reload
success{panel}
Still there:
*iptables -nL*
{panel}
{{Chain vcl-reserved (1 references)}}
{{target prot opt source destination}}
{{ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 /* VCL: allow traffic from any IP address to
connect method ports during reserved stage of reservation 3527645 (2018-06-26
15:03:35) */ tcp dpt:22}}{panel}
Try --complete-reload:
*firewall-cmd --complete-reload*
{panel}
{color:#14892c}{{success}}{color}{panel}
Still there:
*iptables -nL*
{panel}
{{Chain vcl-reserved (1 references)}}
{{target prot opt source destination}}
{{ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 /* VCL: allow traffic from any IP address to
connect method ports during reserved stage of reservation 3527645 (2018-06-26
15:03:35) */ tcp dpt:22}}{panel}
Restart service:
*systemctl restart firewalld*
*iptables -nL*
vcl-reserved rule is gone.
This was an old 7.0 version of CentOS. I tried a revision of the same image
that had been updated to CentOS 7.3 and it behaved differently, not exhibiting
this problem. The vcl-reserved chain had been removed during the vcld steps.
So, it seems as though *firewall-cmd --reload* isn't sufficient for some older
versions of firewalld. The code needs to be extended with additional checks.
If the chain still exists after attempts to delete it seemed to be successful,
the firewalld service should be restarted.
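The verification step proposed above, written out as an added shell example (this is not VCL project code and not part of the issue). It assumes the chain is an ipv4 direct chain in the filter table, detects a leftover chain by parsing iptables -nL output, checks /etc/firewalld/direct.xml for stale references the same way the issue describes, and falls back to systemctl restart firewalld only when the chain survives firewall-cmd --reload. The RUN variable is a hypothetical hook so the logic can be exercised without root (RUN=echo); the sample listings are constructed for the example.

```shell
#!/bin/sh
# Added example: confirm a firewalld direct chain is really gone after a
# permanent removal plus reload, and restart firewalld if it is not.

# Return 0 when the named chain appears in `iptables -nL` output read on stdin.
# Production use: iptables -nL | chain_present vcl-reserved
chain_present() {
    chain="$1"
    grep -q "^Chain ${chain} ("
}

# Return 0 when direct.xml text on stdin still declares the chain or jumps to it
# (same idea as the issue's pattern 'filter.*jump\s+vcl-reserved').
direct_xml_references() {
    chain="$1"
    grep -qE "chain=\"${chain}\"|jump[[:space:]]+${chain}([[:space:]]|<|$)"
}

# Constructed sample listings (modelled on the output quoted in the issue).
SAMPLE_WITH_CHAIN='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain vcl-reserved (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            /* VCL: constructed */ tcp dpt:22'

SAMPLE_WITHOUT_CHAIN='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain vcl-post_load (1 references)
target     prot opt source               destination'

# Constructed direct.xml fragments (layout assumed from firewalld direct.xml).
SAMPLE_XML_STALE='<?xml version="1.0" encoding="utf-8"?>
<direct>
  <chain ipv="ipv4" table="filter" chain="vcl-reserved"/>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="0">--jump vcl-reserved</rule>
</direct>'

SAMPLE_XML_CLEAN='<?xml version="1.0" encoding="utf-8"?>
<direct>
  <chain ipv="ipv4" table="filter" chain="vcl-post_load"/>
</direct>'

# Permanently remove the chain, reload, verify, and restart only if needed.
# Every privileged command is prefixed with $RUN (hypothetical hook; empty in
# production, "echo" for a dry run).
ensure_chain_removed() {
    chain="$1"
    ${RUN:-} firewall-cmd --permanent --direct --remove-chain ipv4 filter "$chain" || return 1
    ${RUN:-} firewall-cmd --reload || return 1

    if ${RUN:-} iptables -nL | chain_present "$chain"; then
        echo "chain '$chain' survived --reload; restarting firewalld" >&2
        ${RUN:-} systemctl restart firewalld || return 1
        if ${RUN:-} iptables -nL | chain_present "$chain"; then
            echo "chain '$chain' still present after restart" >&2
            return 1
        fi
    fi

    # Stale entries in the permanent config would bring the chain back next reload.
    if [ -r /etc/firewalld/direct.xml ] && direct_xml_references "$chain" </etc/firewalld/direct.xml; then
        echo "direct.xml still references '$chain'" >&2
        return 1
    fi
    return 0
}

# Usage (as root): ensure_chain_removed vcl-reserved
```

The restart is deliberately the last resort: a reload keeps established connections and runtime-only rules, while a full service restart flushes everything, so the script only escalates when the listing proves the reload left the chain behind.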
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)