FDS appears to have caused a firewall issue; had to restore from backup due to time constraints.
erouting opened this issue · 7 comments
First off, I really like the program. I'm bad at firewall management and this makes it very easy in concept.
That said, I ran into an issue this AM when I tried to block a subnet on a production server running CentOS 8. I installed FDS yesterday, so I'm assuming I was using the current version. What I think happened (can't review logs because I had to restore the server from backup) is I forgot to add a subnet mask to a subnet. I then got a bunch of JSON-looking stuff puked to screen. I then added the correct subnet mask and re-ran the command, same JSON stuff; reran the command again and it indicated it worked. Went through the list of subnets I needed to block and got the same JSON junk the first time and the normal output the second time. Then noticed the server wasn't accepting any incoming connections anymore.

Checked the status of firewalld and it had a bunch of red warnings with the JSON-looking content FDS had apparently tried to add as firewall rules. Since I don't know where those rules actually are to remove them manually, I tried uninstalling firewalld. Still had no incoming connections and couldn't hit any of my services. Firewall seems to have been blocking everything and I couldn't figure out where those rules were to fix them. Was running out of time on my maintenance window, so restored from backup to a point before I had installed FDS, which fixed the connection issue.

This was on a Linode VPS I was SSHed into from across the country, so I know there wasn't any hardware problem that might have overlapped with the weird stuff FDS did to the firewall rules, as I never lost my SSH session. I also tried to unblock everything in FDS by going through my CLI log; that didn't work either. Sorry I don't have logs to send you, but I didn't do anything very odd, so I imagine this will come up again if you can't replicate.
Really like the program in concept, hope to be able to use it in future. Wanted to let you know about the issue I ran into and to say thanks for your efforts to make firewall management easier.
fds only uses the built-in FirewallD drop zone for blocking, plus the native kernel/FirewallD IP set feature, storing blocked entries in its own networkblock4 and networkblock6 sets. No JSON stuff involved... other than for storing the list of known countries.
Could be the initial malformed input somehow causing issues. Any pointer/example of input provided to fds block?
I have some time, let me spin up a test VPS and see if I can recreate the issue on a non-production server so I can grab logs and output. The input wasn't anything special, though it was malformed (forgot a subnet mask), something like "fds block 212.192.241.0". The server also has fail2ban and a couple other things installed on it, none of which should conflict, but I'll add those in too if I can't replicate it with a clean build.
I don't know that the output was JSON, it just looked similar. A bunch of words inside curly braces flooded the screen every other command; wish I'd taken a screenshot, but my priority was getting the system back up.
Got it: it's because I added a /24, not because I omitted it. Here's the full text off a new CentOS 8 server, from first login. New inbound and outbound connections no longer work either, so that does replicate the issue.
login as: root
root@23.239.2.221's password:
[root@li683-221 ~]# yum -y install https://extras.getpagespeed.com/release-latest.rpm
CentOS Linux 8 - AppStream 75 MB/s | 8.3 MB 00:00
CentOS Linux 8 - BaseOS 44 MB/s | 4.5 MB 00:00
CentOS Linux 8 - Extras 144 kB/s | 9.8 kB 00:00
Last metadata expiration check: 0:00:01 ago on Mon 02 Aug 2021 06:21:40 PM UTC.
release-latest.rpm 176 kB/s | 16 kB 00:00
Dependencies resolved.
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
getpagespeed-extras-release noarch 1:11-23.dnf @commandline 16 k
Installing weak dependencies:
epel-release noarch 8-11.el8 extras 24 k
Transaction Summary
================================================================================
Install 2 Packages
Total size: 40 k
Total download size: 24 k
Installed size: 41 k
Downloading Packages:
epel-release-8-11.el8.noarch.rpm 857 kB/s | 24 kB 00:00
--------------------------------------------------------------------------------
Total 791 kB/s | 24 kB 00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : epel-release-8-11.el8.noarch 1/2
Installing : getpagespeed-extras-release-1:11-23.dnf.noarch 2/2
Running scriptlet: getpagespeed-extras-release-1:11-23.dnf.noarch 2/2
----------------------------------------------------------------------
The GetPageSpeed repository has been installed.
To enable package installs, subscribe using the following link:
https://www.getpagespeed.com/repo-subscribe?server_ip=23.239.2.221
----------------------------------------------------------------------
Verifying : epel-release-8-11.el8.noarch 1/2
Verifying : getpagespeed-extras-release-1:11-23.dnf.noarch 2/2
Installed:
epel-release-8-11.el8.noarch getpagespeed-extras-release-1:11-23.dnf.noarch
Complete!
[root@li683-221 ~]# yum -y install fds
Extra Packages for Enterprise Linux Modular 8 - 820 kB/s | 927 kB 00:01
Extra Packages for Enterprise Linux 8 - x86_64 5.4 MB/s | 10 MB 00:01
GetPageSpeed packages for Enterprise Linux 8 - 14 MB/s | 1.7 MB 00:00
GetPageSpeed packages for Enterprise Linux 8 - 3.2 MB/s | 335 kB 00:00
Dependencies resolved.
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
fds noarch 0.0.22-1.el8 getpagespeed-extras-noarch 14 k
Installing dependencies:
conntrack-tools x86_64 1.4.4-10.el8 baseos 204 k
libnetfilter_cthelper x86_64 1.0.0-15.el8 baseos 24 k
libnetfilter_cttimeout x86_64 1.0.0-11.el8 baseos 24 k
libnetfilter_queue x86_64 1.0.4-3.el8 baseos 31 k
python3-CacheControl noarch 0.12.6-2.el8 getpagespeed-extras-noarch 41 k
python3-cloudflare noarch 2.7.1-1.el8 epel 64 k
python3-fds noarch 0.0.22-1.el8 getpagespeed-extras-noarch 151 k
python3-future noarch 0.18.2-2.el8 epel 790 k
python3-lockfile noarch 1:0.11.0-13.el8.1 epel 38 k
python3-msgpack x86_64 0.6.2-1.el8 epel 92 k
python3-netaddr noarch 0.7.19-8.el8 appstream 1.5 M
python3-pip noarch 9.0.3-19.el8 appstream 20 k
python3-psutil x86_64 5.4.3-10.el8 appstream 373 k
python3-setuptools noarch 39.2.0-6.el8 baseos 163 k
python3-tqdm noarch 4.50.2-1.el8 epel 126 k
python36 x86_64 3.6.8-2.module_el8.4.0+790+083e3d81 appstream 19 k
Enabling module streams:
python36 3.6
Transaction Summary
================================================================================
Install 17 Packages
Total download size: 3.7 M
Installed size: 17 M
Downloading Packages:
(1/17): python3-pip-9.0.3-19.el8.noarch.rpm 636 kB/s | 20 kB 00:00
(2/17): python36-3.6.8-2.module_el8.4.0+790+083 5.4 MB/s | 19 kB 00:00
(3/17): python3-psutil-5.4.3-10.el8.x86_64.rpm 8.6 MB/s | 373 kB 00:00
(4/17): libnetfilter_cthelper-1.0.0-15.el8.x86_ 9.0 MB/s | 24 kB 00:00
(5/17): conntrack-tools-1.4.4-10.el8.x86_64.rpm 16 MB/s | 204 kB 00:00
(6/17): libnetfilter_cttimeout-1.0.0-11.el8.x86 5.9 MB/s | 24 kB 00:00
(7/17): libnetfilter_queue-1.0.4-3.el8.x86_64.r 5.9 MB/s | 31 kB 00:00
(8/17): python3-setuptools-39.2.0-6.el8.noarch. 28 MB/s | 163 kB 00:00
(9/17): python3-netaddr-0.7.19-8.el8.noarch.rpm 23 MB/s | 1.5 MB 00:00
(10/17): python3-lockfile-0.11.0-13.el8.1.noarc 373 kB/s | 38 kB 00:00
(11/17): python3-cloudflare-2.7.1-1.el8.noarch. 528 kB/s | 64 kB 00:00
(12/17): python3-msgpack-0.6.2-1.el8.x86_64.rpm 4.0 MB/s | 92 kB 00:00
(13/17): fds-0.0.22-1.el8.noarch.rpm 858 kB/s | 14 kB 00:00
(14/17): python3-CacheControl-0.12.6-2.el8.noar 16 MB/s | 41 kB 00:00
(15/17): python3-future-0.18.2-2.el8.noarch.rpm 4.9 MB/s | 790 kB 00:00
(16/17): python3-fds-0.0.22-1.el8.noarch.rpm 36 MB/s | 151 kB 00:00
(17/17): python3-tqdm-4.50.2-1.el8.noarch.rpm 3.0 MB/s | 126 kB 00:00
--------------------------------------------------------------------------------
Total 10 MB/s | 3.7 MB 00:00
warning: /var/cache/dnf/epel-6519ee669354a484/packages/python3-cloudflare-2.7.1-1.el8.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 2f86d6a1: NOKEY
Extra Packages for Enterprise Linux 8 - x86_64 1.6 MB/s | 1.6 kB 00:00
Importing GPG key 0x2F86D6A1:
Userid : "Fedora EPEL (8) <epel@fedoraproject.org>"
Fingerprint: 94E2 79EB 8D8F 25B2 1810 ADF1 21EA 45AB 2F86 D6A1
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
Key imported successfully
warning: /var/cache/dnf/getpagespeed-extras-noarch-ee436b83b44be4f1/packages/fds-0.0.22-1.el8.noarch.rpm: Header V4 RSA/SHA1 Signature, key ID 222b0e83: NOKEY
GetPageSpeed packages for Enterprise Linux 8 - 1.7 MB/s | 1.7 kB 00:00
Importing GPG key 0x222B0E83:
Userid : "GetPageSpeed Builder <info@getpagespeed.com>"
Fingerprint: D1A3 7295 C6B0 5ED8 43DB D501 0CD6 0276 222B 0E83
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-GETPAGESPEED
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : python3-setuptools-39.2.0-6.el8.noarch 1/17
Installing : python36-3.6.8-2.module_el8.4.0+790+083e3d81.x86_6 2/17
Running scriptlet: python36-3.6.8-2.module_el8.4.0+790+083e3d81.x86_6 2/17
Installing : python3-pip-9.0.3-19.el8.noarch 3/17
Installing : python3-future-0.18.2-2.el8.noarch 4/17
Installing : python3-cloudflare-2.7.1-1.el8.noarch 5/17
Installing : python3-tqdm-4.50.2-1.el8.noarch 6/17
Installing : python3-msgpack-0.6.2-1.el8.x86_64 7/17
Installing : python3-lockfile-1:0.11.0-13.el8.1.noarch 8/17
Installing : python3-CacheControl-0.12.6-2.el8.noarch 9/17
Installing : libnetfilter_queue-1.0.4-3.el8.x86_64 10/17
Running scriptlet: libnetfilter_queue-1.0.4-3.el8.x86_64 10/17
Installing : libnetfilter_cttimeout-1.0.0-11.el8.x86_64 11/17
Running scriptlet: libnetfilter_cttimeout-1.0.0-11.el8.x86_64 11/17
Installing : libnetfilter_cthelper-1.0.0-15.el8.x86_64 12/17
Running scriptlet: libnetfilter_cthelper-1.0.0-15.el8.x86_64 12/17
Installing : conntrack-tools-1.4.4-10.el8.x86_64 13/17
Running scriptlet: conntrack-tools-1.4.4-10.el8.x86_64 13/17
Installing : python3-psutil-5.4.3-10.el8.x86_64 14/17
Installing : python3-netaddr-0.7.19-8.el8.noarch 15/17
Installing : python3-fds-0.0.22-1.el8.noarch 16/17
Installing : fds-0.0.22-1.el8.noarch 17/17
Running scriptlet: fds-0.0.22-1.el8.noarch 17/17
Verifying : python3-netaddr-0.7.19-8.el8.noarch 1/17
Verifying : python3-pip-9.0.3-19.el8.noarch 2/17
Verifying : python3-psutil-5.4.3-10.el8.x86_64 3/17
Verifying : python36-3.6.8-2.module_el8.4.0+790+083e3d81.x86_6 4/17
Verifying : conntrack-tools-1.4.4-10.el8.x86_64 5/17
Verifying : libnetfilter_cthelper-1.0.0-15.el8.x86_64 6/17
Verifying : libnetfilter_cttimeout-1.0.0-11.el8.x86_64 7/17
Verifying : libnetfilter_queue-1.0.4-3.el8.x86_64 8/17
Verifying : python3-setuptools-39.2.0-6.el8.noarch 9/17
Verifying : python3-cloudflare-2.7.1-1.el8.noarch 10/17
Verifying : python3-future-0.18.2-2.el8.noarch 11/17
Verifying : python3-lockfile-1:0.11.0-13.el8.1.noarch 12/17
Verifying : python3-msgpack-0.6.2-1.el8.x86_64 13/17
Verifying : python3-tqdm-4.50.2-1.el8.noarch 14/17
Verifying : fds-0.0.22-1.el8.noarch 15/17
Verifying : python3-CacheControl-0.12.6-2.el8.noarch 16/17
Verifying : python3-fds-0.0.22-1.el8.noarch 17/17
Installed:
conntrack-tools-1.4.4-10.el8.x86_64
fds-0.0.22-1.el8.noarch
libnetfilter_cthelper-1.0.0-15.el8.x86_64
libnetfilter_cttimeout-1.0.0-11.el8.x86_64
libnetfilter_queue-1.0.4-3.el8.x86_64
python3-CacheControl-0.12.6-2.el8.noarch
python3-cloudflare-2.7.1-1.el8.noarch
python3-fds-0.0.22-1.el8.noarch
python3-future-0.18.2-2.el8.noarch
python3-lockfile-1:0.11.0-13.el8.1.noarch
python3-msgpack-0.6.2-1.el8.x86_64
python3-netaddr-0.7.19-8.el8.noarch
python3-pip-9.0.3-19.el8.noarch
python3-psutil-5.4.3-10.el8.x86_64
python3-setuptools-39.2.0-6.el8.noarch
python3-tqdm-4.50.2-1.el8.noarch
python36-3.6.8-2.module_el8.4.0+790+083e3d81.x86_64
Complete!
[root@li683-221 ~]# fds block 95.211.0.0
Adding IP address 95.211.0.0/32 to block set networkblock4
Reloading FirewallD to apply permanent configuration
Breaking connection with 95.211.0.0/32
Skipped block in Cloudflare as it was not set up. Run fds config?
[root@li683-221 ~]# fds block 95.211.16.0
Adding IP address 95.211.16.0/32 to block set networkblock4
Reloading FirewallD to apply permanent configuration
Breaking connection with 95.211.16.0/32
Skipped block in Cloudflare as it was not set up. Run fds config?
[root@li683-221 ~]# fds block 95.211.16.0
Adding IP address 95.211.16.0/32 to block set networkblock4
Skipped block in Cloudflare as it was not set up. Run fds config?
[root@li683-221 ~]# fds block 95.211.16.0
Adding IP address 95.211.16.0/32 to block set networkblock4
Skipped block in Cloudflare as it was not set up. Run fds config?
[root@li683-221 ~]#
[root@li683-221 ~]# fds block 95.211.16.0/24
Adding IP address 95.211.16.0/24 to block set networkblock4
Reloading FirewallD to apply permanent configuration
Traceback (most recent call last):
File "/usr/bin/fds", line 11, in <module>
load_entry_point('fds==0.0.22', 'console_scripts', 'fds')()
File "/usr/lib/python3.6/site-packages/fds/fds.py", line 197, in main
return action_block(args.value, args.ipset_name, reload=args.reload)
File "/usr/lib/python3.6/site-packages/fds/fds.py", line 55, in action_block
fw.block_ip(ip_or_country_name, ipset_name=ipset_name, reload=reload)
File "/usr/lib/python3.6/site-packages/fds/FirewallWrapper.py", line 24, in func_wrapper
raise e
File "/usr/lib/python3.6/site-packages/fds/FirewallWrapper.py", line 16, in func_wrapper
return func(*args, **kwargs)
File "/usr/lib/python3.6/site-packages/fds/FirewallWrapper.py", line 178, in block_ip
self.fw.reload()
File "<decorator-gen-726>", line 2, in reload
File "/usr/lib/python3.6/site-packages/slip/dbus/polkit.py", line 121, in _enable_proxy
return func(*p, **k)
File "<decorator-gen-725>", line 2, in reload
File "/usr/lib/python3.6/site-packages/firewall/client.py", line 53, in handle_exceptions
return func(*args, **kwargs)
File "/usr/lib/python3.6/site-packages/firewall/client.py", line 2856, in reload
self.fw.reload()
File "/usr/lib64/python3.6/site-packages/dbus/proxies.py", line 70, in __call__
return self._proxy_method(*args, **keywords)
File "/usr/lib/python3.6/site-packages/slip/dbus/proxies.py", line 51, in __call__
return dbus.proxies._ProxyMethod.__call__(self, *args, **kwargs)
File "/usr/lib64/python3.6/site-packages/dbus/proxies.py", line 145, in __call__
**keywords)
File "/usr/lib64/python3.6/site-packages/dbus/connection.py", line 651, in call_blocking
message, timeout)
dbus.exceptions.DBusException: org.fedoraproject.FirewallD1.Exception: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: No such file or directory
internal:0:0-0: Error: No such file or directory
internal:0:0-0: Error: No such file or directory
internal:0:0-0: Error: No such file or directory
internal:0:0-0: Error: No such file or directory
internal:0:0-0: Error: No such file or directory
internal:0:0-0: Error: No such file or directory
internal:0:0-0: Error: No such file or directory
internal:0:0-0: Error: No such file or directory
JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_public"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_public_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_public_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_public_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_public_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_public_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "expr": [{"jump": {"target": "filter_IN_public_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "expr": [{"jump": {"target": "filter_IN_public_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "expr": [{"jump": {"target": "filter_IN_public_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "expr": [{"jump": {"target": "filter_IN_public_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "expr": [{"jump": {"target": "filter_IN_public_post"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_public"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_public_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_public_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_public_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_public_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_public_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": 
"filter_FWDI_public", "expr": [{"jump": {"target": "filter_FWDI_public_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_public", "expr": [{"jump": {"target": "filter_FWDI_public_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_public", "expr": [{"jump": {"target": "filter_FWDI_public_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_public", "expr": [{"jump": {"target": "filter_FWDI_public_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_public", "expr": [{"jump": {"target": "filter_FWDI_public_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "index": 4, "expr": [{"match": {"left": {"meta": {"key": "l4proto"}}, "op": "==", "right": {"set": ["icmp", "icmpv6"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_public", "index": 4, "expr": [{"match": {"left": {"meta": {"key": "l4proto"}}, "op": "==", "right": {"set": ["icmp", "icmpv6"]}}}, {"accept": null}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_public"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_public_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_public_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_public_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_public_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_public_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_public", "expr": [{"jump": {"target": "raw_PRE_public_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_public", "expr": [{"jump": {"target": "raw_PRE_public_log"}}]}}}, {"add": 
{"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_public", "expr": [{"jump": {"target": "raw_PRE_public_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_public", "expr": [{"jump": {"target": "raw_PRE_public_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_public", "expr": [{"jump": {"target": "raw_PRE_public_post"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "eth0"}}, {"goto": {"target": "raw_PRE_public"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_public"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_public_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_public_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_public_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_public_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_public_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_public", "expr": [{"jump": {"target": "mangle_PRE_public_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_public", "expr": [{"jump": {"target": "mangle_PRE_public_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_public", "expr": [{"jump": {"target": "mangle_PRE_public_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_public", "expr": [{"jump": {"target": "mangle_PRE_public_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_public", "expr": [{"jump": {"target": "mangle_PRE_public_post"}}]}}}, {"insert": {"rule": {"family": 
"inet", "table": "firewalld", "chain": "mangle_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "eth0"}}, {"goto": {"target": "mangle_PRE_public"}}]}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_public"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_public_pre"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_public_log"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_public_deny"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_public_allow"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_public_post"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_pre"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_log"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_deny"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_allow"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_post"}}]}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_public"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_public_pre"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_public_log"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_public_deny"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_public_allow"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_public_post"}}}, {"add": 
{"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_pre"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_log"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_deny"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_allow"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_post"}}]}}}, {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "eth0"}}, {"goto": {"target": "nat_PRE_public"}}]}}}, {"insert": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "eth0"}}, {"goto": {"target": "nat_PRE_public"}}]}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_public"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_public_pre"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_public_log"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_public_deny"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_public_allow"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_public_post"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_pre"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_log"}}]}}}, {"add": {"rule": 
{"family": "ip", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_deny"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_allow"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_post"}}]}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_public"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_public_pre"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_public_log"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_public_deny"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_public_allow"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_public_post"}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_pre"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_log"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_deny"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_allow"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_post"}}]}}}, {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "eth0"}}, {"goto": {"target": "nat_POST_public"}}]}}}, {"insert": {"rule": {"family": "ip6", "table": "firewalld", "chain": 
"nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "eth0"}}, {"goto": {"target": "nat_POST_public"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "eth0"}}, {"goto": {"target": "filter_IN_public"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_IN_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "eth0"}}, {"goto": {"target": "filter_FWDI_public"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_public", "expr": [{"jump": {"target": "filter_FWDO_public_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_public", "expr": [{"jump": {"target": "filter_FWDO_public_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_public", "expr": [{"jump": {"target": "filter_FWDO_public_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_public", "expr": [{"jump": {"target": "filter_FWDO_public_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_public", "expr": [{"jump": {"target": "filter_FWDO_public_post"}}]}}}, {"insert": {"rule": {"family": "inet", "table": 
"firewalld", "chain": "filter_FORWARD_OUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "eth0"}}, {"goto": {"target": "filter_FWDO_public"}}]}}}]}
[root@li683-221 ~]#
I'll leave the test server up for the next few days; let me know if you need anything else tested and, again, thank you for the work on this software, it's much easier to use than the default options. I can probably resume using it now that I think I understand what I shouldn't have done.
Thank you. Quickly found that the actual bug is with FirewallD.
It appears that it happens when you have blocked a few IPs/networks and then later block a network which "contains" one of the prior entries. So it's about FirewallD/nftables choking on overlapping networks.
Either we wait on FirewallD to fix it or work around it by using the mentioned library for aggregating networks.
Wow. I apologize for wrongly accusing your software. Can't believe a bug that bad has been in official releases for that long without being fixed. I mean, I can, but a bug that breaks all network connectivity seems like something they'd have fixed. Especially because some servers have more than one admin so, human error aside, it's entirely possible for different admins to create overlapping rules.
I'll try the network aggregation library, since I don't trust myself not to mess up again. Thank you for looking into this and sorry again for thinking it was FDS just because that was the interface to firewalld I was using. Great software you've made and I'll look at firewalld's bug log if I run into anything else using it in the future.
Released fds v0.0.30 which uses aggregation automatically, as long as either the python2-aggregate6 (CentOS 7) or python3-aggregate6 module package is installed. This allows us to essentially overcome the FirewallD bug. Documentation added here.
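Added example, not fds code and not from this thread: the aggregation workaround the maintainer describes (overlapping networks in one ipset make the FirewallD reload fail, so collapse them before FirewallD sees them), done with the standard library's ipaddress.collapse_addresses() in place of the aggregate6 module the v0.0.30 fix uses. Given the entries already in the block set and the network about to be added, it computes the minimal non-overlapping prefix list plus the firewall-cmd calls needed to reconcile the permanent set. The sample entries are constructed from the transcript above (95.211.0.0 and 95.211.16.0 as /32s, then 95.211.16.0/24); networkblock4 is the set name the maintainer gives; the firewall-cmd --ipset options are the standard ones; the function names are this example's own.

```python
"""Aggregate block-set entries before FirewallD sees them.

Added example, not part of fds or the thread above. It stands in for the
aggregate6 module with the standard library's ipaddress.collapse_addresses(),
and only returns the firewall-cmd commands it would run.
"""
import ipaddress
from typing import Dict, Iterable, List, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_entry(entry: str) -> IPNetwork:
    """Normalise one set entry: a bare address becomes /32 (or /128); host bits are masked."""
    return ipaddress.ip_network(entry, strict=False)


def collapse(entries: Iterable[str]) -> List[str]:
    """Minimal list of non-overlapping prefixes covering every entry.

    collapse_addresses() drops prefixes contained in others and merges
    adjacent ones into a common supernet. It only accepts one address family
    at a time, so IPv4 and IPv6 are collapsed separately (v4 first).
    """
    nets = [parse_entry(e) for e in entries]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in list(v4) + list(v6)]


def plan_block(existing: Iterable[str], new_entry: str) -> Dict[str, List[str]]:
    """Decide what to add to and remove from the set so that `new_entry` is
    blocked and no two members overlap (the condition that broke the reload)."""
    current = [str(parse_entry(e)) for e in existing]
    new = parse_entry(new_entry)
    # Existing entries that already contain the new one: nothing new to block.
    covered = [c for c in current
               if parse_entry(c).version == new.version and new.subnet_of(parse_entry(c))]
    aggregated = collapse(current + [str(new)])
    return {
        "covered": covered,
        "aggregated": aggregated,
        "remove": [c for c in current if c not in aggregated],  # now redundant or merged away
        "add": [a for a in aggregated if a not in current],     # new prefixes or merged supernets
    }


def firewall_cmds(plan: Dict[str, List[str]], ipset_name: str = "networkblock4") -> List[str]:
    """firewall-cmd calls that apply the plan to the permanent ipset, then reload once."""
    cmds = [f"firewall-cmd --permanent --ipset={ipset_name} --remove-entry={e}"
            for e in plan["remove"]]
    cmds += [f"firewall-cmd --permanent --ipset={ipset_name} --add-entry={e}"
             for e in plan["add"]]
    if cmds:
        cmds.append("firewall-cmd --reload")
    return cmds


if __name__ == "__main__":
    # Constructed from the transcript above: two /32s are already in the set,
    # then the /24 that contains one of them is blocked.
    in_set = ["95.211.0.0", "95.211.16.0"]
    plan = plan_block(in_set, "95.211.16.0/24")
    print(plan)
    for cmd in firewall_cmds(plan):
        print(cmd)
```

The plan is computed entirely off-box; feeding it the output of `firewall-cmd --permanent --ipset=networkblock4 --get-entries` and executing the returned commands is left to the operator, so a wrong guess costs nothing more than a dry run. Adjacent networks are merged as well as nested ones, which is more than the thread's failing case needs but is what aggregation normally means.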