
firewalld breaks networking on Fedora34 if port ranges overlap #269

Open
c1728p9 opened this issue Sep 24, 2021 · 1 comment
Labels: bug (This issue/PR relates to a bug), verified (This issue has been verified/reproduced by maintainer), waiting_on_contributor (Needs help. Feel free to engage to get things unblocked)


c1728p9 commented Sep 24, 2021

SUMMARY

Using ansible.posix.firewalld to open ports bypasses some of the checks that are done by firewall-cmd and can lead to configurations which break networking (rather than aborting early).

ISSUE TYPE
  • Bug Report
COMPONENT NAME

ansible.posix.firewalld

ANSIBLE VERSION
ansible 2.9.25
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/russ/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.9/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.9.2 (default, Feb 20 2021, 00:00:00) [GCC 11.0.0 20210210 (Red Hat 11.0.0-0)]
COLLECTION VERSION

v1.3.0

CONFIGURATION

None

OS / ENVIRONMENT

Fedora 34 (Workstation Edition)

STEPS TO REPRODUCE
ping google.com -c 1 # Verify network works
ansible-playbook test-playbook.yml --ask-become-pass
ping google.com -c 1 # Networking no longer works

test-playbook.yml

---
- name: Test Playbook
  hosts: localhost
  become: true
  tasks:
    - name: Permit traffic
      ansible.posix.firewalld:
        port: "1000-1010/tcp"
        permanent: true
        state: enabled
    - name: Permit overlapping traffic
      ansible.posix.firewalld:
        port: "1002-1003/tcp"
        permanent: true
        state: enabled
    - name: Reload FirewallD
      systemd:
        name: firewalld
        state: reloaded
EXPECTED RESULTS

Expected output is to abort before adding the overlapping ports. Network expected to be working.

$ ping google.com -c 1
PING google.com (142.251.32.174) 56(84) bytes of data.
64 bytes from dfw28s30-in-f14.1e100.net (142.251.32.174): icmp_seq=1 ttl=115 time=24.1 ms

--- google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 24.114/24.114/24.114/0.000 ms

$ ansible-playbook test-playbook.yml --ask-become-pass
BECOME password:
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [Test Playbook] **********************************************************************************************************************************************************************************************************************************************************

TASK [Gathering Facts] ********************************************************************************************************************************************************************************************************************************************************
ok: [localhost]

TASK [Permit traffic] *********************************************************************************************************************************************************************************************************************************************************
changed: [localhost]

TASK [Permit overlapping traffic] *********************************************************************************************************************************************************************************************************************************************
failed: [localhost]

PLAY RECAP ********************************************************************************************************************************************************************************************************************************************************************
localhost                  : ok=4    changed=1    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

$ ping google.com -c 1
64 bytes from dfw28s30-in-f14.1e100.net (142.251.32.174): icmp_seq=1 ttl=115 time=24.1 ms

--- google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 24.114/24.114/24.114/0.000 ms

Example trying to add conflicting ports with firewall-cmd:

$ sudo firewall-cmd --permanent --add-port=1000-1010/tcp
success
$ sudo firewall-cmd --permanent --add-port=1002-1003/tcp
Warning: ALREADY_ENABLED: 1002-1003:tcp
success

Expected contents of /etc/firewalld/zones/FedoraWorkstation.xml (output from running above firewall-cmd commands). Note that port range 1000-1010/tcp is added, but 1002-1003/tcp is not.

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Fedora Workstation</short>
  <description>Unsolicited incoming network packets are rejected from port 1 to 1024, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <service name="samba-client"/>
  <service name="mdns"/>
  <port port="1025-65535" protocol="udp"/>
  <port port="1025-65535" protocol="tcp"/>
  <port port="1000-1010" protocol="tcp"/>
</zone>
ACTUAL RESULTS

Overlapping ports are added to the firewall zone. This causes networking to stop working:

$ ping google.com -c 1
PING google.com (142.251.32.174) 56(84) bytes of data.
64 bytes from dfw28s30-in-f14.1e100.net (142.251.32.174): icmp_seq=1 ttl=115 time=24.1 ms

--- google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 24.114/24.114/24.114/0.000 ms

$ ansible-playbook test-playbook.yml --ask-become-pass
BECOME password:
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [Test Playbook] **********************************************************************************************************************************************************************************************************************************************************

TASK [Gathering Facts] ********************************************************************************************************************************************************************************************************************************************************
ok: [localhost]

TASK [Permit traffic] *********************************************************************************************************************************************************************************************************************************************************
changed: [localhost]

TASK [Permit overlapping traffic] *********************************************************************************************************************************************************************************************************************************************
changed: [localhost]

TASK [Reload FirewallD] *******************************************************************************************************************************************************************************************************************************************************
changed: [localhost]

PLAY RECAP ********************************************************************************************************************************************************************************************************************************************************************
localhost                  : ok=4    changed=3    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

$ ping google.com -c 1
PING google.com (142.251.32.174) 56(84) bytes of data.

--- google.com ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Actual contents of /etc/firewalld/zones/FedoraWorkstation.xml. Note that both port range 1000-1010/tcp and 1002-1003/tcp are added.

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Fedora Workstation</short>
  <description>Unsolicited incoming network packets are rejected from port 1 to 1024, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <service name="samba-client"/>
  <service name="mdns"/>
  <port port="1025-65535" protocol="udp"/>
  <port port="1025-65535" protocol="tcp"/>
  <port port="1000-1010" protocol="tcp"/>
  <port port="1002-1003" protocol="tcp"/>
</zone>
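The containment check the reporter shows firewall-cmd performing (1002-1003/tcp is reported ALREADY_ENABLED because 1000-1010/tcp already covers it), written out as an added example against the zone XML quoted above. This is illustration code, not the ansible.posix module or firewalld's own source; it assumes the rule "a range is already enabled when a range of the same protocol fully contains it", which is what the page's example demonstrates.

```python
# Added example, not from the issue or from firewalld's own source: the
# containment check firewall-cmd applies before adding a port range, run
# against the zone XML quoted in the report (trimmed to its <port> elements).
import xml.etree.ElementTree as ET

# Assumption: a range is ALREADY_ENABLED when, for the same protocol, it lies
# entirely inside a range already present (1002-1003 inside 1000-1010).
ZONE_XML = """<zone>
  <port port="1025-65535" protocol="udp"/>
  <port port="1025-65535" protocol="tcp"/>
  <port port="1000-1010" protocol="tcp"/>
</zone>
"""

PROTOCOLS = ("tcp", "udp", "sctp", "dccp")


def parse_port_spec(spec):
    """'1002-1003/tcp' -> (1002, 1003, 'tcp'); '22/tcp' -> (22, 22, 'tcp')."""
    ports, proto = spec.rsplit("/", 1)
    lo, _, hi = ports.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if proto not in PROTOCOLS or not 1 <= lo <= hi <= 65535:
        raise ValueError("invalid port spec: %r" % spec)
    return lo, hi, proto


def zone_ports(xml_text):
    """[(lo, hi, proto), ...] for every <port> element of the zone file."""
    root = ET.fromstring(xml_text)
    return [parse_port_spec("%s/%s" % (p.get("port"), p.get("protocol")))
            for p in root.findall("port")]


def covering_range(xml_text, spec):
    """The existing range ('lo-hi/proto') that already covers spec, or None."""
    lo, hi, proto = parse_port_spec(spec)
    for elo, ehi, eproto in zone_ports(xml_text):
        if eproto == proto and elo <= lo and hi <= ehi:
            return "%d-%d/%s" % (elo, ehi, eproto)
    return None


def check_before_add(xml_text, spec):
    """Outcome a module should report instead of silently duplicating a range."""
    existing = covering_range(xml_text, spec)
    if existing:
        return "Warning: ALREADY_ENABLED: %s (covered by %s)" % (spec, existing)
    return "ok to add: %s" % spec
```

Running `check_before_add(ZONE_XML, "1002-1003/tcp")` yields the warning, while the same range for udp or a range below 1000 is reported as addable.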
saito-hideki (Collaborator) commented

Hi, thank you for reporting this issue.
The behavior of the firewalld module is the same for both RHEL8 and Fedora34 (overlapping ports will be set), but it seems that the behavior of firewall-cmd has changed in Fedora34.
I think we need to implement better parameter handling, like firewall-cmd in Fedora34.

saito-hideki added the labels bug, verified and waiting_on_contributor on Oct 18, 2021