I'm kinda new to firewalld and can miss something, but it still looks like a bug to me.
I was trying to achieve a DROP action instead of REJECT on all unneeded traffic.
This seems to be available only if you select the "drop" zone as active for an interface. But the DROP action is applied to ICMP messages too. I was trying to enable the icmp protocol with rich rules:
"firewall-cmd --zone=drop --add-rich-rule='rule protocol value="icmp" accept'"
and got the message:
"Error: COMMAND_FAILED: '/sbin/iptables -t filter -A DROP_allow -p icmp -m conntrack --ctstate NEW -j ACCEPT' failed: iptables: No chain/target/match by that name."
Adding the same rule for --zone=public works fine (this zone is still the default system zone):
"firewall-cmd --zone=public --add-rich-rule='rule protocol value="icmp" accept'"

Looks like the firewalld wrapper changes the chain name to a wrong value; the correct one seems to me to be "IN_drop_allow":
"/sbin/iptables -t filter -A IN_drop_allow -p icmp -m conntrack --ctstate NEW -j ACCEPT"
Running the above line works as intended, but as stated in the manual we should not mix plain iptables rules and firewalld. Also, rich rules seem to be the only permanent-settings solution for custom rules with firewalld.
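An added check (example code, not part of the original post or of firewalld): a POSIX sh script that reads `iptables -t filter -S` output and verifies that the zone's `IN_<zone>_allow` chain (the naming shown in the working iptables line above) exists and holds an ACCEPT rule for the protocol, so a rich rule that silently landed in the wrong chain is caught. The ruleset below is a constructed sample; on a live host the same function is fed the real `iptables -S` output.

```shell
#!/bin/sh
# Added example: check whether a firewalld zone's "allow" chain exists in the
# running iptables ruleset and contains an ACCEPT rule for a protocol.
# Assumes firewalld's IN_<zone>_allow chain naming, as seen in the post.

# firewalld names the per-zone inbound allow chain IN_<zone>_allow.
zone_allow_chain() {
    printf 'IN_%s_allow\n' "$1"
}

# check_allow_rule ZONE PROTO < ruleset
# Reads `iptables -t filter -S` style output on stdin.
# Prints "ok", "missing-rule" or "missing-chain"; returns 0 only for "ok".
check_allow_rule() {
    zone="$1"; proto="$2"
    chain=$(zone_allow_chain "$zone")
    ruleset=$(cat)
    # "-N <chain>" lines list the chains that actually exist.
    if ! printf '%s\n' "$ruleset" | grep -q "^-N $chain\$"; then
        echo "missing-chain"; return 1
    fi
    # Look for an ACCEPT rule for the protocol appended to that chain.
    if printf '%s\n' "$ruleset" | grep -q "^-A $chain -p $proto .*-j ACCEPT\$"; then
        echo "ok"; return 0
    fi
    echo "missing-rule"; return 1
}

# Constructed sample ruleset: both zone chains exist, but only the public
# zone carries the ICMP accept rule (the state the post describes).
SAMPLE_RULESET='-N IN_drop_allow
-N IN_public_allow
-A IN_public_allow -p icmp -m conntrack --ctstate NEW -j ACCEPT'

main() {
    if [ "$#" -eq 2 ]; then
        # Live check (needs root): main ZONE PROTO
        iptables -t filter -S | check_allow_rule "$1" "$2"
    else
        printf '%s\n' "$SAMPLE_RULESET" | check_allow_rule public icmp
        printf '%s\n' "$SAMPLE_RULESET" | check_allow_rule drop icmp || true
    fi
}
main "$@"
```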