Firewalld: blocking outgoing connections blocks also incomming connections

firewalldrhel7

log4shell has caused us to improve the security of some servers. We want now also block outgoing traffic (as possible). The current firewall rules are:

/> firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: dhcpv6-client https smtp ssh
  ports: 143/tcp 3000/tcp 4949/tcp 8080/tcp 12999/tcp 25/tcp 1194/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

So at example connections to the server via ssh are currently possible (and should be still possible in the future). Now we want to prevent all outgoing connections except connections through https (443). To do that we have add some firewalld rules (see also https://serverfault.com/a/624474/145652):

/> firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp -m tcp --dport=443 -j ACCEPT
success
/> firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -j DROP
success
/> firewall-cmd --reload

But after these commands, we will lose all connections to server: no ping, no ssh, the server don't accepts any connection. Possible that firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -j DROP is blocking all outgoing traffic, including the servers answer of incoming (ssh-) requests? Is there a rule missing to allow sending the answer data of incoming requests?

Best Answer

I'm just spinning up an instance to test, but I suspect it's because you're not allowing related/established outbound rules as well, so the kernel is killing your existing connections.

Update: I'm sure this is the problem. I just tested it by booting Centos 7 on an EC2 instance, installing FirewallD, and then pasting in your first rule without the permanent flag. All working okay.

As soon as I pasted in the DROP rule, I got disconnected.

In the link you provided, the first rule they add is an ESTABLISHED,RELATED rule. This means that connections that are allowed in are allowed out (so the firewall is stateful). Without that rule, you have no stateful rules and your SSH connection can't establish.

So your actual list of rules needs to be:

# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 80 -j ACCEPT
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 443 -j ACCEPT
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 53 -j ACCEPT
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p udp --dport 53 -j ACCEPT
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 2 -j DROP

Note I've included HTTP, HTTPS, and DNS as well - else connections won't establish to DNS names because the server won't be able to resolve them...

Related Topic