Nft firewalld help

I need a clue about how nft/firewalld works on Fedora 32. I’m given this iptables rule that works and prevents my client app from using UDP:

-A OUTPUT -d xxx.xxx.xxx.xxx/32 -p udp -m udp --dport 4500 -j REJECT --reject-with icmp-port-unreachable

I attempted to translate this into an outbound rich-rule with:

firewall-cmd --add-rich-rule='rule family=ipv4 destination address=xxx.xxx.xxx.xxx/32 port port=4500 protocol=udp reject'

# firewall-cmd --list-rich-rules
rule family="ipv4" destination address="xxx.xxx.xxx.xxx/32" port port="4500" protocol="udp" reject

The nft view of this is it put the rule in this table/chain:

# nft --handle list chain inet firewalld filter_IN_public_deny
table inet firewalld {
        chain filter_IN_public_deny { # handle 187
                ip daddr xxx.xxx.xxx.xxx udp dport 4500 ct state { new, untracked } reject # handle 430
        }

tcpdump shows that all the traffic to server xxx.xxx.xxx.xxx is via UDP. I added a counter to the rule and it stays all zeros. Bunch of questions:

Why does this not work?
Is it a problem that it put the rule in this table/chain?
Why did firewall-cmd put it there?

BTW, if I put the above iptables rule in on the same system using the iptables cmd the traffic goes to TCP, it’s just that I need to move on from iptables and don’t know a lot about it. I need this rule to work in order to move on, chicken/egg.

Thank you for suggestions.

In your iptables rule, there was no conntrack. There, in nft, it is:

But IDK.

I think that the issue here is that the rule should go in the OUTPUT chain (your rule is placed in the filter_IN_public_deny :thinking:).

I’m not an expert: nftables is completely new to me. (Not that I am an expert of iptables :sweat_smile:)

Reading some docs, it seems that Direct configuration should be used only as a last resort when it’s not possible to use firewalld.zone(5)

Btw, a rule like this could work.

sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -d 192.168.0.1/32 -p udp -m udp --dport 4500 -j REJECT --reject-with icmp-port-unreachable

But… :thinking: we need someone with expertise, because such a rule is only visible with sudo iptables -L -n, and not in the nftables.
So, are we in a transition phase where iptables and nftables are both in use?


I don’t know where “untracked” came from. The default since I did not include the arg “counter,” I assumed.

This is at the heart of my question. The rule neglects to declare an “OUTPUT” table, it is filtering on input (I guess, IDK for sure). I’ll try it the other way and with a counter. Then I’ll delete my iptables rule.

Yes, iptables is running also. I didn’t start it, this is a fresh Fedora 32 install. It came that way, but rules are not persistent by default.


Hi Ray,

I think these links will help clear up what’s supposed to work and how:
https://fedoraproject.org/wiki/Changes/firewalld_default_to_nftables
https://fedoraproject.org/wiki/Changes/iptables-nft-default


Thank you. I’ll give them a read shortly. I really need to gain perspective.

This transition from iptables is confusing. So, nft is underneath firewalld. I’m curious what the firewalld layer provides? It’s confusing because it seems writing rules for one is not the same as writing for the other. The syntax is not the same, so I have to learn two packages to get a fw running?

What do you think about this, don’t run both:
“It gets quite confusing to run firewalld and nftables (formerly, iptables) in parallel, though I believe some people do so.”

I stumbled into this iptables-translate on the nft wiki.
https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables
which generates:

iptables-translate -A OUTPUT -d xxx.xxx.xxx.xxx/32 -p udp -m udp --dport 4500 -j REJECT --reject-with icmp-port-unreachable

nft add rule ip filter OUTPUT ip daddr xxx.xxx.xxx.xxx udp dport 4500 counter reject

So, I really did get off track by trying to construct my own firewalld with firewall-cmd and doing that incorrectly, forgetting OUTPUT.

After I added this rule to the correct table/filter (and stopping the iptables rules) the counters on the nft rule started to increment.

So, I really think the important thing now is for me to grok what firewalld provides to this picture. Maybe your suggested reading will turn on a light. Thank you.

I have my nft rules added and they function well. However, they do not persist over a reboot. I thought this would handle that:

# firewall-cmd --runtime-to-permanent
success

Success here would be if I rebooted and the nft added rules were active, not the case.

So, if I add rules and firewalld is aware of them, how do you make them persist across reboot? Perhaps this is a hapless venture and I have to either dump firewalld or learn to write my rules in firewall-cmd syntax.

This seems to have let the nft rules persist:

# systemctl enable nftables
# nft list ruleset > /etc/sysconfig/nftables.conf

Which is not the same thing as firewalld keeping nft rules alive. I couldn’t find the answer to that riddle… so what’s the gain of firewalld again?

Probably the “dbus integration”. Don’t you need to also disable firewalld in this case?

By using firewall-cmd?

If you stop using firewalld, do not forget to place a flush ruleset at the top of the .conf (in case you restart the nftables service).

Thank you for all your comments. I don’t understand half of them, dbus integration, flush ruleset and others. I really have a ton of reading to do to get off the ground, but that’s really the problem. You have to set up a firewall in order to use a system and you have to have a system to use to do the reading. Chicken/egg. I got off track and have something working, but it’s probably not “right.” Now that I have something working, I’ll go back and try to understand and clean up the mess I made.

Your comments have been helpful, very helpful as I didn’t really know these were questions at all.

“Flush ruleset” is fairly simple. When you are starting nftables, if any rules are in place from a prior session, it removes them. Thus, when the new rules are loaded, they are not stacked on top of the old rules; the mix could cause unintended consequences.

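Putting the pieces of the thread together, here is what a complete, persistent /etc/sysconfig/nftables.conf for the outbound-reject case looks like. This is an added example, not a file any poster provided: it combines the iptables-translate output from above (the ip filter OUTPUT chain), the `--reject-with icmp-port-unreachable` behaviour of the original iptables rule, and the `flush ruleset` advice. The address 192.0.2.10 is a placeholder standing in for the redacted xxx.xxx.xxx.xxx; port 4500 and the file path come from the thread. It assumes firewalld has been stopped and disabled so that only the nftables service manages the ruleset.

```nft
#!/usr/sbin/nft -f
# Example /etc/sysconfig/nftables.conf (constructed for this thread, not a poster's file).
# Loaded by the nftables service on boot: systemctl enable nftables

# Drop every rule left over from a previous load so rules do not stack up.
flush ruleset

# Plain "ip" family table, matching the iptables-translate output above.
table ip filter {
    # The chain must hook "output" to see packets our own client sends;
    # firewalld's rich rule landed in an input deny chain, which only
    # inspects traffic arriving at this host, so it never matched.
    chain OUTPUT {
        type filter hook output priority 0; policy accept;

        # 192.0.2.10 is a placeholder for the server redacted as xxx.xxx.xxx.xxx.
        # "counter" makes the hit count visible in "nft list chain ip filter OUTPUT".
        # "reject with icmp type port-unreachable" mirrors --reject-with icmp-port-unreachable.
        ip daddr 192.0.2.10 udp dport 4500 counter reject with icmp type port-unreachable
    }
}
```

Before enabling the service, `nft -c -f /etc/sysconfig/nftables.conf` parses the file without loading it, which catches syntax slips. After a reboot, `nft list chain ip filter OUTPUT` should show the rule with a non-zero counter once the client has tried to reach the server; a counter that stays at zero means the packets are not traversing this hook, which is exactly the symptom the original rich rule produced. Note the absence of a `ct state` match: the rich rule's `ct state { new, untracked }` restricted it to the first packet of a flow, whereas this rule rejects every matching datagram.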
