Affects Version/s: 2.5
Fix Version/s: None
Component/s: vcld (backend)
I had a CentOS 7.0 reservation and noticed someone pecking from a Chinese IP:
This shouldn't be possible if the firewall is configured correctly. VCL limits access to the reservation user's IP address once they connect.
The problem was that the vcl-reserved chain was still present after I logged in and the request state was inuse. This chain should have been deleted. This is a security problem because the vcl-reserved chain is what is used to temporarily open access from any remote IP address.
Once a user connection is detected, the code adds another vcl-post_load with IP restricted rules and deletes the vcl-reserved chain. Based on the vcld.log output, the VCL code appears to have done this:
The previous commands use the --permanent argument, so afterwards the code runs firewall-cmd --reload to enact the saved, permanent configuration:
As an added check, the code makes sure no lines got left in direct.xml:
So, it looks like the code is doing things correctly. I then tried manually running the commands as root:
firewall-cmd --permanent --direct --remove-rule ipv4 filter vcl-reserved 0 --jump ACCEPT --protocol tcp --match comment --comment 'VCL: allow traffic from any IP address to connect method ports during reserved stage of reservation 3527645 (2018-06-26 15:03:35)' --match tcp --dport 22
systemctl restart firewalld
The vcl-reserved rule is gone.
This was an old 7.0 version of CentOS. I tried a revision of the same image that had been updated to CentOS 7.3 and it behaved differently, not exhibiting this problem. The vcl-reserved chain had been removed during the vcld steps.
So, it seems as though firewall-cmd --reload isn't sufficient for some older versions of firewalld. The code needs to be extended with additional checks. If the chain still exists after attempts to delete it seemed to be successful, the firewalld service should be restarted.
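A post-reload verification of the kind proposed here, written as an added example rather than vcld's own code: it removes the vcl-reserved direct chain permanently, reloads, asks firewalld which direct chains still exist, and falls back to restarting the service if the chain survived. The chain-list check takes its input as an argument so it can be exercised without firewalld; the chain name and the ipv4/filter table are taken from the report, everything else is assumed.

```shell
#!/bin/sh
# Added example, not Apache VCL code: make sure the temporary
# vcl-reserved chain is really gone after firewall-cmd --reload.
CHAIN="vcl-reserved"

# Return 0 if $CHAIN appears in a whitespace-separated list of
# chain names (the format firewall-cmd --direct --get-chains prints).
# Taking the list as an argument keeps this testable offline.
chain_in_list() {
    list="$1"
    for c in $list; do
        [ "$c" = "$CHAIN" ] && return 0
    done
    return 1
}

# Runtime (not --permanent) view of the direct chains in ipv4/filter,
# i.e. what is actually enforced right now.
get_direct_chains() {
    firewall-cmd --direct --get-chains ipv4 filter 2>/dev/null
}

# Permanently remove the chain, reload, and verify; restart firewalld
# only if the reload left the chain behind (the behaviour seen on 7.0).
remove_reserved_chain() {
    firewall-cmd --permanent --direct --remove-chain ipv4 filter "$CHAIN"
    firewall-cmd --reload
    if chain_in_list "$(get_direct_chains)"; then
        echo "WARNING: $CHAIN still active after reload, restarting firewalld" >&2
        systemctl restart firewalld
        if chain_in_list "$(get_direct_chains)"; then
            echo "ERROR: $CHAIN still active after restart" >&2
            return 1
        fi
    fi
    return 0
}
```

Run remove_reserved_chain from the inuse transition; a non-zero return means the open-to-any-IP rules are still in force and the reservation should be flagged rather than handed to the user.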