[UFO Chicago] Firewalld breaks broadcast pings with STATE_INVALID_DROP

Jay F. Shachter jay at m5.chicago.il.us
Tue May 13 00:07:03 CDT 2025


Esteemed Colleagues:

As you may perhaps already know, firewalld runs by default on Fedora
and on RHEL and its clones; it has recently become available on Ubuntu
also.

On my Fedora system (and presumably the same thing would happen on
RHEL and its clones, or indeed on any system that uses firewalld)
firewalld is allowing an outgoing broadcast ping to receive responses
only from the machine that originated it. There is clearly nothing
wrong with the sysctl settings on any of the machines on the network,
because when I stop firewalld broadcast pings work correctly, and when
I restart firewalld broadcast pings stop working. Unicast pings are
fine.

After turning on firewalld logging with "firewall-cmd
--set-log-denied=all", and then sending out a broadcast ping, I saw
the following line in /var/log/messages:

   May 10 23:47:33 m5 kernel: STATE_INVALID_DROP: IN=enp0s31f6 OUT= MAC=d4:81:d7:db:f4:96:f0:1f:af:15:ea:09:08:00 SRC=192.168.2.4 DST=192.168.2.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=14231 PROTO=ICMP TYPE=0 CODE=0 ID=23 SEQ=1

Apparently, the incoming echo reply from 192.168.2.4 is considered to
be unrelated to the earlier echo request to 192.168.2.255 and is
therefore dropped.

Please forgive me for troubling you, but I have read the fabulous
manual, and I cannot figure out from it how to get outgoing broadcast
pings to work correctly on a machine that uses firewalld (other than
by stopping firewalld). How do I do it?  As always, thank you in
advance for any and all replies.


                        Jay F. Shachter
                        6424 North Whipple Street
                        Chicago IL  60645-4111
                                +1 773 7613784   landline
                                +1 410 9964737   GoogleVoice
                                jay at m5.chicago.il.us
                                http://m5.chicago.il.us

                        "Quidquid latine dictum sit, altum videtur"
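
The behaviour described in the message above, as an added example that is not part of the original post: it parses the quoted log line and applies a simplified model of connection-tracking ICMP matching, in which a reply must come from the address the request was sent to. The /24 netmask, the function names and the matching model are assumptions made for illustration.

```python
import ipaddress
import re

# Log line quoted in the post (kernel log after --set-log-denied=all).
LOG_LINE = ("May 10 23:47:33 m5 kernel: STATE_INVALID_DROP: IN=enp0s31f6 OUT= "
            "MAC=d4:81:d7:db:f4:96:f0:1f:af:15:ea:09:08:00 SRC=192.168.2.4 "
            "DST=192.168.2.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=14231 "
            "PROTO=ICMP TYPE=0 CODE=0 ID=23 SEQ=1")


def parse_denied(line):
    """Return (log_prefix, fields) for a log-denied kernel line, or None.

    ID= appears twice: first the IP ident, then the ICMP echo id. The echo
    id is kept as 'ID' and the IP ident is moved to 'IP_ID'.
    """
    m = re.search(r"kernel: (\w+): (.*)", line)
    if not m:
        return None
    fields = {}
    for key, value in re.findall(r"(\w+)=(\S*)", m.group(2)):
        if key == "ID" and "ID" in fields:
            fields["IP_ID"] = fields["ID"]
        fields[key] = value
    return m.group(1), fields


def reply_matches(request, reply):
    """Assumed model: the expected reply is the request tuple inverted."""
    return ((reply["SRC"], reply["DST"], reply["ID"]) ==
            (request["DST"], request["SRC"], request["ID"]))


def classify(line, local_net):
    """Label a dropped packet; local_net (e.g. a /24) is an assumption."""
    parsed = parse_denied(line)
    if parsed is None:
        return "unparsed"
    prefix, f = parsed
    if (prefix != "STATE_INVALID_DROP" or f.get("PROTO") != "ICMP"
            or f.get("TYPE") != "0"):        # TYPE=0 is an echo reply
        return "other"
    net = ipaddress.ip_network(local_net)
    if ipaddress.ip_address(f["SRC"]) not in net:
        return "echo reply from outside local_net"
    # The request that a broadcast ping would have put in the state table.
    bcast_req = {"SRC": f["DST"], "DST": str(net.broadcast_address), "ID": f["ID"]}
    if not reply_matches(bcast_req, f):
        return "echo reply to broadcast ping"
    return "other"
```
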

