Problems with firewalld and Kickstart

Hello team,

I installed a server using Kickstart and set up firewalld with the following flags:

firewall --enabled --ssh --http

However, after rebooting the machine for the first time, I see errors when the firewall comes up:

Sep 11 16:51:32 X firewalld[36540]: ERROR: INVALID_ZONE
Sep 11 16:51:32 X firewalld[36540]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore: line 11 failed
Sep 11 16:51:32 X firewalld[36540]: ERROR: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore: line 11 failed
Sep 11 16:51:32 X firewalld[36540]: ERROR: COMMAND_FAILED: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore: line 11 failed
Sep 11 16:51:32 X firewalld[36540]: ERROR: INVALID_ZONE
Sep 11 16:58:18 X firewalld[36540]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): iptables-restore: unable to initialize table 'security'
                                              Error occurred at line: 1
                                              Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Sep 11 16:58:18 X firewalld[36540]: ERROR: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore v1.8.0 (legacy): ip6tables-restore: unable to initialize table 'secur>

Somehow it seems that the ‘public’ zone got mangled:

[root@X log]# firewall-cmd --get-active-zones 
# Returns nothing

[root@X log]# firewall-cmd --zone=public --list-all
Error: INVALID_ZONE: public

Any ideas what could be wrong? I will gladly reset the firewall status and start from scratch.

Thanks!

What image is this based on?

John Harris

Hello John,

I did my installation using the ‘Everything’ distribution (not ‘Server or Workstation’).

–Jose

Not sure what is going on here but I can set rules with firewall-cmd:

firewall-cmd --set-default-zone=public
firewall-cmd --get-default-zone # Returns 'public'
firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --add-service=ssh --permanent
firewall-cmd --zone=public --permanent --add-port=7990/tcp
firewall-cmd --zone=public --permanent --add-port=7999/tcp
firewall-cmd --zone=public --permanent --add-port=8080/tcp

But the following commands return nothing:

firewall-cmd --get-active-zones
firewall-cmd --list-ports --zone=public
firewall-cmd --zone=public --list-services

You have to reload the permanent configuration in order for it to take effect via firewall-cmd --reload.


Also note that NetworkManager connection settings may override the default firewall zone.


That’s how I found the problem :-). I also checked the firewalld XML files; they look ‘sane’ to me, not corrupted or anything suspicious.

My network interface has only one override

[root@X ~]# egrep ZONE /etc/sysconfig/network-scripts/ifcfg-*
/etc/sysconfig/network-scripts/ifcfg-ens1f0:ZONE=public

This matches my configuration with firewall-cmd.


I asked for help also on the firewalld Fedora mailing list, and Eric Garver from Red Hat pointed out the issue and the solution.

I’m sharing here the whole solution so anyone else hitting this can benefit:

Hello Eric,

You are right about the missing modules, my kernel was not compiled with support for them:

[root@X ~]# egrep CONFIG_IP6_NF_SECURITY /lib/modules/$(uname -r)/config
[root@X ~]# egrep CONFIG_IP_NF_SECURITY /lib/modules/$(uname -r)/config

I tried on a machine with an older kernel running Enterprise server:

egrep CONFIG_IP6_NF_SECURITY /boot/config-2.6.32-754.3.5.el6.x86_64
CONFIG_IP6_NF_SECURITY=m

So I decided to check your bug-fix commit (fix: ipXtables: don't use tables that aren't available · firewalld/firewalld@c46b089 · GitHub) and tried it on my non-production server:

(Kids please do not try this at home :-)):

[root@X ~]# cp -pv /usr/lib/python3.7/site-packages/firewall/core/ipXtables.py /usr/lib/python3.7/site-packages/firewall/core/ipXtables.py.orig
[root@X ~]# curl --verbose --insecure --proxy 'XXX' --proxy-user 'XXX' --output /usr/lib/python3.7/site-packages/firewall/core/ipXtables.py https://raw.githubusercontent.com/firewalld/firewalld/c46b0892e1e4a540c959b4c1f6ea87de50d1bcf8/src/firewall/core/ipXtables.py

And then restarted firewalld and checked the rules:

systemctl restart firewalld

[root@X ~]# systemctl status -l firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: active (running) since Tue 2019-09-17 09:53:34 EDT; 6min ago
Docs: man:firewalld(1)
Main PID: 12128 (firewalld)
Tasks: 2 (limit: 9830)
Memory: 35.2M
CGroup: /system.slice/firewalld.service
└─12128 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid

Sep 17 09:53:33 X systemd[1]: Starting firewalld - dynamic firewall daemon…
Sep 17 09:53:34 X systemd[1]: Started firewalld - dynamic firewall daemon.

No errors this time!

Also polling settings with firewall-cmd works now:

[root@X ~]# firewall-cmd --get-active-zones
public
  interfaces: eno1 ens1f0 ens6f1np1
[root@X ~]# firewall-cmd --list-ports --zone=public
7990/tcp 7999/tcp 8080/tcp
[root@X ~]# firewall-cmd --zone=public --list-services
dhcpv6-client http https mdns ssh

I think this is fixed on https://download.fedoraproject.org/pub/fedora/linux/updates/30/Everything/SRPMS/Packages/f/firewalld-0.6.4-2.fc30.src.rpm as the build time for the RPM has a later date than your commit.

Thanks a lot for the help, problem fixed!

–Jose

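As an added example (not code from the thread or from firewalld), a small POSIX shell check for the condition Eric identified: it lists the iptables tables the kernel config cannot provide, and pulls the failing table names out of firewalld's journal lines so the two can be compared. The kernel config symbol mapping is the upstream netfilter naming; the sample config and sample log line are constructed to mirror the thread.

```shell
# Added example, not from the thread or from firewalld. Finds iptables tables the
# kernel was built without (the cause of "unable to initialize table 'security'"
# above) and the table names firewalld reported failures for.

# Print the tables whose config symbol is absent from kernel config file $1
# (e.g. /lib/modules/$(uname -r)/config); pass "ipv6" as $2 for CONFIG_IP6_NF_*.
missing_tables() {
    cfg=$1
    if [ "$2" = ipv6 ]; then
        pfx=CONFIG_IP6_NF; natold=CONFIG_NF_NAT_IPV6
    else
        pfx=CONFIG_IP_NF; natold=CONFIG_NF_NAT_IPV4
    fi
    for entry in filter:FILTER mangle:MANGLE raw:RAW security:SECURITY nat:NAT; do
        table=${entry%%:*}
        sym=${entry#*:}
        grep -Eq "^${pfx}_${sym}=(y|m)$" "$cfg" && continue
        # older kernels spell the NAT table option CONFIG_NF_NAT_IPV4 / IPV6
        [ "$table" = nat ] && grep -Eq "^${natold}=(y|m)$" "$cfg" && continue
        echo "$table"
    done
}

# Extract the table names firewalld could not initialize from journal excerpt $1.
failed_tables() {
    sed -n "s/.*unable to initialize table '\([a-z]*\)'.*/\1/p" "$1" | sort -u
}

# Constructed sample inputs: a kernel built without the security table (as in
# the thread) and the matching firewalld error line.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_NAT=m
# CONFIG_IP_NF_SECURITY is not set
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_RAW=m
CONFIG_NF_NAT_IPV6=m
EOF
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Sep 11 16:58:18 X firewalld[36540]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): iptables-restore: unable to initialize table 'security'
EOF

echo "IPv4 tables missing from kernel: $(missing_tables "$SAMPLE_CFG")"
echo "IPv6 tables missing from kernel: $(missing_tables "$SAMPLE_CFG" ipv6)"
echo "Tables firewalld failed on: $(failed_tables "$SAMPLE_LOG")"
```

On a real host, point missing_tables at /lib/modules/$(uname -r)/config and failed_tables at the output of journalctl -u firewalld; any table in both lists is one the daemon must skip or the kernel must gain.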