nunezjos
(Jose Vicente Nunez)
1
Hello team,
I installed a server using Kickstart and set up firewalld with the following flags:
firewall --enabled --ssh --http
However, after rebooting the machine for the first time I see there are errors when the firewall comes up:
Sep 11 16:51:32 X firewalld[36540]: ERROR: INVALID_ZONE
Sep 11 16:51:32 X firewalld[36540]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore: line 11 failed
Sep 11 16:51:32 X firewalld[36540]: ERROR: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore: line 11 failed
Sep 11 16:51:32 X firewalld[36540]: ERROR: COMMAND_FAILED: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore: line 11 failed
Sep 11 16:51:32 X firewalld[36540]: ERROR: INVALID_ZONE
Sep 11 16:58:18 X firewalld[36540]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): iptables-restore: unable to initialize table 'security'
Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Sep 11 16:58:18 X firewalld[36540]: ERROR: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore v1.8.0 (legacy): ip6tables-restore: unable to initialize table 'secur>
Somehow it seems that the "public" zone got mangled:
[root@X log]# firewall-cmd --get-active-zones
# Returns nothing
[root@X log]# firewall-cmd --zone=public --list-all
Error: INVALID_ZONE: public
Any ideas what could be wrong? I will gladly reset the firewall status and start from scratch.
Thanks!
JohnMH
(John M. Harris, Jr )
2
What image is this based on?
John Harris
nunezjos
(Jose Vicente Nunez)
3
Hello John,
I did my installation using the "Everything" distribution (not "Server or Workstation").
–Jose
nunezjos
(Jose Vicente Nunez)
4
Not sure what is going on here but I can set rules with firewall-cmd:
firewall-cmd --set-default-zone=public
firewall-cmd --get-default-zone # Returns 'public'
firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --add-service=ssh --permanent
firewall-cmd --zone=public --permanent --add-port=7990/tcp
firewall-cmd --zone=public --permanent --add-port=7999/tcp
firewall-cmd --zone=public --permanent --add-port=8080/tcp
But the following commands return nothing:
firewall-cmd --get-active-zones
firewall-cmd --list-ports --zone=public
firewall-cmd --zone=public --list-services
refi64
(Ryan Gonzalez)
5
You have to reload the permanent configuration in order for it to take effect via firewall-cmd --reload.
1 Like
vgaetera
(Vladislav Grigoryev)
6
Also note that NetworkManager connection settings may override the default firewall zone.
1 Like
nunezjos
(Jose Vicente Nunez)
7
That's how I found the problem :-). Also checked the firewalld XML files, they look "sane" to me, not corrupted or anything suspicious.
nunezjos
(Jose Vicente Nunez)
8
My network interface has only one override:
[root@X ~]# egrep ZONE /etc/sysconfig/network-scripts/ifcfg-*
/etc/sysconfig/network-scripts/ifcfg-ens1f0:ZONE=public
This matches my configuration with firewall-cmd.
1 Like
nunezjos
(Jose Vicente Nunez)
9
I asked for help also on the firewalld Fedora mailing list and Eric Garver from Red Hat pointed out the issue + solution.
I'm sharing here the whole solution so anyone else hitting this can benefit:
Hello Eric,
You are right about the missing modules, my kernel was not compiled with support for them:
[root@X ~]# egrep CONFIG_IP6_NF_SECURITY /lib/modules/$(uname -r)/config
[root@X ~]# egrep CONFIG_IP_NF_SECURITY /lib/modules/$(uname -r)/config
I tried on a machine with an older kernel running Enterprise Server:
egrep CONFIG_IP6_NF_SECURITY /boot/config-2.6.32-754.3.5.el6.x86_64
CONFIG_IP6_NF_SECURITY=m
So I decided to check your bug-fix commit (fix: ipXtables: don't use tables that aren't available · firewalld/firewalld@c46b089 · GitHub) and tried on my non-production server:
(Kids please do not try this at home :-)):
[root@X ~]# cp -pv /usr/lib/python3.7/site-packages/firewall/core/ipXtables.py /usr/lib/python3.7/site-packages/firewall/core/ipXtables.py.orig
[root@X ~]# curl --verbose --insecure --proxy 'XXX' --proxy-user 'XXX' --output /usr/lib/python3.7/site-packages/firewall/core/ipXtables.py https://raw.githubusercontent.com/firewalld/firewalld/c46b0892e1e4a540c959b4c1f6ea87de50d1bcf8/src/firewall/core/ipXtables.py
And then restarted firewalld and checked the rules:
systemctl restart firewalld
[root@X ~]# systemctl status -l firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: active (running) since Tue 2019-09-17 09:53:34 EDT; 6min ago
Docs: man:firewalld(1)
Main PID: 12128 (firewalld)
Tasks: 2 (limit: 9830)
Memory: 35.2M
CGroup: /system.slice/firewalld.service
└─12128 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid
Sep 17 09:53:33 X systemd[1]: Starting firewalld - dynamic firewall daemon...
Sep 17 09:53:34 X systemd[1]: Started firewalld - dynamic firewall daemon.
No errors this time!
Also polling settings with firewall-cmd works now:
[root@X ~]# firewall-cmd --get-active-zones
public
interfaces: eno1 ens1f0 ens6f1np1
[root@X ~]# firewall-cmd --list-ports --zone=public
7990/tcp 7999/tcp 8080/tcp
[root@X ~]# firewall-cmd --zone=public --list-services
dhcpv6-client http https mdns ssh
I think this is fixed on https://download.fedoraproject.org/pub/fedora/linux/updates/30/Everything/SRPMS/Packages/f/firewalld-0.6.4-2.fc30.src.rpm as the build time for the RPM has a later date than your commit.
Thanks a lot for the help, problem fixed!
–Jose
1 Like
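The root cause in the thread was a kernel built without the netfilter 'security' table, which firewalld's iptables backend tried to initialize anyway. The script below is an added example, not code from the thread or from firewalld: it reads a kernel config file (the thread's `/lib/modules/$(uname -r)/config` when present, otherwise a constructed sample that mimics the thread's kernel) and reports, per iptables/ip6tables table, whether the backing option is built in, a module, or absent. It goes beyond the two options the thread greps for by also covering the filter, nat, mangle and raw tables; those Kconfig names are standard kernel options but do not appear in the thread. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from firewalld. It checks a kernel
# config file for the Kconfig option behind each iptables/ip6tables table, so a
# missing table (the thread's 'security' case) is found before firewalld fails
# at boot. The filter/nat/mangle/raw option names are standard kernel options
# that the thread itself does not mention.

# kernel_opt_state FILE OPTION -> prints builtin, module or missing
kernel_opt_state() {
    f=$1
    opt=$2
    # Only "OPTION=y" / "OPTION=m" count; "# OPTION is not set" does not match.
    val=$(grep -E "^${opt}=" "$f" 2>/dev/null | head -n 1 | cut -d= -f2)
    case "$val" in
        y) echo builtin ;;
        m) echo module ;;
        *) echo missing ;;
    esac
}

# check_nf_table_support FILE
# Prints "<table> ipv4=<state> ipv6=<state>" for each table; returns 1 if any
# table is missing for either address family, 0 otherwise.
check_nf_table_support() {
    cfg=$1
    rc=0
    for entry in \
        filter:CONFIG_IP_NF_FILTER:CONFIG_IP6_NF_FILTER \
        nat:CONFIG_IP_NF_NAT:CONFIG_IP6_NF_NAT \
        mangle:CONFIG_IP_NF_MANGLE:CONFIG_IP6_NF_MANGLE \
        raw:CONFIG_IP_NF_RAW:CONFIG_IP6_NF_RAW \
        security:CONFIG_IP_NF_SECURITY:CONFIG_IP6_NF_SECURITY
    do
        table=${entry%%:*}
        rest=${entry#*:}
        opt4=${rest%%:*}
        opt6=${rest#*:}
        s4=$(kernel_opt_state "$cfg" "$opt4")
        s6=$(kernel_opt_state "$cfg" "$opt6")
        echo "$table ipv4=$s4 ipv6=$s6"
        if [ "$s4" = missing ] || [ "$s6" = missing ]; then
            rc=1
        fi
    done
    return $rc
}

# write_sample_config FILE: constructed sample mimicking the thread's kernel,
# where the security table options are absent and the others are present.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_RAW=m
# CONFIG_IP_NF_SECURITY is not set
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_NAT=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_RAW=m
# CONFIG_IP6_NF_SECURITY is not set
EOF
}

# Stand-alone use: check the running kernel's config where it is present
# (the path the thread used), otherwise the constructed sample.
live="/lib/modules/$(uname -r)/config"
if [ -f "$live" ]; then
    check_nf_table_support "$live" || echo "WARNING: at least one netfilter table is unavailable"
else
    sample=$(mktemp)
    write_sample_config "$sample"
    check_nf_table_support "$sample" || echo "WARNING: at least one netfilter table is unavailable"
    rm -f "$sample"
fi
```

On the thread's kernel this prints `security ipv4=missing ipv6=missing` and exits non-zero, which is exactly the condition that produced the `unable to initialize table 'security'` errors; on a kernel like the EL6 one quoted above it reports `module` for both security options. Running it from a Kickstart `%post` section or a provisioning check is a cheap way to catch the mismatch before the first boot instead of after it.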