Linode Forum
Linode Community Forums
Posted: Sat Dec 17, 2016 10:40 pm
Joined: Sat Dec 17, 2016 10:33 pm
Posts: 1
Hi, I'm trying to use firewalld to allow access to certain services (http, https, ssh over a non-standard port, smtp and ftp):
Code:
firewall-cmd --permanent --remove-service=ssh
firewall-cmd --permanent --add-port=2222/tcp
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --permanent --add-service=smtp
So far, so good, but when I try to reload the rules (firewall-cmd --reload), I just get an ERROR: COMMAND_FAILED and no rules are added to iptables :/
Is anyone else having this issue? I tried some google-fu, but the other errors I found were showing the failed command; mine is totally empty...


Posted: Tue Jan 03, 2017 9:31 pm
Senior Member
Joined: Sun Jan 24, 2016 4:30 am
Posts: 224
Are you sure firewalld is running? (try: systemctl start firewalld)

You might have a problem with the configuration files; take a look under /etc/firewalld/ and see if any of the XML files are corrupted or just wrong. If you want, you can delete them and start fresh, in case the problem is with some old command that you've run in the past.

_________________
:idea: I love my computer... all my friends live there.


Posted: Sat Mar 25, 2017 6:27 pm
Joined: Sat Mar 25, 2017 5:49 pm
Posts: 1
Same issue here.
Code:
[root@Zeno ~]# systemctl start firewalld
[root@Zeno ~]# sudo systemctl status firewalld -l
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2017-03-25 23:03:33 CET; 4s ago
     Docs: man:firewalld(1)
  Process: 5273 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
 Main PID: 5326 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─5326 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Mar 25 23:03:33 Zeno systemd[1]: Starting firewalld - dynamic firewall daemon...
Mar 25 23:03:33 Zeno systemd[1]: Started firewalld - dynamic firewall daemon.
Mar 25 23:03:33 Zeno firewalld[5326]: ERROR: COMMAND_FAILED
Mar 25 23:03:33 Zeno firewalld[5326]: WARNING: '/usr/sbin/iptables-restore -n' failed:
Mar 25 23:03:33 Zeno firewalld[5326]: WARNING: '/usr/sbin/ip6tables-restore -n' failed:
Mar 25 23:03:33 Zeno firewalld[5326]: ERROR: COMMAND_FAILED
Code:
[root@Zeno ~]# firewall-cmd --state
not running
I have no idea where to start looking for a solution.

Didn't mess with any .xml file. Only used firewall-cmd.
Reinstalled firewalld.
Removed the zone .xml files.


Posted: Sun Mar 26, 2017 3:29 am
Senior Member
Joined: Sun Jan 24, 2016 4:30 am
Posts: 224
I am not sure how you ended up like this; maybe you can retrace your steps and see what you touched on that server that broke the firewall?

Also, take a look at /var/log/messages, maybe you'll get more errors there, which could help identify the problem.

You could also reinstall the firewall rpm, for example:
Code:
yum reinstall firewalld-filesystem-0.4.3.2-8.1.el7_3.2.noarch firewalld-0.4.3.2-8.1.el7_3.2.noarch
(don't copy/paste the above, first make sure the version numbers are the same in your system)

Posted: Tue May 09, 2017 3:49 pm
Newbie
Joined: Tue May 09, 2017 3:32 pm
Posts: 4
Similar issue here after doing a yum update to CentOS 7.3 today.

Rebooted and firewall preventing any external connections.

Using lish I found the problem was with the firewalld config.
firewall-cmd --get-active-zones returns nothing
firewall-cmd --list-interfaces returns nothing
firewall-cmd --permanent --zone=public --change-interface=eth0 looks like it succeeds, and tells me that it's already in that zone if I re-run it, but --get-active-zones still returns nothing.

--list-zones shows all the zones and the public zone is still there with the correct services in it as before the update, but it's just not associated with that interface.

A few bits from /var/log/messages -
firewalld: WARNING: '/usr/sbin/iptables-restore -n' failed:
firewalld: WARNING: '/usr/sbin/ip6tables-restore -n' failed:
firewalld: ERROR: COMMAND_FAILED
kernel: nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
NetworkManager[3314]: <warn> [1494357834.7334] firewall: [0x557a80124290,change:"eth0"]: complete: request failed (COMMAND_FAILED)


There's some kind of borkage to do with the interface scripts, network manager and firewalld.

Does anyone have any suggestions? I've done a yum remove and install of firewalld to no effect.

TIA!
Neil


Posted: Tue May 09, 2017 5:09 pm
Senior Member
Joined: Sun Jan 24, 2016 4:30 am
Posts: 224
blue30,

The above errors look like they are coming from the underlying iptables and not from firewalld.

Maybe your kernel has not been compiled with the required modules to support the full set of features needed by iptables? My suggestion at this point is to switch to the real CentOS kernel, which we know is fully featured, and see if that fixes your problem.

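A small triage helper for the /var/log/messages lines quoted in the last two posts, added here as an example and not part of the thread. It tells apart firewalld's own ERROR: COMMAND_FAILED from the iptables-restore / ip6tables-restore failures and the NetworkManager zone-change failure, and treats the nf_conntrack line as a kernel notice rather than an error. The sample log is constructed from the lines above, and the "netfilter" verdict follows the reply's reading that a failing iptables-restore points at the kernel/iptables layer rather than at the zone XML.

```python
import re

# Constructed sample, modelled on the /var/log/messages excerpts quoted in this thread.
SAMPLE_LOG = """\
Mar 25 23:03:33 Zeno firewalld[5326]: ERROR: COMMAND_FAILED
Mar 25 23:03:33 Zeno firewalld[5326]: WARNING: '/usr/sbin/iptables-restore -n' failed:
Mar 25 23:03:33 Zeno firewalld[5326]: WARNING: '/usr/sbin/ip6tables-restore -n' failed:
May  9 20:03:54 Zeno firewalld: ERROR: COMMAND_FAILED
May  9 20:03:54 Zeno kernel: nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
May  9 20:03:54 Zeno NetworkManager[3314]: <warn> [1494357834.7334] firewall: [0x557a80124290,change:"eth0"]: complete: request failed (COMMAND_FAILED)
"""

# The "[pid]" suffix is optional: one post shows it, the other does not.
RESTORE_FAILED = re.compile(r"firewalld(?:\[\d+\])?: WARNING: '(/usr/sbin/ip6?tables-restore) -n' failed:")
COMMAND_FAILED = re.compile(r"firewalld(?:\[\d+\])?: ERROR: COMMAND_FAILED")
NM_FAILED = re.compile(r'NetworkManager\[\d+\]: .*change:"([^"]+)".*request failed \(COMMAND_FAILED\)')
CT_HELPER = re.compile(r"kernel: nf_conntrack: default automatic helper assignment has been turned off")


def triage(log_text):
    """Summarise the firewalld-related lines and name the layer that most likely failed."""
    restore_tools, interfaces = set(), set()
    command_failed = ct_notice = 0
    for line in log_text.splitlines():
        m = RESTORE_FAILED.search(line)
        if m:
            restore_tools.add(m.group(1))
        if COMMAND_FAILED.search(line):
            command_failed += 1
        m = NM_FAILED.search(line)
        if m:
            interfaces.add(m.group(1))       # interface NetworkManager could not place in a zone
        if CT_HELPER.search(line):
            ct_notice += 1                   # kernel notice only; not an error by itself
    # firewalld hands its generated rule set to iptables-restore; when that step fails the
    # zone XML is usually not the culprit, the netfilter layer (kernel modules/iptables) is.
    if restore_tools:
        layer = "netfilter"
    elif command_failed:
        layer = "firewalld-config"
    else:
        layer = "none"
    return {"layer": layer, "restore_tools": sorted(restore_tools),
            "command_failed": command_failed, "interfaces": sorted(interfaces),
            "conntrack_notice": ct_notice}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run it against a real file with `triage(open("/var/log/messages").read())`; a "netfilter" verdict is the cue to check the kernel and iptables, a "firewalld-config" verdict the cue to inspect /etc/firewalld.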