On 10/12/2015 10:17 AM, Gordon Messmer wrote:
On 10/11/2015 03:00 PM, Emmett Culley wrote:
I just noticed that when rebooting a CentOS 7 server the firewall comes back up with both interfaces set to REJECT, instead of the eth1 interface set to ACCEPT as defined in 'permanent' firewalld configuration files.
Rather than paraphrasing, could you show the specific rules, chains, or policies you're talking about? A standard firewalld rule set has the INPUT policy set to ACCEPT, with a terminal REJECT rule. An INPUT_ZONES table will direct to an IN_public table, with log, deny, and accept rules.
Typically, the only rule that references an interface is the one in INPUT_ZONES that "goto"s IN_public_allow. It is neither REJECT nor ACCEPT, so it's really hard to guess what you're seeing that you don't expect to see.
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Contents of iptables INPUT_ZONES upon reboot
-----------------------------------------------
[root@dev2 ~]# iptables -nL INPUT_ZONES
Chain INPUT_ZONES (1 references)
target     prot opt in     out     source               destination
IN_public  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
IN_public  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0
-----------------------------------------------
Contents of iptables INPUT_ZONES after running 'systemctl restart firewalld'
-----------------------------------------------
[root@dev2 ~]# iptables -nL INPUT_ZONES
Chain INPUT_ZONES (1 references)
target     prot opt in     out     source               destination
IN_trusted all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
IN_public  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0
-----------------------------------------------
I expect to see the second output upon reboot.
Emmett
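An added example, not code from the thread: a small POSIX shell check that parses an iptables -nL INPUT_ZONES dump of the kind shown above and reports whether each interface is dispatched to the IN_<zone> chain the permanent firewalld configuration is expected to produce, so boot-time drift like the one described can be caught rather than discovered after the fact. The eth0=public eth1=trusted mapping and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): compare the interface -> zone-chain
# dispatch that iptables actually holds with the binding the permanent
# firewalld configuration is expected to produce. Feed real output with:
#   iptables -nL INPUT_ZONES | check_bindings eth0=public eth1=trusted

# Print the IN_<zone> chain that INPUT_ZONES dispatches for interface $1,
# reading `iptables -nL INPUT_ZONES` output on stdin. First matching rule
# wins, so the "+" wildcard row applies only when no explicit row precedes it.
zone_of_iface() {
    awk -v ifc="$1" '$1 ~ /^IN_/ && ($4 == ifc || $4 == "+") { print $1; exit }'
}

# For each iface=zone argument, check that INPUT_ZONES (on stdin) sends that
# interface to IN_<zone>. Returns 0 when all match, 1 when any has drifted.
check_bindings() {
    dump=$(cat)
    rc=0
    for pair in "$@"; do
        ifc=${pair%%=*}
        want="IN_${pair#*=}"
        got=$(printf '%s\n' "$dump" | zone_of_iface "$ifc")
        if [ "$got" = "$want" ]; then
            echo "OK    $ifc -> $got"
        else
            echo "DRIFT $ifc -> ${got:-<none>} (expected $want)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the post-reboot INPUT_ZONES dump quoted in the thread,
# where eth1 lands in IN_public instead of IN_trusted.
SAMPLE_AFTER_REBOOT='Chain INPUT_ZONES (1 references)
target     prot opt in     out     source               destination
IN_public  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
IN_public  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0'

# Assumed expected binding (eth1 in the trusted zone per the permanent config).
printf '%s\n' "$SAMPLE_AFTER_REBOOT" | check_bindings eth0=public eth1=trusted \
    || echo "zone binding drift: runtime state does not match permanent config"
```

Run it from a boot-time unit or a monitoring check and compare the result with firewall-cmd --get-active-zones to see which side is wrong.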