I just noticed that when rebooting a CentOS 7 server the firewall comes back up with both interfaces set to REJECT, instead of the eth1 interface set to ACCEPT as defined in 'permanent' firewalld configuration files.
All servers are up to date.
By "just noticed" I mean that I finally investigated why a newly rebooted VM failed to allow NFS connections. Prior to doing that, I'd been stopping the firewall to get access, then restarting the firewall after setting the eth1 interface to ACCEPT. This time I took a look at iptables and found that eth1 was set to REJECT before I stopped the firewall. It was obvious that firewalld had been started by systemd, because the output of iptables -nvL had the same set of rules you can see when firewalld is restarted, except that after restart interface eth1 is set to ACCEPT.
I assume there must be a different set of configuration files that are accessed upon reboot than those accessed upon firewalld restart.
Note that all CentOS 7 machines (VM and hardware) in our data center have this same issue.
Anyone know where and what those files are?
Emmett
On Sun, 2015-10-11 at 15:00 -0700, Emmett Culley wrote:
> I assume there must be a different set of configuration files that are accessed upon reboot than those accessed upon firewalld restart.
The saved rules are under /etc/firewalld/zones. The rules for the default zone should be the ones loaded. The default zone is defined in /etc/firewalld/firewalld.conf.
On Mon, 12 Oct 2015, Ian Mortimer wrote:
> On Sun, 2015-10-11 at 15:00 -0700, Emmett Culley wrote:
> > I assume there must be a different set of configuration files that are accessed upon reboot than those accessed upon firewalld restart.
> The saved rules are under /etc/firewalld/zones. The rules for the default zone should be the ones loaded. The default zone is defined in /etc/firewalld/firewalld.conf.
It may be worth noting that most firewalld changes require two invocations of firewall-cmd, one with "--permanent" and one without:
    # this makes an immediate change that will not last past next
    # reboot or service restart
    firewall-cmd --zone="public" --set-target="ACCEPT"

    # this makes no immediate change, but it will take effect at
    # next reboot or service restart
    firewall-cmd --zone="public" --set-target="ACCEPT" --permanent
On 10/11/2015 03:00 PM, Emmett Culley wrote:
> I just noticed that when rebooting a CentOS 7 server the firewall comes back up with both interfaces set to REJECT, instead of the eth1 interface set to ACCEPT as defined in 'permanent' firewalld configuration files.
Rather than paraphrasing, could you show the specific rules, chains, or policies you're talking about? A standard firewalld rule set has the INPUT policy set to ACCEPT, with a terminal REJECT rule. An INPUT_ZONES table will direct to an IN_public table, with log, deny, and accept rules.
Typically, the only rule that references an interface is the one in INPUT_ZONES that "goto"s IN_public_allow. It is neither REJECT nor ACCEPT, so it's really hard to guess what you're seeing that you don't expect to see.
On 10/12/2015 10:17 AM, Gordon Messmer wrote:
> On 10/11/2015 03:00 PM, Emmett Culley wrote:
> > I just noticed that when rebooting a CentOS 7 server the firewall comes back up with both interfaces set to REJECT, instead of the eth1 interface set to ACCEPT as defined in 'permanent' firewalld configuration files.
> Rather than paraphrasing, could you show the specific rules, chains, or policies you're talking about? A standard firewalld rule set has the INPUT policy set to ACCEPT, with a terminal REJECT rule. An INPUT_ZONES table will direct to an IN_public table, with log, deny, and accept rules.
> Typically, the only rule that references an interface is the one in INPUT_ZONES that "goto"s IN_public_allow. It is neither REJECT nor ACCEPT, so it's really hard to guess what you're seeing that you don't expect to see.
> CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Contents of iptables INPUT_ZONE upon reboot
-----------------------------------------------
[root@dev2 ~]# iptables -nL INPUT_ZONES
Chain INPUT_ZONES (1 references)
target     prot opt in     out    source               destination
IN_public  all  --  eth0   *      0.0.0.0/0            0.0.0.0/0
IN_public  all  --  eth1   *      0.0.0.0/0            0.0.0.0/0
IN_public  all  --  +      *      0.0.0.0/0            0.0.0.0/0
-----------------------------------------------
Contents of iptables INPUT_ZONE after running 'systemctl restart firewalld'
-----------------------------------------------
[root@dev2 ~]# iptables -nL INPUT_ZONES
Chain INPUT_ZONES (1 references)
target     prot opt in     out    source               destination
IN_trusted all  --  eth1   *      0.0.0.0/0            0.0.0.0/0
IN_public  all  --  eth0   *      0.0.0.0/0            0.0.0.0/0
IN_public  all  --  +      *      0.0.0.0/0            0.0.0.0/0
-----------------------------------------------
I expect to see the second output upon reboot.
Emmett
On 10/12/2015 10:03 PM, Gordon Messmer wrote:
> On 10/12/2015 06:23 PM, Emmett Culley wrote:
> > I expect to see the second output upon reboot.
> Thanks, that's a lot more clear. Weird, though. Does /etc/sysconfig/network-scripts/ifcfg-eth1 specify a "ZONE="? Are you using the "network" or the "NetworkManager" service?
I never use NetworkManager except on portable machines. Can't see the need.
Here are the configuration files:
NAME="eth0"
HWADDR=52:54:00:76:0D:7F
ONBOOT=yes
UUID="8ab7ac2c-c089-4f9f-bb65-1abb781fe912"
IPV6INIT=no
BOOTPROTO=none
TYPE=Ethernet
IPADDR=96.92.106.4
PREFIX=29
GATEWAY=96.92.106.6
NOZEROCONF=yes
and
NAME="eth1"
HWADDR=52:54:00:B3:03:66
ONBOOT=yes
UUID="1d590cef-d5a2-400e-89e3-3c618f785c41"
IPV6INIT=no
BOOTPROTO=none
TYPE=Ethernet
IPADDR=192.168.6.222
PREFIX=24
DNS1=192.168.6.1
IPV4_FAILURE_FATAL=no
NOZEROCONF=yes
Emmett
On 10/13/2015 06:15 AM, Emmett Culley wrote:
> I never use NetworkManager except on portable machines. Can't see the need.
In that case, specify a ZONE in ifcfg-eth1.
If you look at ifup-eth, you'll see that firewall-cmd is called during interface configuration. If no zone is specified, the default is used. I believe that firewalld starts first, configures the firewall correctly, and then the "network" service starts later and sets both interfaces into the default zone.
If you specify ZONE=trusted in ifcfg-eth1, then it'll be placed into that zone.
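An added audit script, not from the thread, that follows Gordon's explanation: it reads each ifcfg-* file, reports which firewalld zone the interface will end up in at boot (ZONE= if set, otherwise DefaultZone from firewalld.conf), and flags interfaces that silently rely on the default zone. It assumes, as Gordon describes, that ifup-eth hands ZONE= to firewall-cmd; the sample files it creates are constructed and are not the real files from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: report which firewalld zone each
# ifcfg-* interface lands in at boot. Assumes (per Gordon) that ifup-eth
# passes ZONE= to firewall-cmd and that no ZONE= means the default zone.

# zone_for_ifcfg FILE DEFAULT_ZONE -> effective zone for that interface
zone_for_ifcfg() {
    zone=$(sed -n 's/^ZONE=//p' "$1" | tr -d '"' | tail -n 1)
    if [ -n "$zone" ]; then printf '%s\n' "$zone"; else printf '%s\n' "$2"; fi
}

# default_zone CONF -> DefaultZone= from firewalld.conf (public if unset)
default_zone() {
    dz=$(sed -n 's/^DefaultZone=//p' "$1" | tail -n 1)
    printf '%s\n' "${dz:-public}"
}

# audit_ifcfg_dir DIR CONF -> one "iface zone" line per interface;
# returns 1 if any interface (other than lo) relies on the default zone
audit_ifcfg_dir() {
    dir=$1 conf=$2 rc=0
    dz=$(default_zone "$conf")
    for f in "$dir"/ifcfg-*; do
        [ -f "$f" ] || continue
        name=$(sed -n 's/^NAME=//p' "$f" | tr -d '"' | tail -n 1)
        [ -n "$name" ] || name=${f##*/ifcfg-}
        [ "$name" = lo ] && continue
        if grep -q '^ZONE=' "$f"; then
            printf '%s %s (explicit ZONE=)\n' "$name" "$(zone_for_ifcfg "$f" "$dz")"
        else
            printf '%s %s (no ZONE=, default zone applies at boot)\n' "$name" "$dz"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample mirroring the thread: eth0 has no ZONE=, eth1 has
# ZONE=trusted. Against a real host use:
#   audit_ifcfg_dir /etc/sysconfig/network-scripts /etc/firewalld/firewalld.conf
SAMPLE=$(mktemp -d)
printf 'NAME="eth0"\nONBOOT=yes\nTYPE=Ethernet\n' > "$SAMPLE/ifcfg-eth0"
printf 'NAME="eth1"\nONBOOT=yes\nTYPE=Ethernet\nZONE=trusted\n' > "$SAMPLE/ifcfg-eth1"
printf 'DefaultZone=public\n' > "$SAMPLE/firewalld.conf"
if audit_ifcfg_dir "$SAMPLE" "$SAMPLE/firewalld.conf"; then
    echo "every interface names a zone explicitly"
else
    echo "warning: interfaces without ZONE= will be moved to the default zone at boot"
fi
```

On a live host, compare the script's verdict with what firewalld currently holds via firewall-cmd --get-zone-of-interface=eth1, which shows the runtime assignment rather than what the next boot will produce.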