[CentOS] Firewalld

Emmett Culley lst_manage at webengineer.com
Tue Oct 13 01:23:11 UTC 2015


On 10/12/2015 10:17 AM, Gordon Messmer wrote:
> On 10/11/2015 03:00 PM, Emmett Culley wrote:
>> I just noticed that when rebooting a CentOS 7 server the firewall comes back up with both interfaces set to REJECT, instead of the eth1 interface set to ACCEPT as defined in 'permanent' firewalld configuration files.
> 
> Rather than paraphrasing, could you show the specific rules, chains, or policies you're talking about?  A standard firewalld rule set has the INPUT policy set to ACCEPT, with a terminal REJECT rule.  An INPUT_ZONES table will direct to an IN_public table, with log, deny, and accept rules.
> 
> Typically, the only rule that references an interface is the one in INPUT_ZONES that "goto"s IN_public_allow.  It is neither REJECT nor ACCEPT, so it's really hard to guess what you're seeing that you don't expect to see.
> 

Contents of iptables INPUT_ZONES upon reboot

-----------------------------------------------
[root at dev2 ~]# iptables -nL INPUT_ZONES
Chain INPUT_ZONES (1 references)
target     prot opt in     out     source               destination         
IN_public  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
IN_public  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
IN_public all  -- +      *       0.0.0.0/0            0.0.0.0/0           

-----------------------------------------------

Contents of iptables INPUT_ZONES after running 'systemctl restart firewalld'

-----------------------------------------------
[root at dev2 ~]# iptables -nL INPUT_ZONES
Chain INPUT_ZONES (1 references)
target     prot opt in     out     source               destination         
IN_trusted  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
IN_public  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           

-----------------------------------------------

I expect to see the second output upon reboot.

Emmett
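A defender-side check for the divergence shown in the two listings above, added here as an example and not part of the original thread: it parses an `iptables -nL INPUT_ZONES` listing into an interface-to-target mapping and compares it against the mapping the permanent configuration is supposed to produce. Both the sample listing and the expected mapping are constructed from the post; on a live host the listing would be piped in from `iptables -nL INPUT_ZONES`.

```shell
#!/bin/sh
# Constructed sample: the INPUT_ZONES chain as printed right after reboot
# (mirrors the first listing in the post; eth1 has fallen back to IN_public).
SAMPLE_AFTER_REBOOT='Chain INPUT_ZONES (1 references)
target     prot opt in     out     source               destination
IN_public  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
IN_public  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0'

# Expected mapping, i.e. what the permanent firewalld config declares (assumed).
EXPECTED='eth0=IN_public
eth1=IN_trusted'

# zone_map: read "iptables -nL INPUT_ZONES" output on stdin and print one
# "iface=target" line per named interface; the "+" catch-all rule is skipped.
zone_map() {
    awk '$2 == "all" && $4 != "+" { print $4 "=" $1 }'
}

# check_zones EXPECTED ACTUAL: print one "iface expected=X actual=Y" line per
# mismatch and return 1 if any interface is in the wrong zone chain, else 0.
check_zones() {
    expected="$1"; actual="$2"; rc=0
    for line in $expected; do
        iface=${line%%=*}; want=${line#*=}
        got=$(printf '%s\n' "$actual" | awk -F= -v i="$iface" '$1 == i { print $2; exit }')
        if [ "$got" != "$want" ]; then
            echo "$iface expected=$want actual=${got:-<none>}"
            rc=1
        fi
    done
    return $rc
}

# On a real CentOS 7 host this is the call to run after boot:
#   check_zones "$EXPECTED" "$(iptables -nL INPUT_ZONES | zone_map)"
```

Run it from a post-boot unit or cron job so a silent fallback of an interface into the default zone is reported instead of discovered by accident.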
