[CentOS] Firewalld

Emmett Culley lst_manage at webengineer.com
Thu Jan 28 20:09:35 UTC 2016


These machines have only had firewalld configured.  Currently firewalld version 0.3.9-14.el7 is installed, and in this particular case, the server is fully up to date.  If I run iptables -nvL I see this for the first chain:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 766K   72M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   75  5514 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
79630 5463K INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
79630 5463K INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
79630 5463K INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  956 78983 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
 2792  142K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

So firewalld was definitely used to generate the rules in iptables.  And indeed systemd starts it upon reboot.  It looks like only the GUI has a problem reading the configuration.  Note that the GUI does show that firewalld is connected.

There are other machines that have this same issue. Were there changes to config file locations, or permissions, as I know the GUI worked just find until just recently.  

Emmett

On 01/28/2016 11:58 AM, Gordon Messmer wrote:
> On 01/28/2016 11:26 AM, Emmett Culley wrote:
>> To my surprise, except for the interface definition for public and trusted zones, nothing seemed to be configured.  That is, none of the services were checked off that we want open at the firewall.  Also, this server is a gateway and masquerading and forwarding appears to be off as well.
> 
> Firewalld doesn't read the iptables state of the system, it relies on its own representation of the desired configuration.  You or another admin may have configured the iptables rules on that host using a service other than firewalld.  For instance, you may have added rules to /etc/sysconfig/{iptables,ip6tables} and run the "iptables" service.  In that case, firewalld would have no information about the rules that are present.  Check there first, then decide if you want to continue supporting that configuration or migrate to firewalld.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
> 




More information about the CentOS mailing list