| Summary: | firewalld not properly supporting samba & ftp from ver 0.4.4.1-1.fc24 | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | dan |
| Component: | firewalld | Assignee: | Thomas Woerner <twoerner> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 24 | CC: | dan, Jeroen.Huisman, joe, johncwoods, michael.finn.jorgensen, phceac, twoerner |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-11-22 11:40:29 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
|
Description
dan
2016-11-16 22:55:02 UTC
On further check, the situation seems to be more serious. Samba cannot be accessed from the network when firewalld is running, disabling firewalld allows access. Will see if I can gather some additional info. Iptables output does not show that firewalld has inserted a rule for samba, ie ports 139/tcp, 445/tcp, etc. Now I also see that trying to uncheck samba from the FedoraServer policy also triggers the error as above. I next used firewalld to create an samba-workaround object with the proper ports, then reloaded firewalld. Reload of firewalld also shows: Nov 16 19:53:13 ears.private firewalld[3934]: WARNING: INVALID_HELPER: 'nf_conntrack_netbios_ns' not available in kernel I next selected samba-workaround in the FedoraServer policy and it created the rules in iptables. Issue worked around but obviously a serious problem for anyone running firewalld and samba. The issue began today after a dnf upgrade: Nov 16 12:32:52 DEBUG ---> Package firewalld.noarch 0.4.3.3-1.fc24 will be upgraded Nov 16 12:32:52 DEBUG ---> Package firewalld.noarch 0.4.4.1-1.fc24 will be an upgrade Nov 16 12:32:52 DEBUG ---> Package firewalld-filesystem.noarch 0.4.3.3-1.fc24 will be upgraded Nov 16 12:32:52 DEBUG ---> Package firewalld-filesystem.noarch 0.4.4.1-1.fc24 will be an upgrade ftp also affected with similar error, unable to load nf_conntrack_ftp, not in kernel. Modprobe of modules prior to starting firewalld does not help. Added info: A "systemctl status firewalld" results in: Nov 17 11:21:55 bilbo systemd[1]: Starting firewalld - dynamic firewall daemon... Nov 17 11:22:01 bilbo systemd[1]: Started firewalld - dynamic firewall daemon. Nov 17 11:22:15 bilbo firewalld[724]: WARNING: INVALID_HELPER: 'nf_conntrack_ftp' not available in kernel Nov 17 11:22:17 bilbo firewalld[724]: WARNING: INVALID_HELPER: 'nf_conntrack_netbios_ns' not available in kernel Identical issue on Fedora 24 kernel 4.8.8-200.fc24.armv7hl Upgraded: Nov 21 10:21:22 DEBUG ---> Package firewall-config.noarch 0.4.3.3-1.fc24 will be upgraded Nov 21 10:21:22 DEBUG ---> Package firewall-config.noarch 0.4.4.1-1.fc24 will be an upgrade Nov 21 10:21:22 DEBUG ---> Package firewalld.noarch 0.4.3.3-1.fc24 will be upgraded Nov 21 10:21:22 DEBUG ---> Package firewalld.noarch 0.4.4.1-1.fc24 will be an upgrade Nov 21 10:21:22 DEBUG ---> Package firewalld-filesystem.noarch 0.4.3.3-1.fc24 will be upgraded Nov 21 10:21:22 DEBUG ---> Package firewalld-filesystem.noarch 0.4.4.1-1.fc24 will be an upgrade *** This bug has been marked as a duplicate of bug 1394597 *** |