Bug 1531545
| Summary: | [RFE] Flush all the rules of firewalld using a single command. | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Akhil John <ajohn> |
| Component: | firewalld | Assignee: | Eric Garver <egarver> |
| Status: | CLOSED WONTFIX | QA Contact: | qe-baseos-daemons |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 8.0 | CC: | atragler, jnikolak, mstuff, pasik, redhat, rkhan, todoleza |
| Target Milestone: | rc | Keywords: | FutureFeature |
| Target Release: | 8.1 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-01-08 07:26:20 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Akhil John
2018-01-05 13:17:09 UTC
Indeed there's no possibility to apply default configuration without unloading modules, that's when the default is applied by restarting the whole service. and `--complete-reload` leaves e.g. direct rules in place I think you're looking for a command line: $ firewalld --permanent --reset-to-defaults Is that true? Yes Copying relevant files from /usr/lib/firewalld/zones to /etc/firewalld/zones seemed to do the trick for me. Hope I'm correct... (In reply to morgan read from comment #6) > Copying relevant files from /usr/lib/firewalld/zones to /etc/firewalld/zones > seemed to do the trick for me. Hope I'm correct... If items in /etc/firewalld don't exist the defaults from /usr/lib/firewalld will be used. Copying them is okay. You could have simply removed the zones in /etc/firewalld/zones instead. This solution definitely does work and I've tested it.
@localhost /]# rm -rf /etc/firewalld/zones/
@localhost /]# cp -r /usr/lib/firewalld/zones /etc/firewalld/zones
@localhost /]# firewall-cmd --reload
@localhost /]# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s25
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
@localhost /]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2019-09-24 12:30:08 AEST; 5min ago
Docs: man:firewalld(1)
Main PID: 30469 (firewalld)
CGroup: /system.slice/firewalld.service
└─30469 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid
Sep 24 12:30:08 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Sep 24 12:30:08 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
RFE could perhaps attach a firewall-cmd command that would run the commands below. It could be with a backup-directory option, which is less crude.
#!/usr/bin/bash
rm -rf /etc/firewalld/zones/
cp -r /usr/lib/firewalld/zones /etc/firewalld/zones
firewall-cmd --reload
echo "Default Firewalld has been applied"
systemctl status firewalld
(In reply to jnikolak from comment #9) > This solution definitely does work and I've tested it. [..] > RFE could perhaps attach a firewall-cmd command that would run the commands > below. It could be with a backup-directory option, which is less crude. > > #!/usr/bin/bash > rm -rf /etc/firewalld/zones/ > cp -r /usr/lib/firewalld/zones /etc/firewalld/zones The copy is not necessary. Firewalld will do the copy itself when the user modifies one of the built-in zones. But the directory /etc/firewalld/zones should remain. The first line should be rm -rf /etc/firewalld/zones/* > firewall-cmd --reload > echo "Default Firewalld has been applied" > systemctl status firewalld There are also other user configs for services, helpers, etc under /etc/firewalld. But those only have an effect if referenced from a zone. (In reply to Eric Garver from comment #10) > There are also other user configs for services, helpers, etc under > /etc/firewalld. But those only have an effect if referenced from a zone. There is also /etc/firewalld/firewalld.conf. It _should_ be possible to also delete firewalld.conf and firewalld will use the defaults. Although I've not verified this. After evaluating this issue, there are no plans to address it further or fix it in an upcoming release. Therefore, it is being closed. If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened. Since it's not a built-in feature, this simple script works for me. YMMV
# cat clear-all-fw-rules
firewall-cmd --list-all --permanent | grep family | tr '\011' ' ' | \
while read -r LINE
do
echo -n "${LINE}":
firewall-cmd --remove-rich-rule="${LINE}" --permanent
done
# ./clear-all-fw-rules
rule family="ipv4" source address="221.150.141.252/24" log level="warning" drop:success
rule family="ipv4" source address="139.162.205.145/24" log level="warning" drop:success
rule family="ipv4" source address="185.162.235.162/24" log level="warning" drop:success
..
Description of problem:
Firewalld doesn't have a single command to flush all the rules like that we have with #iptables -F so that the firewalld will be back to the default state.
-F, --flush [chain]
Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.
|