Bug 876390

Summary: enabling firewalld on an existing system kills ssh and will not enable it
Product: [Fedora] Fedora
Reporter: Matthew Miller <mattdm>
Component: firewalld
Assignee: Thomas Woerner <twoerner>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: jpopelka, twoerner
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-11-21 13:31:55 UTC
Type: Bug

Description Matthew Miller 2012-11-14 00:57:58 UTC
Description of problem:

Logged into my test machine via ssh. Installed firewalld, and did systemctl enable firewalld.

Not surprisingly, my ssh connection immediately froze. Okay, fair enough.

Got console access. Typed

  firewall-cmd --add-service=ssh

Got back "warning: ALREADY_ENABLED"

SSH session still not responsive. Force-disconnected it. Still can't ssh in, though: "No route to host". 

Went back to console. Ran "iptables -F", which worked. (Obviously that's not the ideal state for a firewall and I'm sure a less-drastic manual rule would have worked as well.)



Version-Release number of selected component (if applicable):

firewalld-0.2.9-1.fc18.noarch

How reproducible:

Always


Steps to Reproduce:
1. install clean system without firewalld
2. install firewalld
  
Actual results:

ssh cannot be enabled

Expected results:

Not surprised to see initial connection dropped. Surprised that enable doesn't work.

Additional info:

Comment 1 Jiri Popelka 2012-11-14 15:40:31 UTC
(In reply to comment #0)
> did systemctl enable firewalld.

'systemctl enable' AFAIK just makes the symlinks, it doesn't start the service.
Did you mean 'systemctl start' ?

Anyway, neither 'systemctl enable' nor 'systemctl start' freezes the connection in my case. Can't see what I do differently.

> Steps to Reproduce:
> 1. install clean system without firewalld

I thought firewalld was in the minimal install in F18.

Comment 2 Jiri Popelka 2012-11-14 16:00:40 UTC
firewalld is actually enabled by default [1] when you install it, so 'systemctl enable firewalld.service' does nothing.

[1] https://fedoraproject.org/wiki/Starting_services_by_default

Comment 3 Matthew Miller 2012-11-14 20:28:33 UTC
(In reply to comment #1)
> 'systemctl enable' AFAIK just makes the symlinks, it doesn't start the
> service.
> Did you mean 'systemctl start' ?

Yes, sorry.

> > Steps to Reproduce:
> > 1. install clean system without firewalld
> I thought firewalld was in the minimal install in F18.

It is installed by anaconda but isn't in the @core group, so it isn't currently added by tools like appliance-creator. Conceivably, we could have a minimal JEOS image which doesn't have it, but someone might want to add it later -- that's the specific case I'm worried about here.

Comment 4 Matthew Miller 2012-11-21 13:31:55 UTC
Ah. I'm not running NetworkManager.

*** This bug has been marked as a duplicate of bug 821938 ***