Bug 929385

| Summary: | Firewalld rules are not saved permanently and will not survive a reboot | | |
|---|---|---|---|
| Product: | Fedora | Reporter: | Robert Vastenhoud <rvastenhoud> |
| Component: | firewalld | Assignee: | Thomas Woerner <twoerner> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 18 | CC: | jpopelka, twoerner |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-04-03 09:51:10 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Robert Vastenhoud
2013-03-30 10:36:05 UTC
That's strange, I haven't seen any similar problem before. The --permanent option just modifies XML configuration files (in /etc/firewalld/), which are loaded during (re)start/reload. So there could either be a problem in 'firewall-cmd --permanent' wrongly modifying the XML files or in firewalld itself wrongly interpreting them. I need you to:

- add the --debug option to FIREWALLD_ARGS in /etc/sysconfig/firewalld so the line looks like 'FIREWALLD_ARGS=--debug'
- systemctl restart firewalld
- check the content of /etc/firewalld/zones/public.xml
- make some modification with firewall-cmd --permanent --zone=public ...
- check the content of /etc/firewalld/zones/public.xml again
- systemctl restart firewalld
- check /var/log/firewalld to see if there are any errors/warnings

Please report any oddities you'll encounter. Also, the public zone by default allows ssh, mdns and dhcpv6-client. Given that there are no services when you reboot ... had you removed these somehow? Do you remember any other customizations you had made?

Extra information: I installed Fedora as a minimum install: no desktop manager etc., SELinux is permissive and targeted. After a reboot I indeed can only log on with ssh via console. Port 22 is also blocked after the reboot, because of the not saved rules. If I --add-service=ssh I can log on again, until the next reboot... I changed the setting to debug mode in /etc/system/firewalld. The server I am using is a 2 function server: dhcp and dns (Bind).

Reproduction of the bug:

1. remove the public.* files in /etc/firewalld/zones
2. firewall-cmd --zone=public --list-all gives me:

       public
         interfaces:
         services: mdns dhcpv6-client ssh
         ports:
         forward-ports:
         icm-blocks:

   the zone directory is empty (duh).
3. adding the services in the firewall: firewall-cmd --permanent --zone=public --add-service=dns

   ls /etc/firewalld/zones gives:

       -rw-r--r--. root root 363 Apr 3 public.xml

4. now the problem starts: firewall-cmd --permanent --zone=public --add-service=dhcp gives no error whatsoever. ls /etc/firewalld/zones gives:

       -rw-r--r--. Root Root 388 Apr 3 public.xml
       -rw-r--r--. Root Root 363 Apr 3 public.xml.old

   So the file is updated. Contents of the public.xml file:

       <service name="dhcp"/>
       <service name="mdns"/>
       <service name="dhcpv6-client"/>
       <service name="dns"/>
       <service name="ssh"/>

   That looks good. But there is a problem with the dhcp service: if I want to unblock the dhcp service with firewall-cmd --zone=public --add-service=dhcp I get the error: INVALID_SERVICE: dhcp. If I restart the firewalld service all the rules are gone.

So in my opinion 3 things have to be corrected and done:

1. if you add a service that is an unknown service, firewall-cmd should not add this rule to the .xml files.
2. if you want to add an unknown service, firewall-cmd must give a warning (duh)
3. if an unknown service is added in the .xml file, all other rules must still be valid and added in firewalld, and the unknown service must be skipped.

So actually the rules are saved. But due to an unknown or misconfigured service they are deleted in the firewall itself, deleting all other rules.

Thanks for the investigation Robert! This is a duplicate of bug #909466 and it has already been fixed upstream. I'll back-port the fix(es) to Fedora 18.

*** This bug has been marked as a duplicate of bug 909466 ***
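The thread above traces the symptom to a `<service name="dhcp"/>` entry in the permanent zone XML that the firewalld of that version could not resolve, after which the whole zone configuration was dropped on restart. As an added example, not part of this bug report or of firewalld itself, here is a small POSIX shell check that cross-references the services named in a zone file against the service definition directories, so an undefined service can be caught before `systemctl restart firewalld` rather than after the rules have vanished. It assumes firewalld's on-disk layout of one `<name>.xml` per service under /usr/lib/firewalld/services and /etc/firewalld/services; the sample zone and service files it builds in a temporary directory are constructed to mirror the listing in the report and are not real system files.

```shell
#!/bin/sh
# Added example, not from the bug report or from firewalld.
# Assumed layout: zone file such as /etc/firewalld/zones/public.xml;
# service definitions as <name>.xml in /usr/lib/firewalld/services and
# /etc/firewalld/services (a file in either directory counts as defined).

# zone_unknown_services ZONE_XML SERVICE_DIR...
# Prints each service referenced by the zone that has no definition file,
# one per line. Returns 0 if every service is defined, 1 otherwise, so it
# can gate a restart: zone_unknown_services ... && systemctl restart firewalld
zone_unknown_services() {
    zone="$1"; shift
    found=0
    # Pull name="..." out of every <service .../> element. grep -o handles
    # several elements on one line, which sed -n 's/.../p' would not.
    for svc in $(grep -o '<service[^>]*name="[^"]*"' "$zone" |
                 sed 's/.*name="\([^"]*\)".*/\1/'); do
        defined=0
        for dir in "$@"; do
            [ -f "$dir/$svc.xml" ] && defined=1
        done
        if [ "$defined" -eq 0 ]; then
            printf '%s\n' "$svc"
            found=1
        fi
    done
    return "$found"
}

# make_sample_zone: build a constructed fixture in a temp dir and print its
# path. Service definitions exist for mdns, dhcpv6-client, dns and ssh only;
# the zone also names "dhcp", mirroring the report's INVALID_SERVICE case.
make_sample_zone() {
    d=$(mktemp -d)
    mkdir -p "$d/services"
    for s in mdns dhcpv6-client dns ssh; do
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service/>\n' \
            > "$d/services/$s.xml"
    done
    cat > "$d/public.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="dhcp"/>
  <service name="mdns"/>
  <service name="dhcpv6-client"/>
  <service name="dns"/>
  <service name="ssh"/>
</zone>
EOF
    printf '%s\n' "$d"
}

# Stand-alone run against the constructed fixture.
sample=$(make_sample_zone)
if zone_unknown_services "$sample/public.xml" "$sample/services"; then
    echo "all services in the zone are defined"
else
    echo "the services listed above have no definition; fix before restart"
fi
rm -rf "$sample"
```

On a real host the call is `zone_unknown_services /etc/firewalld/zones/public.xml /usr/lib/firewalld/services /etc/firewalld/services`; a non-zero exit means the permanent configuration references something firewalld will not be able to load.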