Hello, I've been running firewalld-0.3.3-2 under Fedora 19. I created some rules with firewall-cmd to allow SSH and HTTP access. Everything works ok. Today I updated to firewalld-0.3.9.3-1. Now there is no SSH or HTTP access to the machine. Reverting to firewalld-0.3.3-2 fixes the problem. With firewalld-0.3.3-2: [root@green log]# firewall-cmd --state running [root@green log]# firewall-cmd --get-zones work drop internal external trusted home dmz public block [root@green log]# firewall-cmd --get-services cluster-suite kpasswd bacula-client smtp ipp radius mysql ms-wbt bacula transmission-client ftp mdns samba dhcpv6-client rpc-bind ldaps https ldap imaps samba-client vnc-server http dns ntp kerberos telnet libvirt openvpn ssh ipsec postgresql ipp-client amanda-client mountd tftp-client nfs tftp pop3s libvirt-tls [root@green log]# With firewalld-0.3.9.3-1: [root@green log]# firewall-cmd --state not running [root@green log]# systemctl status firewalld firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled) Active: active (running) since Mon 2014-03-10 18:39:25 EST; 9min ago Main PID: 4055 (firewalld) CGroup: name=systemd:/system/firewalld.service └─4055 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid Mar 10 18:39:24 green.hackvana.com systemd[1]: Starting firewalld - dynamic firewall daemon... Mar 10 18:39:25 green.hackvana.com systemd[1]: Started firewalld - dynamic firewall daemon. Mar 10 18:47:12 green.hackvana.com systemd[1]: Started firewalld - dynamic firewall daemon. [root@green log]# firewall-cmd --get-zones [root@green log]# firewall-cmd --get-services [root@green log]# firewall-cmd --get-icmptypes [root@green log]# firewall-cmd --list-all-zones [root@green log]# firewall-cmd --get-default-zone [root@green log]# firewall-cmd --get-active-zones [root@green log]# I believe the original service definitions were created with: firewall-cmd --add-service=http firewall-cmd --permanent --add-service=http firewall-cmd --add-service=ssh firewall-cmd --permanent --add-service=ssh That's what the man page says to do. I didn't do anything fancier than that (no rich rules or anything) I'm running systemctl restart firewalld after changing the version of firewalld. There's nothing in /var/log/messages to suggest that firewalld didn't like its input. This problem is completely reproducable on this host: One version works, the other doesn't. I presume there's something in the firewalld config on the host that the newer firewalld doesn't like. I have no idea where to look, or why firewalld doesn't like it (where does firewalld log to?) I'm not a firewalld expert and don't want to be. I'm happy to run commands and paste output here in order to help debug the problem. This bug seems superficially similar to bug 1053878 in that updating triggers it. That bug has been marked as a duplicate of bug 1056154. I think this bug is not the same as bug 1056154, because I'm not using firewall-config (the machine is headless).
(In reply to Mitch Davis from comment #0) > I presume there's something in the firewalld config on the host that the > newer firewalld doesn't like. Yes, IMHO firewalld doesn't even load the configuration properly. > I have no idea where to look, or why > firewalld doesn't like it (where does firewalld log to?) logs are in /var/log/firewalld If you don't see anything strange in these logs, stop firewalld with # systemctl stop firewalld.service and try to run it with debugging info enabled: # firewalld --nofork --debug or even # firewalld --nofork --debug=2 save the output to file and attach it here. It'd also be great if you could make a tarball of your /etc/firewalld/ and attach it here.
I've just tried to # remove firewalld and all its configuration # install firewalld-0.3.3-2.fc19 # firewall-cmd --permanent --add-service=http # firewall-cmd --permanent --add-service=ssh # restart # update to firewalld-0.3.9.3-1.fc19 # restart and everything seems to be OK, so I really need to see the above requested info. Thanks.
Noted, I'll get the information and post it here.
Created attachment 873264 [details] A log of firewalld experiments
Created attachment 873265 [details] Files from /etc/firewalld
I've added the information as requested. The firewalld-0.3.3-2 non-fatal errors are interesting, as is the fatal firewalld-0.3.9.3-1 error. Please let me know if you'd like more information.
Could you show me output of # rpm -q iptables # uname -r Do you see any change when you add IPv6_rpfilter=no into /etc/firewalld/firewalld.conf
Created attachment 875039 [details] iptables with different versions of firewalld
Created attachment 875051 [details] Trying IPv6_rpfilter=no
With IPv6_rpfilter=no, I no longer get the errors, the state says "running", and I'm not locked out of the website.
Thanks. (In reply to Mitch Davis from comment #4) > Created attachment 873264 [details] > '/sbin/ip6tables -t raw -I PREROUTING 2 -m rpfilter --invert -j DROP' failed: > ip6tables: No chain/target/match by that name. There seems to be some problem with ip6tables' raw table or the ip6t_rpfilter module. When there's IPv6_rpfilter=yes in firewalld.conf we do: # ip6tables -t raw -I PREROUTING 1 -p icmpv6 --icmpv6-type=router-advertisement -j ACCEPT # ip6tables -t raw -I PREROUTING 2 -m rpfilter --invert -j DROP Strange is that only the second command fails, so I tend to think that it's some sort of ip6t_rpfilter module problem. (In reply to Mitch Davis from comment #8) > Created attachment 875039 [details] > # uname -r > 3.11.6-x86_64-linode35 Have you perhaps customized your kernel somehow ? (/me has no idea what the 'linode' means)
Linode is a large VPS company (http://www.linode.com) My understanding is that VPS instances are Xen clients, but I could be wrong. That kernel is the stock kernel that one gets with Fedora under Linode. Is there some additional information regarding iptables (and how firewalld is using it) that I can get for you?
Could you try these? # modprobe ip6t_rpfilter # lsmod | grep rpfilter # modinfo ip6t_rpfilter I made an upstream commit https://git.fedorahosted.org/cgit/firewalld.git/commit/?id=33bf3b95dfaad451645ec274b905fd72e7000729 which should sanitize the missing/wrong ip6t_rpfilter kernel module. If you're willing to help testing it, you can replace your /usr/lib/python2.7/site-packages/firewall/core/fw.py with https://git.fedorahosted.org/cgit/firewalld.git/plain/src/firewall/core/fw.py Then set IPv6_rpfilter=yes in firewalld.conf and restart firewalld. Thanks!
If you're willing to help testing the fix, grab one of .repo files from https://copr.fedoraproject.org/coprs/jpopelka/FirewallD/ copy it into /etc/yum.repos.d/ and run 'yum update'. If you're not happy with the testing package, downgrade back with # yum distro-sync 'firewall*' In any case, I'll be glad if can leave a note here. Thanks !
firewalld-0.3.10-1.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/firewalld-0.3.10-1.fc20
Package firewalld-0.3.10-1.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing firewalld-0.3.10-1.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-6834/firewalld-0.3.10-1.fc20 then log in and leave karma (feedback).
firewalld-0.3.10-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.