After upgrading from F28 to F29, when trying to add a service with firewall-cmd I get:

Error: COMMAND_FAILED: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore: line 2 failed

Trying to remove an existing rich rule I get:

Error: COMMAND_FAILED: UNKNOWN_ERROR: 'ip4tables' backend does not exist

I have ipv6 completely disabled on this machine. iptables and iptables-libs packages are installed. I've tried installing the iptables-nft and iptables-utils packages, which didn't help. Adding FirewallBackend=iptables and restarting firewalld as mentioned in #1614048 doesn't help.

Let me know what other info I can provide. Thanks
The error messages from systemctl status firewalld:

Nov 01 22:17:12 localhost firewalld[2559]: WARNING: iptables not usable, disabling IPv4 firewall.
Nov 01 22:17:12 localhost firewalld[2559]: ERROR: UNKNOWN_ERROR: 'ip4tables' backend does not exist
Nov 01 22:17:12 localhost firewalld[2559]: ERROR: COMMAND_FAILED: UNKNOWN_ERROR: 'ip4tables' backend does not exist
Nov 01 22:17:12 localhost firewalld[2559]: ERROR: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore v1.8.0 (legacy): goto 'PRE_FedoraWorkstation' is not a chain
Error occurred at line: 2
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
Nov 01 22:17:12 localhost firewalld[2559]: ERROR: COMMAND_FAILED: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore v1.8.0 (legacy): goto 'PRE_FedoraWorkstation' is not a chain
Error occurred at line: 2
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
iptables -L gives:

iptables v1.8.0 (legacy): can't initialize iptables table `filter': No child processes
Perhaps iptables or your kernel needs to be upgraded.
Just tried firewalld 0.6.3, which is currently in updates-testing, and the problem persists.

https://bodhi.fedoraproject.org/updates/FEDORA-2018-77c401b989
(In reply to Devin Henderson from comment #2)
> iptables -L gives:
>
> iptables v1.8.0 (legacy): can't initialize iptables table `filter': No child
> processes
> Perhaps iptables or your kernel needs to be upgraded.

This implies iptables is not functional - this means the problem is outside of firewalld.

Are you using a custom built kernel? It's possible the kernel doesn't have iptables support built-in.

In the Description you said you disabled IPv6.. how?

Are the iptables modules there? Try "sudo modprobe iptable_filter".
I have the same issue both using a custom kernel and using Fedora's kernel.
@Eric, yes, I'm on a custom kernel. I rebooted into the standard kernel today and sure enough that fixes it for me. Strange that @John is still having the issue on the standard kernel, though. I changed all of my iptables-related kernel configs to match Fedora's but that didn't help. What fixed it in the end was disabling CONFIG_BPFILTER in my custom kernel. It's working now for me. Thanks!
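A triage script for the "iptables not usable" path worked through in comments 4 to 6 (can the legacy iptables filter table be loaded at all, and does the kernel config explain why not), added here as an example; it is not part of the bug report, firewalld or Fedora. It assumes the running kernel's config is readable from /proc/config.gz or /boot/config-$(uname -r) (any plain-text .config path can be passed to check_kconfig instead). The config text inside sample_custom_kconfig is constructed to resemble a custom kernel built with bpfilter on, not copied from the reporter's machine, and all function names are my own; only the CONFIG_* symbols, modprobe and iptables are real.

```shell
#!/bin/sh
# Added example (not from the bug report or firewalld): triage for
# "WARNING: iptables not usable, disabling IPv4 firewall" (comment 1).
# Assumption: the kernel config is readable from /proc/config.gz or
# /boot/config-$(uname -r); any plain-text .config path also works.

# Print the running kernel's config as plain text, or fail if none is readable.
running_kconfig() {
    if [ -r /proc/config.gz ]; then
        gzip -dc /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        echo "no readable kernel config found" >&2
        return 1
    fi
}

# Check a kernel .config for the options the legacy iptables filter table needs,
# and flag CONFIG_BPFILTER, which the reporter had to turn off (comment 6).
# Returns 0 when nothing is wrong, 1 otherwise.
check_kconfig() {
    cfg="$1"
    rc=0
    for opt in CONFIG_NETFILTER CONFIG_NETFILTER_XTABLES CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER; do
        if grep -Eq "^$opt=(y|m)$" "$cfg"; then
            echo "ok:   $opt enabled"
        else
            echo "FAIL: $opt is not set (the iptables filter table cannot be loaded)"
            rc=1
        fi
    done
    if grep -q '^CONFIG_BPFILTER=y$' "$cfg"; then
        echo "FAIL: CONFIG_BPFILTER=y; the reporter's custom kernel only worked after disabling it"
        rc=1
    fi
    return $rc
}

# Live checks (need root): load the module and ask iptables for the filter
# table, which is what fails with "No child processes" in comment 2.
live_check() {
    modprobe iptable_filter || echo "modprobe iptable_filter failed"
    if iptables -L -n >/dev/null 2>&1; then
        echo "iptables can read the filter table"
    else
        echo "iptables cannot read the filter table:"
        iptables -L -n 2>&1 | head -n 2
    fi
    f=$(mktemp)
    if running_kconfig > "$f"; then
        check_kconfig "$f" || echo "kernel config needs attention (see FAIL lines above)"
    fi
    rm -f "$f"
}

# Constructed sample resembling a custom kernel built with bpfilter enabled;
# this is not the reporter's actual configuration.
sample_custom_kconfig() {
    cat <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_BPFILTER=y
CONFIG_BPFILTER_UMH=m
EOF
}

case "${1:-}" in
    --live) live_check ;;
    --demo)
        f=$(mktemp)
        sample_custom_kconfig > "$f"
        if check_kconfig "$f"; then
            echo "sample config looks fine"
        else
            echo "sample config would leave iptables unusable"
        fi
        rm -f "$f" ;;
esac
```

Run it with --demo to see the constructed config flagged, or with --live (as root) on the affected host; check_kconfig only reports, it never changes the running system.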
I have been able to determine that the issue on my end was unrelated to this issue, and was related to libvirtd.
I'll go ahead and close this. Thanks for the help!
Restarting firewalld in Fedora 30 results in this log spam, is this related?

Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table mangle --delete LIBVIRT_PRT --out-interface virbr0 --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill' failed: iptables: No chain/target/match by that name.
Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table nat --delete LIBVIRT_PRT --source 192.168.122.0/24 --destination 224.0.0.0/24 --jump RETURN' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table nat --delete LIBVIRT_PRT --source 192.168.122.0/24 --destination 255.255.255.255/32 --jump RETURN' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table nat --delete LIBVIRT_PRT --source 192.168.122.0/24 -p tcp ! --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535' failed: iptables: No chain/target/match by that name.
Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table nat --delete LIBVIRT_PRT --source 192.168.122.0/24 -p udp ! --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535' failed: iptables: No chain/target/match by that name.
Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table nat --delete LIBVIRT_PRT --source 192.168.122.0/24 ! --destination 192.168.122.0/24 --jump MASQUERADE' failed: iptables: No chain/target/match by that name.
Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWI --destination 192.168.122.0/24 --out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWO --source 192.168.122.0/24 --in-interface virbr0 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWX --in-interface virbr0 --out-interface virbr0 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWI --out-interface virbr0 --jump REJECT' failed: iptables: No chain/target/match by that name.
Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWO --in-interface virbr0 --jump REJECT' failed: iptables: No chain/target/match by that name.
Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_INP --in-interface virbr0 --protocol udp --destination-port 53 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_INP --in-interface virbr0 --protocol tcp --destination-port 53 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_OUT --out-interface virbr0 --protocol udp --destination-port 68 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_INP --in-interface virbr0 --protocol udp --destination-port 67 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_INP --in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Aug 22 14:49:17 storm firewalld[41236]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.2 (legacy): invalid port/service `all' specified#012Error occurred at line: 2#012Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Aug 22 14:49:17 storm firewalld[41236]: ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.2 (legacy): invalid port/service `all' specified#012Error occurred at line: 2#012Try `iptables-restore -h' or 'iptables-restore --help' for more information.
(In reply to RobbieTheK from comment #9)
> Restarting firewalld in Fedora 30 results in this log spam, is this related?

No.

> Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table mangle --delete LIBVIRT_PRT --out-interface virbr0 --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill' failed: iptables: No chain/target/match by that name.
> Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table nat --delete LIBVIRT_PRT --source 192.168.122.0/24 --destination 224.0.0.0/24 --jump RETURN' failed: iptables: Bad rule (does a matching rule exist in that chain?).
> Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table nat --delete LIBVIRT_PRT --source 192.168.122.0/24 --destination 255.255.255.255/32 --jump RETURN' failed: iptables: Bad rule (does a matching rule exist in that chain?).
> Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table nat --delete LIBVIRT_PRT --source 192.168.122.0/24 -p tcp ! --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535' failed: iptables: No chain/target/match by that name.
> Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table nat --delete LIBVIRT_PRT --source 192.168.122.0/24 -p udp ! --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535' failed: iptables: No chain/target/match by that name.
> Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table nat --delete LIBVIRT_PRT --source 192.168.122.0/24 ! --destination 192.168.122.0/24 --jump MASQUERADE' failed: iptables: No chain/target/match by that name.
> Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWI --destination 192.168.122.0/24 --out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
> Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWO --source 192.168.122.0/24 --in-interface virbr0 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
> Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWX --in-interface virbr0 --out-interface virbr0 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
> Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWI --out-interface virbr0 --jump REJECT' failed: iptables: No chain/target/match by that name.
> Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWO --in-interface virbr0 --jump REJECT' failed: iptables: No chain/target/match by that name.
> Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_INP --in-interface virbr0 --protocol udp --destination-port 53 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
> Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_INP --in-interface virbr0 --protocol tcp --destination-port 53 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
> Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_OUT --out-interface virbr0 --protocol udp --destination-port 68 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
> Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_INP --in-interface virbr0 --protocol udp --destination-port 67 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
> Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_INP --in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).

These warnings are "normal". libvirt is attempting to remove rules that don't exist. I think libvirt tries to delete any pre-existing rules before adding them again.

> Aug 22 14:49:17 storm firewalld[41236]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.2 (legacy): invalid port/service `all' specified#012Error occurred at line: 2#012Try `iptables-restore -h' or 'iptables-restore --help' for more information.
> Aug 22 14:49:17 storm firewalld[41236]: ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.2 (legacy): invalid port/service `all' specified#012Error occurred at line: 2#012Try `iptables-restore -h' or 'iptables-restore --help' for more information.

This looks like broken config. Are you using any direct rules?
> > Aug 22 14:49:17 storm firewalld[41236]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.2 (legacy): invalid port/service `all' specified#012Error occurred at line: 2#012Try `iptables-restore -h' or 'iptables-restore --help' for more information.
> > Aug 22 14:49:17 storm firewalld[41236]: ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.2 (legacy): invalid port/service `all' specified#012Error occurred at line: 2#012Try `iptables-restore -h' or 'iptables-restore --help' for more information.
>
> This looks like broken config. Are you using any direct rules?

No, I just used firewall-cmd rules. But here is iptables -nL:

iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
LIBVIRT_INP  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
INPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0
INPUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
INPUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
LIBVIRT_FWX  all  --  0.0.0.0/0            0.0.0.0/0
LIBVIRT_FWI  all  --  0.0.0.0/0            0.0.0.0/0
LIBVIRT_FWO  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_direct  all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_IN_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_IN_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_OUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_OUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
LIBVIRT_OUT  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
OUTPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination
FWDI_FedoraServer  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
FWDI_FedoraServer  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
FWDI_FedoraServer  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
FWDI_FedoraServer  all  --  0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination
FWDO_FedoraServer  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
FWDO_FedoraServer  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
FWDO_FedoraServer  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
FWDO_FedoraServer  all  --  0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_direct (1 references)
target     prot opt source               destination

Chain FWDI_FedoraServer (4 references)
target     prot opt source               destination
FWDI_FedoraServer_log  all  --  0.0.0.0/0            0.0.0.0/0
FWDI_FedoraServer_deny  all  --  0.0.0.0/0            0.0.0.0/0
FWDI_FedoraServer_allow  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0

Chain FWDI_FedoraServer_allow (1 references)
target     prot opt source               destination

Chain FWDI_FedoraServer_deny (1 references)
target     prot opt source               destination

Chain FWDI_FedoraServer_log (1 references)
target     prot opt source               destination

Chain FWDO_FedoraServer (4 references)
target     prot opt source               destination
FWDO_FedoraServer_log  all  --  0.0.0.0/0            0.0.0.0/0
FWDO_FedoraServer_deny  all  --  0.0.0.0/0            0.0.0.0/0
FWDO_FedoraServer_allow  all  --  0.0.0.0/0            0.0.0.0/0

Chain FWDO_FedoraServer_allow (1 references)
target     prot opt source               destination

Chain FWDO_FedoraServer_deny (1 references)
target     prot opt source               destination

Chain FWDO_FedoraServer_log (1 references)
target     prot opt source               destination

Chain INPUT_ZONES (1 references)
target     prot opt source               destination
IN_FedoraServer  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
IN_FedoraServer  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
IN_FedoraServer  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
IN_FedoraServer  all  --  0.0.0.0/0            0.0.0.0/0           [goto]

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain INPUT_direct (1 references)
target     prot opt source               destination
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22 match-set f2b-sshd src reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 1:65535 match-set f2b-recidive src reject-with icmp-port-unreachable

Chain IN_FedoraServer (4 references)
target     prot opt source               destination
IN_FedoraServer_log  all  --  0.0.0.0/0            0.0.0.0/0
IN_FedoraServer_deny  all  --  0.0.0.0/0            0.0.0.0/0
IN_FedoraServer_allow  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0

Chain IN_FedoraServer_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:631 ctstate NEW,UNTRACKED
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251          udp dpt:5353 ctstate NEW,UNTRACKED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:631 ctstate NEW,UNTRACKED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:631 ctstate NEW,UNTRACKED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW,UNTRACKED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 ctstate NEW,UNTRACKED

Chain IN_FedoraServer_deny (1 references)
target     prot opt source               destination

Chain IN_FedoraServer_log (1 references)
target     prot opt source               destination

Chain LIBVIRT_FWI (1 references)
target     prot opt source               destination

Chain LIBVIRT_FWO (1 references)
target     prot opt source               destination

Chain LIBVIRT_FWX (1 references)
target     prot opt source               destination

Chain LIBVIRT_INP (1 references)
target     prot opt source               destination

Chain LIBVIRT_OUT (1 references)
target     prot opt source               destination

Chain OUTPUT_direct (1 references)
target     prot opt source               destination
(In reply to RobbieTheK from comment #11)
> > > Aug 22 14:49:17 storm firewalld[41236]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.2 (legacy): invalid port/service `all' specified#012Error occurred at line: 2#012Try `iptables-restore -h' or 'iptables-restore --help' for more information.
> > > Aug 22 14:49:17 storm firewalld[41236]: ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.2 (legacy): invalid port/service `all' specified#012Error occurred at line: 2#012Try `iptables-restore -h' or 'iptables-restore --help' for more information.
> >
> > This looks like broken config. Are you using any direct rules?
>
> No, I just used firewall-cmd rules. But here is iptables -nL:

Someone or something (fail2ban ?) added direct rules. See below.
It's possible that's the source of the bad rule.

[..]
> Chain INPUT_direct (1 references)
> target     prot opt source               destination
> REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22 match-set f2b-sshd src reject-with icmp-port-unreachable
> REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 1:65535 match-set f2b-recidive src reject-with icmp-port-unreachable
(In reply to Eric Garver from comment #12)
> (In reply to RobbieTheK from comment #11)
> > > > Aug 22 14:49:17 storm firewalld[41236]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.2 (legacy): invalid port/service `all' specified#012Error occurred at line: 2#012Try `iptables-restore -h' or 'iptables-restore --help' for more information.
> > > > Aug 22 14:49:17 storm firewalld[41236]: ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.2 (legacy): invalid port/service `all' specified#012Error occurred at line: 2#012Try `iptables-restore -h' or 'iptables-restore --help' for more information.
> > >
> > > This looks like broken config. Are you using any direct rules?
> >
> > No, I just used firewall-cmd rules. But here is iptables -nL:
>
> Someone or something (fail2ban ?) added direct rules. See below.
> It's possible that's the source of the bad rule.
>
> [..]
> > Chain INPUT_direct (1 references)
> > target     prot opt source               destination
> > REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22 match-set f2b-sshd src reject-with icmp-port-unreachable
> > REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 1:65535 match-set f2b-recidive src reject-with icmp-port-unreachable

Yes indeed, it was Fail2ban and a setting with the pam-generic jail. If anyone comes across this thread: it was because of banaction_allports = firewallcmd-ipset, and removing that and just using the default fixed the issue.
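A way to find the offending direct rule before guessing at fail2ban settings, added here as an example; it is not part of the bug report, fail2ban or firewalld. Comments 10 to 13 establish that iptables-restore rejected a rule carrying the literal port `all` and that fail2ban's firewallcmd-ipset action had put direct rules into INPUT_direct. The script below reads direct rules in the one-per-line format printed by `firewall-cmd --direct --get-all-rules` (a real option), pulls out each `--dports` value and checks it the way the multiport match would. The sample rules are constructed: the first two mirror the INPUT_direct chain in comment 11, and the third is a hypothetical rule with `--dports all` to reproduce the error message; the exact rule text fail2ban generated on the reporter's host is not in the thread. Function names are my own.

```shell
#!/bin/sh
# Added example (not from the bug report, fail2ban or firewalld): locate the
# firewalld direct rule whose port list iptables-restore refuses.
# Assumption: direct rules come from "firewall-cmd --direct --get-all-rules",
# one rule per line; the sample lines below are constructed.

# Validate a multiport --dports value: comma-separated ports or lo:hi ranges,
# each within 0..65535, lo <= hi, and at most 15 port slots in total (a range
# occupies two slots, the xt_multiport limit). iptables would also accept
# service names from /etc/services; they are rejected here to keep the check
# offline and unambiguous, so "all" and "ssh" both fail.
valid_dports() {
    spec="$1"
    slots=0
    saved_ifs="$IFS"
    IFS=','
    for item in $spec; do
        case "$item" in
            *:*) lo="${item%%:*}"; hi="${item#*:}"; slots=$((slots + 2)) ;;
            *)   lo="$item";        hi="$item";       slots=$((slots + 1)) ;;
        esac
        for p in "$lo" "$hi"; do
            case "$p" in
                ''|*[!0-9]*) IFS="$saved_ifs"; return 1 ;;
            esac
            if [ "$p" -gt 65535 ]; then IFS="$saved_ifs"; return 1; fi
        done
        if [ "$lo" -gt "$hi" ]; then IFS="$saved_ifs"; return 1; fi
    done
    IFS="$saved_ifs"
    [ "$slots" -ge 1 ] && [ "$slots" -le 15 ]
}

# Read direct rules from stdin and report every --dports value iptables would
# refuse. Rules without --dports are skipped. Returns 1 if any rule is bad.
lint_direct_rules() {
    bad=0
    while IFS= read -r rule; do
        case "$rule" in
            *"--dports "*) ;;
            *) continue ;;
        esac
        spec=${rule##*"--dports "}   # text after the last --dports
        spec=${spec%% *}             # up to the next space
        if valid_dports "$spec"; then
            echo "ok:  --dports $spec"
        else
            echo "BAD: --dports $spec would fail iptables-restore: $rule"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample: the two rules visible in comment 11's INPUT_direct chain,
# plus a hypothetical third rule carrying the literal port "all" that the
# error message in comment 9 complains about.
sample_direct_rules() {
    cat <<'EOF'
ipv4 filter INPUT_direct 0 -m set --match-set f2b-sshd src -p tcp -m multiport --dports 22 -j REJECT --reject-with icmp-port-unreachable
ipv4 filter INPUT_direct 0 -m set --match-set f2b-recidive src -p tcp -m multiport --dports 1:65535 -j REJECT --reject-with icmp-port-unreachable
ipv4 filter INPUT_direct 0 -m set --match-set f2b-pam-generic src -p tcp -m multiport --dports all -j REJECT --reject-with icmp-port-unreachable
EOF
}

case "${1:-}" in
    --live) firewall-cmd --direct --get-all-rules | lint_direct_rules ;;
    --demo) sample_direct_rules | lint_direct_rules ;;
esac
```

With --demo the third constructed rule is reported as BAD; with --live (as root) it checks the runtime direct rules on the host, and `firewall-cmd --permanent --direct --get-all-rules` can be piped in the same way for the saved ones. The match-set name (f2b-...) in a BAD line tells you which fail2ban jail produced it, which is what comment 13 ended up tracing back to pam-generic and the banaction_allports setting.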