Bug 876390 - enabling firewalld on an existing system kills ssh and will not enable it
Summary: enabling firewalld on an existing system kills ssh and will not enable it
Keywords:
Status: CLOSED DUPLICATE of bug 821938
Alias: None
Product: Fedora
Classification: Fedora
Component: firewalld
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-11-14 00:57 UTC by Matthew Miller
Modified: 2012-11-21 13:31 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2012-11-21 13:31:55 UTC
Type: Bug
Embargoed:


Description Matthew Miller 2012-11-14 00:57:58 UTC
Description of problem:

Logged into my test machine via ssh. Installed firewalld, and did systemctl enable firewalld.

Not surprisingly, my ssh connection immediately froze. Okay, fair enough.

Got console access. Typed

  firewall-cmd --add-service=ssh

Got back "warning: ALREADY_ENABLED"

SSH session still not responsive. Force-disconnected it. Still can't ssh in, though: "No route to host". 

Went back to console. Ran "iptables -F", which worked. (Obviously that's not the ideal state for a firewall and I'm sure a less-drastic manual rule would have worked as well.)



Version-Release number of selected component (if applicable):

firewalld-0.2.9-1.fc18.noarch

How reproducible:

Always


Steps to Reproduce:
1. install clean system without firewalld
2. install firewalld
  
Actual results:

ssh cannot be enabled

Expected results:

Not surprised to see initial connection dropped. Surprised that enable doesn't work.

Additional info:

Comment 1 Jiri Popelka 2012-11-14 15:40:31 UTC
(In reply to comment #0)
> did systemctl enable firewalld.

'systemctl enable' AFAIK just makes the symlinks, it doesn't start the service.
Did you mean 'systemctl start' ?

Anyway, neither 'systemctl enable' nor 'systemctl start' freezes the connection in my case. Can't see what I do differently.

> Steps to Reproduce:
> 1. install clean system without firewalld

I thought firewalld was in the minimal install in F18.

Comment 2 Jiri Popelka 2012-11-14 16:00:40 UTC
firewalld is actually enabled by default [1] when you install it, so 'systemctl enable firewalld.service' does nothing.

[1] https://fedoraproject.org/wiki/Starting_services_by_default

Comment 3 Matthew Miller 2012-11-14 20:28:33 UTC
(In reply to comment #1)
> 'systemctl enable' AFAIK just makes the symlinks, it doesn't start the
> service.
> Did you mean 'systemctl start' ?

Yes, sorry.

> > Steps to Reproduce:
> > 1. install clean system without firewalld
> I thought firewalld was in the minimal install in F18.

It is installed by anaconda but isn't in the @core group, so it isn't currently added by tools like appliance-creator. Conceivably, we could have a minimal JEOS image which doesn't have it, but someone might want to add it later -- that's the specific case I'm worried about here.

Comment 4 Matthew Miller 2012-11-21 13:31:55 UTC
Ah. I'm not running NetworkManager.

*** This bug has been marked as a duplicate of bug 821938 ***

