kernel x86_64 3.8.4-202.fc18 firewall-cmd --version 0.2.12 Currently Firewalld firewall rules are not saved permanently and will not survive a reboot or reload. On dns server: firewall-cmd --zone=public --list-all public interfaces: eth0 services: ports: forward-ports: icmp-blocks: the firewall is preventing connections to the dns-services: no dns service or connections are allowed. on client: ping to dns server: ping 192.168.0.141 64 bytes from 192.168.0.141: icmp_seq=1 ttl=64 time=0.451 ms. telnet 192.168.0.141 53 trying 192.168.0.141 telnet: connection to address 192.168.0.141: No route to host. So the firewall is blocking port 53. (that’s correct) it is not opened yet. on dns-server: to use port 53 in a running configuration the document stated: firewall-cmd --zone=public --add-service=dns add --permanent option to make the rule persistent a reboot. firewall-cmd --permanent --zone=public --add-service=dns Now the dns service is visable: firewall-cmd --zone=public --list-all gives : public interfaces: eth0 services: dns ports: forward-ports: icmp-blocks: client machine: telnet 192.168.0.141 53 Trying 192.168.0.141 Connected to 192.168.0.141 Escape character is '^]' so the firewall is open for port 53. dns server: Reboot. on dns server: firewall-cmd --zone=public --list-all public interfaces: eth0 services: ports: forward-ports: icmp-blocks: all the rules are gone: on client: ping to dns server: ping 192.168.0.141 64 bytes from 192.168.0.141: icmp_seq=1 ttl=64 time=0.491 ms. telnet 192.168.0.141 53 trying 192.168.0.141 telnet: connection to address 192.168.0.141: No route to host. So the firewall is blocking port 53 again.
That's strange, I haven't seen any similar problem before. The --permanent option just modifies XML configuration files (in /etc/firewalld/), which are loaded during (re)start/reload. So there could either be a problem in 'firewall-cmd --permanent' wrongly modifying the XML files or in firewalld itself wrongly interpreting them. I need you to - add --debug option to FIREWALLD_ARGS in /etc/sysconfig/firewalld so the line looks like 'FIREWALLD_ARGS=--debug'. - systemctl restart firewalld - check content of /etc/firewalld/zones/public.xml - make some modification with firewall-cmd --permanent --zone=public ... - check content of /etc/firewalld/zones/public.xml again - systemctl restart firewalld - check /var/log/firewalld if you can see any errors/warnings Please report any oddities you'll encounter. Also, the public zone by default allows ssh, mdns and dhcpv6-client. Given that there are no services when you reboot ... had you removed these somehow ? Do you remember any other customizations you had made ?
Extra infromation: I installed Fedora as minimum install: No desktop manager etc, Selinux is permissive and targeted. after a reboot I indeed can only logon with ssh via console. Port 22 is also blocked after the reboot, because of the not saved rules. If I --add-service=ssh I can loggon again, untill the next reboot... I changed the setting to debug mode in /etc/system/firewalld The server I am using is a 2 function server: dhcp and dns (Bind). Reproduction of the bug: 1: remove the public.* files in /etc/firewalld/zones 2: firewall-cmd --zone=public --list-all gives me: public interfaces: services: mdns dhcpv6-client ssh ports: forward-ports: icm-blocks: the zone directory is empty (duh). 3: adding the services in the firewall firewall-cmd --permanent --zone=public --add-service=dns ls /etc/firewalld/zones gives: -rw-r--r--. root root 363 Apr 3 public.xml 4: now the problem starts: firewall-cmd --permanent --zone=public --add-service=dhcp gives: no error of rwhatsoever. ls /etc/firewalld/zones gives: -rw-r--r--. Root Root 388 Apr 3 public.xml -rw-r--r--. Root Root 363 Apr 3 public.xml.old So the file is updated contents of the public.xml file: <service name="dhcp"/> <service name="mdns"/> <service name="dhcpv6-client"/> <service name="dns"/> <service name="ssh"/> that looks good: But there is a problem with the dhcp service: if I want the unblock dhcp service: firewall-cmd --zone=public --add-service=dhcp I get error: INVALID_SERVICE: dhcp if I restart the firewalld service all the rules are gone. So in my opinion 3 things have to be corrected and done: 1: if you add a service that is a unknown service the firewall-cmd should not add this rule in the .xml files. 2: if you want to add a unknown services firewall-cmd must give a warning (duh) 3: is a unknown service is added in the .xml file all other rules must still be valid and added in firewalld. and the unknown service must be skipped. So actual the rules are saved. But due to an uknown or misconfigured services deleted in the firewall itself, deleting all other rules.
Thanks for the investigation Robert ! This is duplicate of bug #909466 and it has already been fixed upstream. I'll back-port the fix(es) to Fedora 18. *** This bug has been marked as a duplicate of bug 909466 ***