Firewalld fails to reload rules on CentOS 7
firewall-cmd --permanent --remove-service=ssh
firewall-cmd --permanent --add-port=2222/tcp
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --permanent --add-service=smtp
So far, so good, but when I try to reload the rules (firewall-cmd --reload), I just get an ERROR: COMMAND_FAILED and no rules added to iptables :/
Is anyone having this issue? I tried some google-fu but other errors were showing the failed command, mine is totally empty…
7 Replies
You might have a problem with the configuration files, take a look under /etc/firewalld/ and see if any of the xml files are corrupted or just wrong. If you want, you can delete them and start fresh, in case the problem is with some old command that you've run in the past.
[root@Zeno ~]# systemctl start firewalld
[root@Zeno ~]# sudo systemctl status firewalld -l
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2017-03-25 23:03:33 CET; 4s ago
Docs: man:firewalld(1)
Process: 5273 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
Main PID: 5326 (firewalld)
CGroup: /system.slice/firewalld.service
└─5326 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Mar 25 23:03:33 Zeno systemd[1]: Starting firewalld - dynamic firewall daemon...
Mar 25 23:03:33 Zeno systemd[1]: Started firewalld - dynamic firewall daemon.
Mar 25 23:03:33 Zeno firewalld[5326]: ERROR: COMMAND_FAILED
Mar 25 23:03:33 Zeno firewalld[5326]: WARNING: '/usr/sbin/iptables-restore -n' failed:
Mar 25 23:03:33 Zeno firewalld[5326]: WARNING: '/usr/sbin/ip6tables-restore -n' failed:
Mar 25 23:03:33 Zeno firewalld[5326]: ERROR: COMMAND_FAILED
[root@Zeno ~]# firewall-cmd --state
not running
I have no idea where to start looking for a solution.
Didn't mess with any .xml file. Only used firewall-cmd.
Reinstalled firewalld
Removed zone.xml files
Also, take a look at /var/log/messages, maybe you'll get more errors there, which could help identify the problem.
You could also reinstall the firewall rpm, for example:
yum reinstall firewalld-filesystem-0.4.3.2-8.1.el7_3.2.noarch firewalld-0.4.3.2-8.1.el7_3.2.noarch
(don't copy/paste the above, first make sure the version numbers are the same in your system)
Rebooted and firewall preventing any external connections.
Using lish I found the problem was with the firewalld config.
firewall-cmd --get-active-zones returns nothing
firewall-cmd --list-interfaces returns nothing
firewall-cmd --permanent --zone=public --change-interface=eth0 looks like it succeeds and tells me that it's already in that zone if I re-run it but --get-active-zones still returns nothing
--list-zones shows all the zones and the public zone is still there with the correct services in it as before the update, but it's just not associated with that interface.
A few bits from /var/log/messages -
firewalld: WARNING: '/usr/sbin/iptables-restore -n' failed:
firewalld: WARNING: '/usr/sbin/ip6tables-restore -n' failed:
firewalld: ERROR: COMMAND_FAILED
kernel: nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
NetworkManager[3314]:
There's some kind of borkage to do with the interface scripts, network manager and firewalld.
Does anyone have any suggestions? I've done a yum remove and install of firewalld to no effect.
TIA!
Neil
The above errors look like they are coming from the underlying iptables and not firewalld.
Maybe your kernel has not been compiled with the required modules to support the full features needed by iptables? My suggestion at this point is to switch to the real CentOS kernel, which we know is fully featured, and see if that fixes your problem.
First back up /etc/firewalld/direct.xml and then remove /etc/firewalld/direct.xml. After that, firewall-cmd --reload didn't give any issue. Hope this helps.
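As an added example (not code from this thread or from firewalld itself, though firewalld is a Python daemon), the script below does what the first reply suggests, finding XML files under /etc/firewalld that firewalld cannot load, and also reports which interface each zone file binds and extracts the rules in direct.xml, the file the last reply ended up removing. The sample config it writes to a temp dir is constructed for the demo; point scan_firewalld_config() at /etc/firewalld on a real host.

```python
# Added example (not the thread's or firewalld's own code): scan a firewalld
# config tree for XML files that fail to parse, list the interfaces each zone
# binds, and pull out direct.xml rules, which firewalld feeds to iptables-restore.
import os
import tempfile
import xml.etree.ElementTree as ET

def scan_firewalld_config(root="/etc/firewalld"):
    """Return (broken, zone_ifaces, direct_rules): {relpath: parse error},
    {zone relpath: [interface names]}, [(ipv, table, chain, iptables args)]."""
    broken, zone_ifaces, direct_rules = {}, {}, []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                doc = ET.parse(path).getroot()
            except ET.ParseError as exc:
                broken[rel] = str(exc)  # firewalld will refuse to load this file
                continue
            if doc.tag == "zone":
                zone_ifaces[rel] = [i.get("name") for i in doc.iter("interface")]
            elif doc.tag == "direct":
                for rule in doc.iter("rule"):
                    direct_rules.append((rule.get("ipv"), rule.get("table"),
                                         rule.get("chain"), (rule.text or "").strip()))
    return broken, zone_ifaces, direct_rules

def build_sample_config():
    """Write a constructed /etc/firewalld look-alike to a temp dir; return its path."""
    root = tempfile.mkdtemp(prefix="firewalld-sample-")
    os.mkdir(os.path.join(root, "zones"))
    files = {
        "zones/public.xml": '<zone>\n  <short>Public</short>\n  <interface name="eth0"/>\n'
                            '  <service name="http"/>\n  <port protocol="tcp" port="2222"/>\n</zone>\n',
        "zones/broken.xml": '<zone>\n  <service name="ssh"/>\n',  # truncated: no </zone>
        "direct.xml": '<direct>\n  <rule priority="0" table="filter" ipv="ipv4" chain="INPUT">'
                      '-p tcp --dport 2222 -j ACCEPT</rule>\n</direct>\n',
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    broken, zones, direct = scan_firewalld_config(build_sample_config())
    print("broken:", broken, "\nzones:", zones, "\ndirect:", direct)
```

A zone that lists no interface is the state Neil describes (--get-active-zones empty while --list-zones still shows the zone), and any rule in direct.xml is a candidate when iptables-restore fails during a reload.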