Firewalld fails to reload rules on Centos7

Hi, I'm trying to use firewalld to allow access to certain services (http, https, ssh over non standard port, smtp and ftp):

firewall-cmd --permanent --remove-service=ssh
firewall-cmd --permanent --add-port=2222/tcp
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --permanent --add-service=smtp

So far, so good, but when I try to reload the rules (firewall-cmd --reload), I just get an ERROR: COMMAND_FAILED and no rules added to iptables :/

Is anyone having this issue? I tried some google-fu but other errors were showing the failed command, mine is totally empty…

7 Replies

Are you sure firewalld is running? (try: systemctl start firewalld)

You might have a problem with the configuration files, take a look under /etc/firewalld/ and see if any of the xml files are corrupted or just wrong. If you want, you can delete them and start fresh, in case the problem is with some old command that you've run in the past.

Same issue here.

[root@Zeno ~]# systemctl start firewalld
[root@Zeno ~]# sudo systemctl status firewalld -l
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2017-03-25 23:03:33 CET; 4s ago
     Docs: man:firewalld(1)
  Process: 5273 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
 Main PID: 5326 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─5326 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Mar 25 23:03:33 Zeno systemd[1]: Starting firewalld - dynamic firewall daemon...
Mar 25 23:03:33 Zeno systemd[1]: Started firewalld - dynamic firewall daemon.
Mar 25 23:03:33 Zeno firewalld[5326]: ERROR: COMMAND_FAILED
Mar 25 23:03:33 Zeno firewalld[5326]: WARNING: '/usr/sbin/iptables-restore -n' failed:
Mar 25 23:03:33 Zeno firewalld[5326]: WARNING: '/usr/sbin/ip6tables-restore -n' failed:
Mar 25 23:03:33 Zeno firewalld[5326]: ERROR: COMMAND_FAILED
[root@Zeno ~]# firewall-cmd --state
not running

I have no idea where to start looking for a solution.

Didn't mess with any .xml file. Only used firewall-cmd.

Reinstalled firewalld

Removed zone.xml files

I am not sure how you ended up like this, maybe you can re-trace your steps and see what you touched on that server that broke the firewall?

Also, take a look at /var/log/messages, maybe you'll get more errors there, which could help identify the problem.

You could also reinstall the firewall rpm, for example:

yum reinstall firewalld-filesystem-0.4.3.2-8.1.el7_3.2.noarch firewalld-0.4.3.2-8.1.el7_3.2.noarch

(don't copy/paste the above, first make sure the version numbers are the same in your system)

Similar issue here after doing a yum update to CentOS 7.3 today.

Rebooted and firewall preventing any external connections.

Using lish I found the problem was with the firewalld config.

firewall-cmd --get-active-zones returns nothing

firewall-cmd --list-interfaces returns nothing

firewall-cmd --permanent --zone=public --change-interface=eth0 looks like it succeeds and tells me that it's already in that zone if I re-run it but --get-active-zones still returns nothing

--list-zones shows all the zones and the public zone is still there with the correct services in it as before the update, but it's just not associated with that interface.

A few bits from /var/log/messages -

firewalld: WARNING: '/usr/sbin/iptables-restore -n' failed:

firewalld: WARNING: '/usr/sbin/ip6tables-restore -n' failed:

firewalld: ERROR: COMMAND_FAILED

kernel: nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.

NetworkManager[3314]: [1494357834.7334] firewall: [0x557a80124290,change:"eth0"]: complete: request failed (COMMAND_FAILED)

There's some kind of borkage to do with the interface scripts, network manager and firewalld.

Does anyone have any suggestions? I've done a yum remove and install of firewalld to no effect.

TIA!

Neil

blue30,

The above errors look like they are coming from the underlying iptables and not firewalld.

Maybe your kernel has not been compiled with the required modules to support the full features needed by iptables? My suggestion at this point is to switch to the real CentOS kernel, which we know is fully featured, and see if that fixes your problem.

You can check /etc/firewalld/direct.xml (ignore iptables rule setting).

First back up /etc/firewalld/direct.xml and then remove it. After that, firewall-cmd --reload didn't give any issue. Hope this helps.
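Two of the replies above point at the firewalld configuration files themselves: the first suggests looking under /etc/firewalld/ for XML files that are corrupted or wrong, and the last backs up direct.xml before removing it. The script below is an added example (not code from this thread, from firewalld, or from any of the posters) that does both checks offline against a constructed sample tree laid out like /etc/firewalld: it parses every zone/service/ipset/icmptype/helper file and direct.xml, reports any that fail to parse or have the wrong root element, lists the rules present in direct.xml so you can see what iptables-restore would be asked to load, and backs up a file with a timestamp before removing it. The expected root element names and the directory layout are assumptions based on firewalld's documented config format; the sample zone, broken zone and direct rule are constructed for the demo.

```python
"""Validate firewalld XML config files and back up a file before removing it.

Added illustrative example, not code from the thread or from firewalld.
Assumptions: firewalld's config layout (<confdir>/zones/*.xml, <confdir>/direct.xml, ...)
and the root element each file type is expected to carry.
"""
import os
import shutil
import tempfile
import time
import xml.etree.ElementTree as ET

# Subdirectory -> expected root element (assumption based on firewalld's file formats)
EXPECTED_ROOT = {"zones": "zone", "services": "service", "ipsets": "ipset",
                 "icmptypes": "icmptype", "helpers": "helper"}


def check_file(path, expected_root=None):
    """Return (ok, message); ok is False on a parse error or an unexpected root element."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError as exc:
        return False, f"{path}: XML parse error: {exc}"
    if expected_root and root.tag != expected_root:
        return False, f"{path}: root element is <{root.tag}>, expected <{expected_root}>"
    return True, f"{path}: ok (<{root.tag}>)"


def check_config_dir(confdir):
    """Walk a firewalld-style config dir and return a list of problem messages."""
    problems = []
    for subdir, root_tag in EXPECTED_ROOT.items():
        d = os.path.join(confdir, subdir)
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".xml"):
                ok, msg = check_file(os.path.join(d, name), root_tag)
                if not ok:
                    problems.append(msg)
    direct = os.path.join(confdir, "direct.xml")
    if os.path.exists(direct):
        ok, msg = check_file(direct, "direct")
        if not ok:
            problems.append(msg)
    return problems


def direct_rules(path):
    """Return the <rule> entries of a direct.xml as (ipv, table, chain, priority, args) tuples."""
    root = ET.parse(path).getroot()
    return [(r.get("ipv"), r.get("table"), r.get("chain"), r.get("priority"),
             (r.text or "").strip()) for r in root.findall("rule")]


def backup_and_remove(path, backup_dir):
    """Copy path into backup_dir with a timestamp suffix, remove the original, return the backup path."""
    os.makedirs(backup_dir, exist_ok=True)
    stamp = time.strftime("%Y%m%d%H%M%S")
    dest = os.path.join(backup_dir, f"{os.path.basename(path)}.{stamp}.bak")
    shutil.copy2(path, dest)
    os.remove(path)
    return dest


# Constructed sample files (not taken from any real host)
GOOD_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="http"/>
  <service name="https"/>
  <service name="smtp"/>
  <port protocol="tcp" port="2222"/>
  <interface name="eth0"/>
</zone>
"""
BAD_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <service name="ssh"/>
"""  # deliberately truncated: the closing </zone> is missing
DIRECT = """<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="0">-m conntrack --ctstate INVALID -j DROP</rule>
</direct>
"""


def build_sample_confdir():
    """Write the constructed files into a temp dir laid out like /etc/firewalld; return its path."""
    confdir = tempfile.mkdtemp(prefix="firewalld-sample-")
    os.makedirs(os.path.join(confdir, "zones"))
    for name, body in (("public.xml", GOOD_ZONE), ("broken.xml", BAD_ZONE)):
        with open(os.path.join(confdir, "zones", name), "w") as f:
            f.write(body)
    with open(os.path.join(confdir, "direct.xml"), "w") as f:
        f.write(DIRECT)
    return confdir


if __name__ == "__main__":
    confdir = build_sample_confdir()
    for problem in check_config_dir(confdir):
        print("PROBLEM:", problem)
    for rule in direct_rules(os.path.join(confdir, "direct.xml")):
        print("direct rule:", rule)
    print("backed up to", backup_and_remove(os.path.join(confdir, "direct.xml"),
                                            os.path.join(confdir, "backup")))
```

On a real host you would call check_config_dir("/etc/firewalld") as root; a file that fails to parse is a candidate for the "delete them and start fresh" advice, and direct_rules shows exactly which hand-written iptables arguments firewalld will hand to iptables-restore, which is the layer the COMMAND_FAILED messages in this thread come from.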
