These machines have only had firewalld configured.  Currently firewalld version
0.3.9-14.el7 is installed, and in this particular case, the server is fully up
to date.  If I run iptables -nvL I see this for the first chain:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 766K   72M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   75  5514 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
79630 5463K INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
79630 5463K INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
79630 5463K INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  956 78983 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
 2792  142K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
So firewalld was definitely used to generate the rules in iptables.  And indeed
systemd starts it upon reboot.  It looks like only the GUI has a problem reading
the configuration.  Note that the GUI does show that firewalld is connected.
There are other machines that have this same issue. Were there changes to config
file locations, or permissions, as I know the GUI worked just fine until just
recently?
Emmett
On 01/28/2016 11:58 AM, Gordon Messmer wrote:
> On 01/28/2016 11:26 AM, Emmett Culley wrote:
>> To my surprise, except for the interface definition for public and
>> trusted zones, nothing seemed to be configured.  That is, none of the services
>> were checked off that we want open at the firewall.  Also, this server is a
>> gateway and masquerading and forwarding appears to be off as well.
> 
> Firewalld doesn't read the iptables state of the system, it relies on
> its own representation of the desired configuration.  You or another admin may
> have configured the iptables rules on that host using a service other than
> firewalld.  For instance, you may have added rules to
> /etc/sysconfig/{iptables,ip6tables} and run the "iptables" service.
> In that case, firewalld would have no information about the rules that are
> present.  Check there first, then decide if you want to continue supporting that
> configuration or migrate to firewalld.
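A shell check for the question Gordon raises, added here as an example that is not from the thread: it reads an "iptables -nvL INPUT" listing (live, or the constructed sample below that mirrors Emmett's) and reports whether the chain was generated by firewalld, which dispatches into its own INPUT_direct / INPUT_ZONES_SOURCE / INPUT_ZONES chains, or by something else such as the legacy iptables service, and whether a /etc/sysconfig/iptables file is present. The function names and the sample listings are the example's own.

```shell
# Added example, not from the thread: tells a firewalld-generated INPUT chain
# from one loaded by the legacy "iptables" service. firewalld jumps into its own
# INPUT_direct / INPUT_ZONES_SOURCE / INPUT_ZONES chains (named in Emmett's
# listing); a ruleset from /etc/sysconfig/iptables has no such chains.

# Constructed listings so the functions can be exercised without root.
SAMPLE_INPUT='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 766K   72M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
79630 5463K INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
79630 5463K INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
79630 5463K INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0'
LEGACY_INPUT='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# A rule line starts with two counters (e.g. "766K   72M") and then a target.
RULE_RE='^[[:space:]]*[0-9]+[KMG]?[[:space:]]+[0-9]+[KMG]?[[:space:]]+'

# stdin: an "iptables -nvL INPUT" listing. Prints "firewalld" or "other".
classify_input_chain() {
    if grep -qE "${RULE_RE}INPUT_(direct|ZONES_SOURCE|ZONES)[[:space:]]"; then
        echo firewalld
    else
        echo other
    fi
}

# stdin: same listing. Prints the rule count (0 for an empty policy-ACCEPT chain).
count_rules() {
    grep -cE "${RULE_RE}[A-Za-z_]+" || true
}

# True if a legacy iptables-service ruleset exists (path from Gordon's reply).
legacy_config_present() {
    [ -s "${1:-/etc/sysconfig/iptables}" ]
}

# On a real host read the live chain (needs root); otherwise use the sample.
report() {
    listing=$(iptables -nvL INPUT 2>/dev/null) || listing=$SAMPLE_INPUT
    printf 'INPUT chain generated by: %s (%s rules)\n' \
        "$(printf '%s\n' "$listing" | classify_input_chain)" \
        "$(printf '%s\n' "$listing" | count_rules)"
    if legacy_config_present; then echo 'legacy /etc/sysconfig/iptables present'; fi
}

report
```

If the report says "other" while /etc/sysconfig/iptables exists, the live rules most likely came from the legacy service and firewalld's GUI has nothing to show for them, which is the situation Gordon describes.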