On 10/12/2015 10:17 AM, Gordon Messmer wrote:
> On 10/11/2015 03:00 PM, Emmett Culley wrote:
>> I just noticed that when rebooting a CentOS 7 server the firewall comes
>> back up with both interfaces set to REJECT, instead of the eth1 interface set to
>> ACCEPT as defined in 'permanent' firewalld configuration files.
>
> Rather than paraphrasing, could you show the specific rules, chains, or
> policies you're talking about? A standard firewalld rule set has the INPUT
> policy set to ACCEPT, with a terminal REJECT rule. An INPUT_ZONES table will
> direct to an IN_public table, with log, deny, and accept rules.
>
> Typically, the only rule that references an interface is the one in
> INPUT_ZONES that "goto"s IN_public_allow. It is neither REJECT nor
> ACCEPT, so it's really hard to guess what you're seeing that you
> don't expect to see.
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>
Contents of iptables INPUT_ZONES upon reboot
-----------------------------------------------
[root@dev2 ~]# iptables -nL INPUT_ZONES
Chain INPUT_ZONES (1 references)
target     prot opt in     out     source               destination
IN_public  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
IN_public  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0
-----------------------------------------------
Contents of iptables INPUT_ZONES after running 'systemctl restart
firewalld'
-----------------------------------------------
[root@dev2 ~]# iptables -nL INPUT_ZONES
Chain INPUT_ZONES (1 references)
target     prot opt in     out     source               destination
IN_trusted all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
IN_public  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0
-----------------------------------------------
I expect to see the second output upon reboot.
Emmett
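Added example, not part of the thread: a small POSIX sh check that parses the INPUT_ZONES listing the way iptables walks it (first matching "in" interface wins, the "+" wildcard rule as the fallback) and reports any interface that did not land in the zone you expect. The eth0=public / eth1=trusted mapping and the two embedded listings are assumptions modelled on the output above; on a live host feed it "$(iptables -nL INPUT_ZONES)" instead.

```sh
#!/bin/sh
# Expected interface -> zone mapping (assumption modelled on the mail above).
EXPECTED="eth0=public eth1=trusted"

# Constructed sample: INPUT_ZONES as seen right after reboot (eth1 wrongly in public).
SAMPLE_AFTER_REBOOT='Chain INPUT_ZONES (1 references)
target     prot opt in   out source    destination
IN_public  all  --  eth0 *   0.0.0.0/0 0.0.0.0/0
IN_public  all  --  eth1 *   0.0.0.0/0 0.0.0.0/0
IN_public  all  --  +    *   0.0.0.0/0 0.0.0.0/0'

# Constructed sample: INPUT_ZONES after "systemctl restart firewalld" (as intended).
SAMPLE_AFTER_RESTART='Chain INPUT_ZONES (1 references)
target     prot opt in   out source    destination
IN_trusted all  --  eth1 *   0.0.0.0/0 0.0.0.0/0
IN_public  all  --  eth0 *   0.0.0.0/0 0.0.0.0/0
IN_public  all  --  +    *   0.0.0.0/0 0.0.0.0/0'

# zone_of_iface LISTING IFACE
# Print the zone the listing assigns to IFACE. Rules are evaluated in order,
# and a "+" in the "in" column matches any interface, so the first rule whose
# interface is IFACE or "+" decides, exactly as the kernel would pick it.
zone_of_iface() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        $1 ~ /^IN_/ && ($4 == ifc || $4 == "+") { sub(/^IN_/, "", $1); print $1; exit }'
}

# check_zones LISTING
# Compare every interface in EXPECTED against LISTING. Prints one line per
# mismatch and returns 1 if any interface is in the wrong zone, 0 otherwise.
check_zones() {
    rc=0
    for pair in $EXPECTED; do
        ifc=${pair%%=*}; want=${pair#*=}
        got=$(zone_of_iface "$1" "$ifc")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH: $ifc is in zone '${got:-<none>}', expected '$want'"
            rc=1
        fi
    done
    return $rc
}

# Run against the post-reboot sample; on a real host use "$(iptables -nL INPUT_ZONES)".
check_zones "$SAMPLE_AFTER_REBOOT" || echo "zone drift detected; compare with: firewall-cmd --get-active-zones"
```

Running this from a boot-time unit (after firewalld is up) turns the surprise in the mail into a logged, alertable event instead of something noticed by hand.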