> -----Original Message-----
> From: CentOS [mailto:centos-bounces at centos.org] On Behalf Of Pete Biggs
> Sent: Saturday, January 28, 2017 6:02 AM
> To: centos at centos.org
> Subject: Re: [CentOS] firewalld
>
> > > The zone apparently means something because an interface can only be on one.
> > > Moving it to a different zone results in the same error (same
> > > services/ports opened in each zone).
>
> The "zones" are just labels and are used to create kernel iptables.
> Each zone has a default set of open and closed ports ranging from "trusted"
> which accepts all packets to "public" which has everything closed. You can
> modify the allowed ports and services on each zone at will.
>
> Some of the zones have "special" features - "block" rejects all packets,
> "drop" drops all packets, "external" has masquerading turned on and so on.
>
> If you have a single network, then that interface will, by default, be put in the
> "public" zone, so most ports will be closed. That's fine, just leave it in that
> zone, it's just a label/container.
>
> You can list the services open in the default zone by doing
>
>     firewall-cmd --list-services
>
> or for ports not services
>
>     firewall-cmd --list-ports
>
> or for a different zone
>
>     firewall-cmd --zone=public --list-services
>
> You can also find out which zones your interface(s) is in with
>
>     firewall-cmd --get-active-zones
>
> One of the gotchas with firewalld is that the changes are made in either the
> current running iptables *or* the stored rules, not both. So if you make a
> change to the running rule set, those changes won't be kept the next time
> you restart firewalld. You can either use the '--permanent' flag to set the
> stored rules (but it won't affect the active rules) or the
> '--runtime-to-permanent' flag to copy the current active rules to the
> stored ones.
>
> The bottom line is that firewalld is just another application that manipulates
> the kernel packet routing tables. Use something else if you prefer it - some
> of the system tools assume firewalld, but if you are aware of what's
> happening it shouldn't be an issue.
>
> > I may as well disable firewalld and let my router handle the firewall.
>
> If you are happy that there is nothing behind your firewall that could cause a
> problem then that's an acceptable route.
>
> P.

Thanks,

That's a better explanation of things than I have read so far.

Yes, initially I wasn't adding the --permanent to the rules but I wasn't doing really any reboots.

I did a few --reloads so that may have gotten me.

I have zoneminder, dns, and urbackup working. I can ssh and scp in from work but mail is being a pain.

Thanks
firewalld isn't the only thing that will prevent services from accessing the internet. I found that I needed to do a relabel before postfix could access DNS and I have seen other issues as well. Have you tried disabling the firewall to see if you can get connections to work? Then try to disable SELinux and see if that works.

# netstat --inet -l -n

Is the service listening on port 143?

# systemctl stop firewalld

Does it now work?

# setenforce 0

Does it now work?

Once you establish what's biting you then you can fix it.

To force a relabel do

# touch /.autorelabel
# reboot

Mike

On 01/28/2017 07:11 AM, TE Dukes wrote:
> Thanks,
>
> That's a better explanation of things than I have read so far.
>
> Yes, initially I wasn't adding the --permanent to the rules but I wasn't doing really any reboots.
>
> I did a few --reloads so that may have gotten me.
>
> I have zoneminder, dns, and urbackup working. I can ssh and scp in from work but mail is being a pain.
>
> Thanks
-----Original Message-----
From: CentOS [mailto:centos-bounces at centos.org] On Behalf Of Mike McCarthy, W1NR
Sent: Saturday, January 28, 2017 8:45 AM
To: CentOS mailing list
Subject: Re: [CentOS] firewalld

firewalld isn't the only thing that will prevent services from accessing the internet. I found that I needed to do a relabel before postfix could access DNS and I have seen other issues as well. Have you tried disabling the firewall to see if you can get connections to work? Then try to disable SELinux and see if that works.

# netstat --inet -l -n

Is the service listening on port 143?

# systemctl stop firewalld

Does it now work?

# setenforce 0

Does it now work?

Once you establish what's biting you then you can fix it.

To force a relabel do

# touch /.autorelabel
# reboot

Mike

I have dovecot answering now. I can read mail using Mutt.

I think I have problems with mysql/mariadb using roundcube. It may be I need to open ports for mariadb as well.

Thanks
On 28 January 2017 at 13:44, Mike McCarthy, W1NR <sysop at w1nr.net> wrote:
> firewalld isn't the only thing that will prevent services from accessing
> the internet. I found that I needed to do a relabel before postfix could
> access DNS and I have seen other issues as well. Have you tried
> disabling the firewall to see if you can get connections to work? Then
> try to disable SELinux and see if that works.
>
> # netstat --inet -l -n
>
> Is the service listening on port 143?
>

Just a side note here, since EL7 removed net-tools from the default install (after all it has been deprecated for about a decade now) you probably should get used to providing advice using the iproute2 suite instead. In this case `ss -tlnp` to list all tcp ports in a listening state, showing the pid using the port and not resolving the ports to friendly names.

For an example of why this is important think about using pacemaker or keepalived to manage IPs migrating between systems. They won't be visible using ifconfig but only via ip as they aren't exposed in the kernel structures that ifconfig uses - https://www.hogarthuk.com/?q=node/6

Another example is when you have multiple interfaces and you have source policy routing (or similar advanced routing behaviour) that makes use of rules and multiple routing tables. The older route command is only capable of displaying the default main table, not the rest of the tables in use, but `ip route show table all` will give you all the routing tables in use on your system (even in a default install it's a lot more than the route command shows) and `ip rule` gives you the rules in use, if any.

On a similar note bridge-utils is also deprecated, though brctl is ingrained into many minds! https://fedoramagazine.org/build-network-bridge-fedora/
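An added example, not code from the thread or from any of its posters: a small POSIX sh checker that strings together Mike's "is it listening on 143?" step and Pete's runtime-versus-permanent gotcha, reading `ss -tlnp` output (as recommended above in place of netstat) and `firewall-cmd --list-ports` output. The `ss` lines, process names and pids, and both port lists are constructed samples so it runs offline; on a live host you would feed in the real command output.

```shell
# Added example, not code from the thread. Checks one TCP port the way the
# thread does: is anything listening (ss -tlnp), does the firewalld zone allow
# it now (runtime), and will it still be allowed after a restart (permanent).
# It works on captured command output, so the logic runs offline.
# Constructed sample of `ss -tlnp` output (process names and pids invented).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      100    0.0.0.0:143         0.0.0.0:*         users:(("dovecot",pid=1234,fd=20))
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=2345,fd=12))'

# Constructed samples of `firewall-cmd --zone=public --list-ports`, runtime
# versus --permanent, showing the drift Pete warns about (3306 only in runtime).
SAMPLE_RUNTIME_PORTS='143/tcp 993/tcp 3306/tcp'
SAMPLE_PERMANENT_PORTS='143/tcp 993/tcp'

# listening_on PORT SS_OUTPUT: prints the process bound to PORT, else returns 1.
listening_on() {
    printf '%s\n' "$2" | awk -v p=":$1" '
        $1 == "LISTEN" && substr($4, length($4) - length(p) + 1) == p {
            if (match($0, /"[^"]+"/)) print substr($0, RSTART + 1, RLENGTH - 2)
            else print "unknown-process"   # ss only shows Process when run as root
            found = 1; exit
        }
        END { if (!found) exit 1 }'
}

# port_allowed PORT/PROTO PORT_LIST: 0 when the entry is in the list.
port_allowed() {
    for e in $2; do [ "$e" = "$1" ] && return 0; done
    return 1
}

# runtime_only RUNTIME_LIST PERMANENT_LIST: entries that vanish on restart.
runtime_only() {
    for entry in $1; do port_allowed "$entry" "$2" || printf '%s\n' "$entry"; done
}

# check_port PORT SS_OUTPUT RUNTIME_LIST PERMANENT_LIST: one-line verdict,
# return code 1/2/3 for not listening / blocked now / lost after restart.
check_port() {
    proc=$(listening_on "$1" "$2") || { echo "$1: nothing listening"; return 1; }
    port_allowed "$1/tcp" "$3" || { echo "$1: $proc listening but not allowed in runtime zone"; return 2; }
    port_allowed "$1/tcp" "$4" || { echo "$1: $proc reachable now but missing from permanent config"; return 3; }
    echo "$1: $proc listening and allowed (runtime and permanent)"
}

# Stand-alone run on the samples; on a real host pass "$(ss -tlnp)",
# "$(firewall-cmd --zone=public --list-ports)" and the same list with --permanent.
for p in 143 3306 25; do
    check_port "$p" "$SAMPLE_SS" "$SAMPLE_RUNTIME_PORTS" "$SAMPLE_PERMANENT_PORTS" || true
done
```

The 3306 verdict is the case TE Dukes is about to hit: reachable now, gone after the next `systemctl restart firewalld` unless `--runtime-to-permanent` is run.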