After a recent large update, firewalld's status contains
many lines of the form:

    WARNING: COMMAND_FAILED: '/usr/sbin/iptables...

Checking iptables.service status shows it to be masked.

I realize that firewalld uses iptables, but should it be
enabled and started as a service?

Jon
-- 
Jon H. LaBadie                 jcu at labadie.us
11226 South Shore Rd.          (703) 787-0688 (H)
Reston, VA 20190               (703) 935-6720 (C)
On Dec 14, 2018, at 2:30 PM, Jon LaBadie <jcu at labadie.us> wrote:
>
> After a recent large update, firewalld's status contains
> many lines of the form:
>
>     WARNING: COMMAND_FAILED: '/usr/sbin/iptables...

What's the rest of the command?

> Checking iptables.service status shows it to be masked.

That's probably from package iptables-services, which isn't installed by default on purpose. It's the legacy service from before firewalld was made the default. Use one or the other, not both.

I strongly recommend that you use firewalld instead of the old iptables service. While firewalld is based on the kernel's iptables facility, it gives many additional capabilities that you don't get with raw iptables commands. The old service was little more than a macro system for raw iptables commands.

Contrast firewalld, which:

1. Integrates with systemd.

2. Understands "services" as opposed to just raw port numbers and such. This is especially valuable with complex services like NFS. With iptables... well, you forgot to allow rpc.portmap again, didn't you? :)

3. Updates the firewall in real time, live. You can do this by hand with raw iptables commands, but the syntax for inserting new rules at the right place in the tables is awkward. Firewalld automates all of that for you.

4. Add --permanent to a new rule to save it securely to the rule set loaded on startup. Contrast iptables, where you're often running across blog articles and such that talk about saving such rules separately to /etc/rc.local and such, or editing /etc/sysconfig/iptables directly.

5. If you prefer the "update global config and reload" pattern of the old system-config-firewall scheme from CentOS 6, you can do that with firewalld, too:

    alias fcp="sudo firewall-cmd --permanent"
    fcp --add-service foo
    fcp --add-port somename/tcp
    ...more fcp commands here...
    sudo firewall-cmd --reload
On Dec 14, 2018, at 3:14 PM, Warren Young <warren at etr-usa.com> wrote:
>
>     alias fcp="sudo firewall-cmd --permanent"

These commands are top-of-mind for me at the moment because I just configured a Raspberry Pi based network appliance at home, and installed firewalld on it for the purpose because I like it so much better than raw iptables commands.

The default OS for the Raspberry Pi is derived from Debian, which has firewalld in its package repository but doesn't use it by default. I found it well worth going out of my way to get firewalld on that Pi.

Good stuff!
On Fri, Dec 14, 2018 at 03:14:12PM -0700, Warren Young wrote:
> On Dec 14, 2018, at 2:30 PM, Jon LaBadie <jcu at labadie.us> wrote:
> >
> > After a recent large update, firewalld's status contains
> > many lines of the form:
> >
> >     WARNING: COMMAND_FAILED: '/usr/sbin/iptables...
>
> What's the rest of the command?

Well, there are about 20 of them and several screen widths long.
However, they all end with one of two reasons:

    : No chain/target/match by that name.
    : Bad rule (does a matching rule exist in that chain?).

> > Checking iptables.service status shows it to be masked.
>
> That's probably from package iptables-services, which isn't installed by default on purpose. It's the legacy service from before firewalld was made the default. Use one or the other, not both.
>

After the update I got email from "ckservices" that firewalld was down. I saw the above-mentioned iptables errors and checked iptables.service to find it masked. I shut down firewalld, unmasked, enabled, and started iptables.service and then firewalld. Same errors. So I shut down the iptables service, masked it, and restarted firewalld.

> I strongly recommend that you use firewalld ...
>

Never planned to do otherwise. Just was uncertain if iptables.service had to run also.

Thanks,
Jon
-- 
Jon H. LaBadie                 jon at jgcomp.com
11226 South Shore Rd.          (703) 787-0688 (H)
Reston, VA 20190               (703) 935-6720 (C)
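A small triage helper for the COMMAND_FAILED lines Jon describes above, added here as an example and not posted by anyone in the thread: it parses `systemctl status firewalld` output, pulls the iptables table, verb and chain out of each failed command, and groups the failures by the two error texts Jon saw. The sample lines are constructed to follow the quoted format; the chain and target names in them are illustrative, not taken from Jon's host.

```python
import re
from collections import Counter
from typing import Dict, NamedTuple, Optional

# Constructed sample in the shape of the firewalld status lines quoted in
# this thread; rule text is shortened and the names are made up.
SAMPLE_STATUS = """\
WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -D INPUT_direct -p tcp --dport 2049 -j ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -D FORWARD_direct -j DOCKER' failed: iptables: No chain/target/match by that name.
WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -t filter -D INPUT_direct -p tcp --dport 2049 -j ACCEPT' failed: ip6tables: Bad rule (does a matching rule exist in that chain?).
WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D PREROUTING_direct -j DOCKER' failed: iptables: No chain/target/match by that name.
Dec 14 14:20:01 host firewalld[812]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -D INPUT_direct -j FOO' failed: iptables: No chain/target/match by that name.
"""

# Tail of a COMMAND_FAILED line: quoted argv, the tool that rejected it,
# and the reason text with its trailing period stripped.
LINE_RE = re.compile(
    r"COMMAND_FAILED: '(?P<cmd>[^']*)' failed: (?P<tool>\S+): (?P<reason>.*?)\.?$"
)
# iptables verbs whose next argument is the chain being operated on.
CHAIN_VERBS = {"-A", "-D", "-I", "-C", "-F", "-X", "-N", "-R"}

class Failure(NamedTuple):
    tool: str
    table: str
    action: str
    chain: str
    reason: str

def parse_failure(line: str) -> Optional[Failure]:
    """Structured view of one status line, or None if it is not a COMMAND_FAILED line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    argv = m.group("cmd").split()
    table, action, chain = "filter", "?", "?"   # iptables defaults to the filter table
    for i, tok in enumerate(argv[:-1]):
        if tok == "-t":
            table = argv[i + 1]
        elif tok in CHAIN_VERBS:
            action, chain = tok, argv[i + 1]
    return Failure(m.group("tool"), table, action, chain, m.group("reason"))

def summarize(status_text: str) -> Dict[str, Counter]:
    """Count failures by iptables error text and by tool:table/chain."""
    fails = [f for f in map(parse_failure, status_text.splitlines()) if f]
    return {
        "by_reason": Counter(f.reason for f in fails),
        "by_chain": Counter(f"{f.tool}:{f.table}/{f.chain}" for f in fails),
    }
```

"No chain/target/match by that name" is what iptables returns when a referenced chain or jump target does not exist, while "Bad rule" on a -D means the rule being deleted is not present; the by_chain counts show which tables and chains the stale rules point at.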