View Issue Details

ID: 0016951
Project: CentOS-8
Category: firewalld
View Status: public
Last Update: 2020-02-07 00:13
Reporter: phlogistonjohn
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
Product Version:
Target Version:
Fixed in Version:
Summary: 0016951: After update to centos 8.1 firewalld blocks everything
Description
After updating my system to 8.1.1911, when firewalld is running I cannot access any of the ports I have enabled in firewalld.

Primarily, I want ssh to work but nothing I do in firewall-cmd itself seems to allow me to access the port(s). When I stop firewalld (systemctl stop firewalld) I am able to access SSH on my system.

Unfortunately, I am not familiar enough with firewalld/nft to debug this myself much so assistance would be appreciated.

Steps To Reproduce
(remote system)$ ssh -v -ljohn 192.168.64.8
OpenSSH_8.1p1, OpenSSL 1.1.1d FIPS 10 Sep 2019
debug1: Reading configuration data /home/jmulliga/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /home/jmulliga/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: Connecting to 192.168.64.8 [192.168.64.8] port 22.
debug1: connect to address 192.168.64.8 port 22: No route to host
ssh: connect to host 192.168.64.8 port 22: No route to host


(system) sudo systemctl stop firewalld

(remote system)$ ssh -ljohn 192.168.64.8
Web console: https://karnak:9090/ or https://192.168.64.8:9090/

Last login: Sun Jan 19 10:33:38 2020 from 192.168.64.138
[john@karnak ~]$

Re-starting firewalld blocks the port again.


Additional Information
$sudo firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    

dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    

drop
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    

external
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    

home
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    

internal
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    

libvirt (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: virbr0
  sources:
  services: dhcp dhcpv6 dns ssh tftp
  ports:
  protocols: icmp ipv6-icmp
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    rule priority="32767" reject

nfs (active)
  target: default
  icmp-block-inversion: no
  interfaces:
  sources: 192.168.64.0/24
  services: nfs
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno1
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 7022/tcp 80/tcp 22/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    

work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    

Tags: No tags attached.

Activities

phlogistonjohn
2020-01-19 15:46
reporter   ~0036053

output of 'nft list ruleset'

karnak-nft-list-ruleset.2020-01-19.txt (18,312 bytes)
table ip filter {
	chain INPUT {
		type filter hook input priority 0; policy accept;
		iifname "virbr0" meta l4proto udp udp dport 53 counter packets 0 bytes 0 accept
		iifname "virbr0" meta l4proto tcp tcp dport 53 counter packets 0 bytes 0 accept
		iifname "virbr0" meta l4proto udp udp dport 67 counter packets 0 bytes 0 accept
		iifname "virbr0" meta l4proto tcp tcp dport 67 counter packets 0 bytes 0 accept
	}

	chain FORWARD {
		type filter hook forward priority 0; policy accept;
		oifname "virbr0" ip daddr 192.168.122.0/24 ct state related,established counter packets 0 bytes 0 accept
		iifname "virbr0" ip saddr 192.168.122.0/24 counter packets 0 bytes 0 accept
		iifname "virbr0" oifname "virbr0" counter packets 0 bytes 0 accept
		oifname "virbr0" counter packets 0 bytes 0 reject
		iifname "virbr0" counter packets 0 bytes 0 reject
	}

	chain OUTPUT {
		type filter hook output priority 0; policy accept;
		oifname "virbr0" meta l4proto udp udp dport 68 counter packets 0 bytes 0 accept
	}
}
table ip6 filter {
	chain INPUT {
		type filter hook input priority 0; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority 0; policy accept;
	}

	chain OUTPUT {
		type filter hook output priority 0; policy accept;
	}
}
table bridge filter {
	chain INPUT {
		type filter hook input priority -200; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority -200; policy accept;
	}

	chain OUTPUT {
		type filter hook output priority -200; policy accept;
	}
}
table ip security {
	chain INPUT {
		type filter hook input priority 150; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority 150; policy accept;
	}

	chain OUTPUT {
		type filter hook output priority 150; policy accept;
	}
}
table ip raw {
	chain PREROUTING {
		type filter hook prerouting priority -300; policy accept;
	}

	chain OUTPUT {
		type filter hook output priority -300; policy accept;
	}
}
table ip mangle {
	chain PREROUTING {
		type filter hook prerouting priority -150; policy accept;
	}

	chain INPUT {
		type filter hook input priority -150; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority -150; policy accept;
	}

	chain OUTPUT {
		type route hook output priority -150; policy accept;
	}

	chain POSTROUTING {
		type filter hook postrouting priority -150; policy accept;
		oifname "virbr0" meta l4proto udp udp dport 68 counter packets 0 bytes 0 # CHECKSUM fill
	}
}
table ip nat {
	chain PREROUTING {
		type nat hook prerouting priority -100; policy accept;
	}

	chain INPUT {
		type nat hook input priority 100; policy accept;
	}

	chain POSTROUTING {
		type nat hook postrouting priority 100; policy accept;
		ip saddr 192.168.122.0/24 ip daddr 224.0.0.0/24 counter packets 0 bytes 0 return
		ip saddr 192.168.122.0/24 ip daddr 255.255.255.255 counter packets 0 bytes 0 return
		meta l4proto tcp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade to :1024-65535 
		meta l4proto udp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade to :1024-65535 
		ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade 
	}

	chain OUTPUT {
		type nat hook output priority -100; policy accept;
	}
}
table ip6 security {
	chain INPUT {
		type filter hook input priority 150; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority 150; policy accept;
	}

	chain OUTPUT {
		type filter hook output priority 150; policy accept;
	}
}
table ip6 raw {
	chain PREROUTING {
		type filter hook prerouting priority -300; policy accept;
	}

	chain OUTPUT {
		type filter hook output priority -300; policy accept;
	}
}
table ip6 mangle {
	chain PREROUTING {
		type filter hook prerouting priority -150; policy accept;
	}

	chain INPUT {
		type filter hook input priority -150; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority -150; policy accept;
	}

	chain OUTPUT {
		type route hook output priority -150; policy accept;
	}

	chain POSTROUTING {
		type filter hook postrouting priority -150; policy accept;
	}
}
table ip6 nat {
	chain PREROUTING {
		type nat hook prerouting priority -100; policy accept;
	}

	chain INPUT {
		type nat hook input priority 100; policy accept;
	}

	chain POSTROUTING {
		type nat hook postrouting priority 100; policy accept;
	}

	chain OUTPUT {
		type nat hook output priority -100; policy accept;
	}
}
table bridge nat {
	chain PREROUTING {
		type filter hook prerouting priority -300; policy accept;
	}

	chain OUTPUT {
		type filter hook output priority 100; policy accept;
	}

	chain POSTROUTING {
		type filter hook postrouting priority 300; policy accept;
	}
}
table inet firewalld {
	ct helper helper-tftp-udp {
		type "tftp" protocol udp

		l3proto inet
	}

	chain raw_PREROUTING {
		type filter hook prerouting priority -290; policy accept;
		icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
		meta nfproto ipv6 fib saddr . iif oif missing drop
		jump raw_PREROUTING_ZONES
	}

	chain raw_PREROUTING_ZONES {
		ip saddr 192.168.64.0/24 goto raw_PRE_nfs
		iifname "virbr0" goto raw_PRE_libvirt
		iifname "eno1" goto raw_PRE_public
		goto raw_PRE_public
	}

	chain mangle_PREROUTING {
		type filter hook prerouting priority -140; policy accept;
		jump mangle_PREROUTING_ZONES
	}

	chain mangle_PREROUTING_ZONES {
		ip saddr 192.168.64.0/24 goto mangle_PRE_nfs
		iifname "virbr0" goto mangle_PRE_libvirt
		iifname "eno1" goto mangle_PRE_public
		goto mangle_PRE_public
	}

	chain filter_INPUT {
		type filter hook input priority 10; policy accept;
		ct state established,related accept
		ct status dnat accept
		iifname "lo" accept
		jump filter_INPUT_ZONES
		ct state invalid drop
		reject with icmpx type admin-prohibited
	}

	chain filter_FORWARD {
		type filter hook forward priority 10; policy accept;
		ct state established,related accept
		ct status dnat accept
		iifname "lo" accept
		ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
		jump filter_FORWARD_IN_ZONES
		jump filter_FORWARD_OUT_ZONES
		ct state invalid drop
		reject with icmpx type admin-prohibited
	}

	chain filter_OUTPUT {
		type filter hook output priority 10; policy accept;
		oifname "lo" accept
		ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
	}

	chain filter_INPUT_ZONES {
		ip saddr 192.168.64.0/24 goto filter_IN_nfs
		iifname "virbr0" goto filter_IN_libvirt
		iifname "eno1" goto filter_IN_public
		goto filter_IN_public
	}

	chain filter_FORWARD_IN_ZONES {
		ip saddr 192.168.64.0/24 goto filter_FWDI_nfs
		iifname "virbr0" goto filter_FWDI_libvirt
		iifname "eno1" goto filter_FWDI_public
		goto filter_FWDI_public
	}

	chain filter_FORWARD_OUT_ZONES {
		ip daddr 192.168.64.0/24 goto filter_FWDO_nfs
		oifname "virbr0" goto filter_FWDO_libvirt
		oifname "eno1" goto filter_FWDO_public
		goto filter_FWDO_public
	}

	chain raw_PRE_nfs {
		jump raw_PRE_nfs_pre
		jump raw_PRE_nfs_log
		jump raw_PRE_nfs_deny
		jump raw_PRE_nfs_allow
		jump raw_PRE_nfs_post
	}

	chain raw_PRE_nfs_pre {
	}

	chain raw_PRE_nfs_log {
	}

	chain raw_PRE_nfs_deny {
	}

	chain raw_PRE_nfs_allow {
	}

	chain raw_PRE_nfs_post {
	}

	chain filter_IN_nfs {
		jump filter_IN_nfs_pre
		jump filter_IN_nfs_log
		jump filter_IN_nfs_deny
		jump filter_IN_nfs_allow
		jump filter_IN_nfs_post
		meta l4proto { icmp, ipv6-icmp } accept
	}

	chain filter_IN_nfs_pre {
	}

	chain filter_IN_nfs_log {
	}

	chain filter_IN_nfs_deny {
	}

	chain filter_IN_nfs_allow {
		tcp dport nfs ct state new,untracked accept
	}

	chain filter_IN_nfs_post {
	}

	chain mangle_PRE_nfs {
		jump mangle_PRE_nfs_pre
		jump mangle_PRE_nfs_log
		jump mangle_PRE_nfs_deny
		jump mangle_PRE_nfs_allow
		jump mangle_PRE_nfs_post
	}

	chain mangle_PRE_nfs_pre {
	}

	chain mangle_PRE_nfs_log {
	}

	chain mangle_PRE_nfs_deny {
	}

	chain mangle_PRE_nfs_allow {
	}

	chain mangle_PRE_nfs_post {
	}

	chain filter_FWDI_nfs {
		jump filter_FWDI_nfs_pre
		jump filter_FWDI_nfs_log
		jump filter_FWDI_nfs_deny
		jump filter_FWDI_nfs_allow
		jump filter_FWDI_nfs_post
		meta l4proto { icmp, ipv6-icmp } accept
	}

	chain filter_FWDI_nfs_pre {
	}

	chain filter_FWDI_nfs_log {
	}

	chain filter_FWDI_nfs_deny {
	}

	chain filter_FWDI_nfs_allow {
	}

	chain filter_FWDI_nfs_post {
	}

	chain filter_FWDO_nfs {
		jump filter_FWDO_nfs_pre
		jump filter_FWDO_nfs_log
		jump filter_FWDO_nfs_deny
		jump filter_FWDO_nfs_allow
		jump filter_FWDO_nfs_post
	}

	chain filter_FWDO_nfs_pre {
	}

	chain filter_FWDO_nfs_log {
	}

	chain filter_FWDO_nfs_deny {
	}

	chain filter_FWDO_nfs_allow {
	}

	chain filter_FWDO_nfs_post {
	}

	chain raw_PRE_public {
		jump raw_PRE_public_pre
		jump raw_PRE_public_log
		jump raw_PRE_public_deny
		jump raw_PRE_public_allow
		jump raw_PRE_public_post
	}

	chain raw_PRE_public_pre {
	}

	chain raw_PRE_public_log {
	}

	chain raw_PRE_public_deny {
	}

	chain raw_PRE_public_allow {
	}

	chain raw_PRE_public_post {
	}

	chain filter_IN_public {
		jump filter_IN_public_pre
		jump filter_IN_public_log
		jump filter_IN_public_deny
		jump filter_IN_public_allow
		jump filter_IN_public_post
		meta l4proto { icmp, ipv6-icmp } accept
	}

	chain filter_IN_public_pre {
	}

	chain filter_IN_public_log {
	}

	chain filter_IN_public_deny {
	}

	chain filter_IN_public_allow {
		tcp dport ssh ct state new,untracked accept
		ip6 daddr fe80::/64 udp dport dhcpv6-client ct state new,untracked accept
		tcp dport 9090 ct state new,untracked accept
		tcp dport 7022 ct state new,untracked accept
		tcp dport http ct state new,untracked accept
	}

	chain filter_IN_public_post {
	}

	chain filter_FWDI_public {
		jump filter_FWDI_public_pre
		jump filter_FWDI_public_log
		jump filter_FWDI_public_deny
		jump filter_FWDI_public_allow
		jump filter_FWDI_public_post
		meta l4proto { icmp, ipv6-icmp } accept
	}

	chain filter_FWDI_public_pre {
	}

	chain filter_FWDI_public_log {
	}

	chain filter_FWDI_public_deny {
	}

	chain filter_FWDI_public_allow {
	}

	chain filter_FWDI_public_post {
	}

	chain mangle_PRE_public {
		jump mangle_PRE_public_pre
		jump mangle_PRE_public_log
		jump mangle_PRE_public_deny
		jump mangle_PRE_public_allow
		jump mangle_PRE_public_post
	}

	chain mangle_PRE_public_pre {
	}

	chain mangle_PRE_public_log {
	}

	chain mangle_PRE_public_deny {
	}

	chain mangle_PRE_public_allow {
	}

	chain mangle_PRE_public_post {
	}

	chain filter_FWDO_public {
		jump filter_FWDO_public_pre
		jump filter_FWDO_public_log
		jump filter_FWDO_public_deny
		jump filter_FWDO_public_allow
		jump filter_FWDO_public_post
	}

	chain filter_FWDO_public_pre {
	}

	chain filter_FWDO_public_log {
	}

	chain filter_FWDO_public_deny {
	}

	chain filter_FWDO_public_allow {
	}

	chain filter_FWDO_public_post {
	}

	chain raw_PRE_libvirt {
		jump raw_PRE_libvirt_pre
		jump raw_PRE_libvirt_log
		jump raw_PRE_libvirt_deny
		jump raw_PRE_libvirt_allow
		jump raw_PRE_libvirt_post
	}

	chain raw_PRE_libvirt_pre {
	}

	chain raw_PRE_libvirt_log {
	}

	chain raw_PRE_libvirt_deny {
	}

	chain raw_PRE_libvirt_allow {
	}

	chain raw_PRE_libvirt_post {
	}

	chain filter_IN_libvirt {
		jump filter_IN_libvirt_pre
		jump filter_IN_libvirt_log
		jump filter_IN_libvirt_deny
		jump filter_IN_libvirt_allow
		jump filter_IN_libvirt_post
		accept
	}

	chain filter_IN_libvirt_pre {
	}

	chain filter_IN_libvirt_log {
	}

	chain filter_IN_libvirt_deny {
	}

	chain filter_IN_libvirt_allow {
		udp dport bootps ct state new,untracked accept
		udp dport dhcpv6-server ct state new,untracked accept
		tcp dport domain ct state new,untracked accept
		udp dport domain ct state new,untracked accept
		tcp dport ssh ct state new,untracked accept
		udp dport tftp ct helper set "helper-tftp-udp"
		udp dport tftp ct state new,untracked accept
		meta l4proto icmp ct state new,untracked accept
		meta l4proto ipv6-icmp ct state new,untracked accept
	}

	chain filter_IN_libvirt_post {
		reject
	}

	chain mangle_PRE_libvirt {
		jump mangle_PRE_libvirt_pre
		jump mangle_PRE_libvirt_log
		jump mangle_PRE_libvirt_deny
		jump mangle_PRE_libvirt_allow
		jump mangle_PRE_libvirt_post
	}

	chain mangle_PRE_libvirt_pre {
	}

	chain mangle_PRE_libvirt_log {
	}

	chain mangle_PRE_libvirt_deny {
	}

	chain mangle_PRE_libvirt_allow {
	}

	chain mangle_PRE_libvirt_post {
	}

	chain filter_FWDI_libvirt {
		jump filter_FWDI_libvirt_pre
		jump filter_FWDI_libvirt_log
		jump filter_FWDI_libvirt_deny
		jump filter_FWDI_libvirt_allow
		jump filter_FWDI_libvirt_post
		accept
	}

	chain filter_FWDI_libvirt_pre {
	}

	chain filter_FWDI_libvirt_log {
	}

	chain filter_FWDI_libvirt_deny {
	}

	chain filter_FWDI_libvirt_allow {
	}

	chain filter_FWDI_libvirt_post {
	}

	chain filter_FWDO_libvirt {
		jump filter_FWDO_libvirt_pre
		jump filter_FWDO_libvirt_log
		jump filter_FWDO_libvirt_deny
		jump filter_FWDO_libvirt_allow
		jump filter_FWDO_libvirt_post
		accept
	}

	chain filter_FWDO_libvirt_pre {
	}

	chain filter_FWDO_libvirt_log {
	}

	chain filter_FWDO_libvirt_deny {
	}

	chain filter_FWDO_libvirt_allow {
	}

	chain filter_FWDO_libvirt_post {
	}
}
table ip firewalld {
	chain nat_PREROUTING {
		type nat hook prerouting priority -90; policy accept;
		jump nat_PREROUTING_ZONES
	}

	chain nat_PREROUTING_ZONES {
		ip saddr 192.168.64.0/24 goto nat_PRE_nfs
		iifname "virbr0" goto nat_PRE_libvirt
		iifname "eno1" goto nat_PRE_public
		goto nat_PRE_public
	}

	chain nat_POSTROUTING {
		type nat hook postrouting priority 110; policy accept;
		jump nat_POSTROUTING_ZONES
	}

	chain nat_POSTROUTING_ZONES {
		ip daddr 192.168.64.0/24 goto nat_POST_nfs
		oifname "virbr0" goto nat_POST_libvirt
		oifname "eno1" goto nat_POST_public
		goto nat_POST_public
	}

	chain nat_PRE_nfs {
		jump nat_PRE_nfs_pre
		jump nat_PRE_nfs_log
		jump nat_PRE_nfs_deny
		jump nat_PRE_nfs_allow
		jump nat_PRE_nfs_post
	}

	chain nat_PRE_nfs_pre {
	}

	chain nat_PRE_nfs_log {
	}

	chain nat_PRE_nfs_deny {
	}

	chain nat_PRE_nfs_allow {
	}

	chain nat_PRE_nfs_post {
	}

	chain nat_POST_nfs {
		jump nat_POST_nfs_pre
		jump nat_POST_nfs_log
		jump nat_POST_nfs_deny
		jump nat_POST_nfs_allow
		jump nat_POST_nfs_post
	}

	chain nat_POST_nfs_pre {
	}

	chain nat_POST_nfs_log {
	}

	chain nat_POST_nfs_deny {
	}

	chain nat_POST_nfs_allow {
	}

	chain nat_POST_nfs_post {
	}

	chain nat_PRE_public {
		jump nat_PRE_public_pre
		jump nat_PRE_public_log
		jump nat_PRE_public_deny
		jump nat_PRE_public_allow
		jump nat_PRE_public_post
	}

	chain nat_PRE_public_pre {
	}

	chain nat_PRE_public_log {
	}

	chain nat_PRE_public_deny {
	}

	chain nat_PRE_public_allow {
	}

	chain nat_PRE_public_post {
	}

	chain nat_POST_public {
		jump nat_POST_public_pre
		jump nat_POST_public_log
		jump nat_POST_public_deny
		jump nat_POST_public_allow
		jump nat_POST_public_post
	}

	chain nat_POST_public_pre {
	}

	chain nat_POST_public_log {
	}

	chain nat_POST_public_deny {
	}

	chain nat_POST_public_allow {
	}

	chain nat_POST_public_post {
	}

	chain nat_PRE_libvirt {
		jump nat_PRE_libvirt_pre
		jump nat_PRE_libvirt_log
		jump nat_PRE_libvirt_deny
		jump nat_PRE_libvirt_allow
		jump nat_PRE_libvirt_post
	}

	chain nat_PRE_libvirt_pre {
	}

	chain nat_PRE_libvirt_log {
	}

	chain nat_PRE_libvirt_deny {
	}

	chain nat_PRE_libvirt_allow {
	}

	chain nat_PRE_libvirt_post {
	}

	chain nat_POST_libvirt {
		jump nat_POST_libvirt_pre
		jump nat_POST_libvirt_log
		jump nat_POST_libvirt_deny
		jump nat_POST_libvirt_allow
		jump nat_POST_libvirt_post
	}

	chain nat_POST_libvirt_pre {
	}

	chain nat_POST_libvirt_log {
	}

	chain nat_POST_libvirt_deny {
	}

	chain nat_POST_libvirt_allow {
	}

	chain nat_POST_libvirt_post {
	}
}
table ip6 firewalld {
	chain nat_PREROUTING {
		type nat hook prerouting priority -90; policy accept;
		jump nat_PREROUTING_ZONES
	}

	chain nat_PREROUTING_ZONES {
		iifname "virbr0" goto nat_PRE_libvirt
		iifname "eno1" goto nat_PRE_public
		goto nat_PRE_public
	}

	chain nat_POSTROUTING {
		type nat hook postrouting priority 110; policy accept;
		jump nat_POSTROUTING_ZONES
	}

	chain nat_POSTROUTING_ZONES {
		oifname "virbr0" goto nat_POST_libvirt
		oifname "eno1" goto nat_POST_public
		goto nat_POST_public
	}

	chain nat_PRE_nfs {
		jump nat_PRE_nfs_pre
		jump nat_PRE_nfs_log
		jump nat_PRE_nfs_deny
		jump nat_PRE_nfs_allow
		jump nat_PRE_nfs_post
	}

	chain nat_PRE_nfs_pre {
	}

	chain nat_PRE_nfs_log {
	}

	chain nat_PRE_nfs_deny {
	}

	chain nat_PRE_nfs_allow {
	}

	chain nat_PRE_nfs_post {
	}

	chain nat_POST_nfs {
		jump nat_POST_nfs_pre
		jump nat_POST_nfs_log
		jump nat_POST_nfs_deny
		jump nat_POST_nfs_allow
		jump nat_POST_nfs_post
	}

	chain nat_POST_nfs_pre {
	}

	chain nat_POST_nfs_log {
	}

	chain nat_POST_nfs_deny {
	}

	chain nat_POST_nfs_allow {
	}

	chain nat_POST_nfs_post {
	}

	chain nat_PRE_public {
		jump nat_PRE_public_pre
		jump nat_PRE_public_log
		jump nat_PRE_public_deny
		jump nat_PRE_public_allow
		jump nat_PRE_public_post
	}

	chain nat_PRE_public_pre {
	}

	chain nat_PRE_public_log {
	}

	chain nat_PRE_public_deny {
	}

	chain nat_PRE_public_allow {
	}

	chain nat_PRE_public_post {
	}

	chain nat_POST_public {
		jump nat_POST_public_pre
		jump nat_POST_public_log
		jump nat_POST_public_deny
		jump nat_POST_public_allow
		jump nat_POST_public_post
	}

	chain nat_POST_public_pre {
	}

	chain nat_POST_public_log {
	}

	chain nat_POST_public_deny {
	}

	chain nat_POST_public_allow {
	}

	chain nat_POST_public_post {
	}

	chain nat_PRE_libvirt {
		jump nat_PRE_libvirt_pre
		jump nat_PRE_libvirt_log
		jump nat_PRE_libvirt_deny
		jump nat_PRE_libvirt_allow
		jump nat_PRE_libvirt_post
	}

	chain nat_PRE_libvirt_pre {
	}

	chain nat_PRE_libvirt_log {
	}

	chain nat_PRE_libvirt_deny {
	}

	chain nat_PRE_libvirt_allow {
	}

	chain nat_PRE_libvirt_post {
	}

	chain nat_POST_libvirt {
		jump nat_POST_libvirt_pre
		jump nat_POST_libvirt_log
		jump nat_POST_libvirt_deny
		jump nat_POST_libvirt_allow
		jump nat_POST_libvirt_post
	}

	chain nat_POST_libvirt_pre {
	}

	chain nat_POST_libvirt_log {
	}

	chain nat_POST_libvirt_deny {
	}

	chain nat_POST_libvirt_allow {
	}

	chain nat_POST_libvirt_post {
	}
}

jaxtell
2020-02-03 04:46
reporter   ~0036184

I seem to be experiencing the same issue, with the exception that my nfs port (2049) is still accessible.

sigprof
2020-02-06 15:34
reporter   ~0036218

Most likely the problem is that your local machine has an IP address from the 192.168.64.0/24 range which is set for the "nfs" zone. Some old firewalld versions had undocumented behavior called "zone drifting" — when a source-based zone did not have a non-default target, and none of the rules in that zone matched the packet, then the rules of the interface-based zone were also applied to the packet. In firewalld-0.7.0 this loophole was closed, and now the source-based zone will completely override the interface-based zone for matching source addresses. Therefore if you want to make ssh accessible from the IP addresses added to the "nfs" zone, you need to allow the "ssh" service for that zone.

The corresponding Red Hat bug report is https://bugzilla.redhat.com/show_bug.cgi?id=1772208 — apparently the current behavior is actually correct, however, looks like some kind of fix is coming in firewalld-0.8.0-3.el8, presumably in the 8.2 release (maybe the AllowZoneDrifting option would be backported, so that old pre-0.7.0 configurations could be made to work).

Blog post from upstream firewalld developers: https://firewalld.org/2020/01/allowzonedrifting
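
The zone selection sigprof describes, as an added example that is not part of this report or of firewalld's own code: a small Python model of the dispatch visible in the attached ruleset (`filter_INPUT_ZONES` tries the source-based `ip saddr` rule first, then the `iifname` rule, then falls through to `filter_IN_public`). It parses a trimmed copy of the reporter's `firewall-cmd --list-all-zones` output and gives a verdict for a new inbound connection under the firewalld 0.7.0+ behaviour and under the old "zone drifting" behaviour. It also reproduces jaxtell's observation that tcp/2049 still works from the same client. The `SERVICE_PORTS` table is an assumed subset of firewalld's service definitions, and the `public` fallback is taken from the final `goto filter_IN_public` in the ruleset.

```python
"""Model of firewalld zone dispatch (added example, not firewalld's own code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a trimmed copy of the report's `firewall-cmd
# --list-all-zones` output, keeping only the two active zones on eno1.
SAMPLE_ZONES = """\
nfs (active)
  target: default
  interfaces:
  sources: 192.168.64.0/24
  services: nfs
  ports:
  rich rules:

public (active)
  target: default
  interfaces: eno1
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 7022/tcp 80/tcp 22/tcp
  rich rules:
"""

# Assumed subset of firewalld's service definitions (service -> port/proto).
SERVICE_PORTS = {
    "ssh": ("22", "tcp"),
    "nfs": ("2049", "tcp"),
    "cockpit": ("9090", "tcp"),
}


@dataclass
class Zone:
    name: str
    target: str = "default"
    interfaces: List[str] = field(default_factory=list)
    sources: List[str] = field(default_factory=list)
    services: List[str] = field(default_factory=list)
    ports: List[str] = field(default_factory=list)


def parse_zones(text: str) -> List[Zone]:
    """Parse `firewall-cmd --list-all-zones` style output into Zone records."""
    zones: List[Zone] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # zone header, e.g. "nfs (active)"
            zones.append(Zone(line.split()[0]))
            continue
        key, _, value = line.strip().partition(":")
        values = value.split()
        if key == "target" and values:
            zones[-1].target = values[0]
        elif key in ("interfaces", "sources", "services", "ports"):
            setattr(zones[-1], key, values)
    return zones


def pick_zones(zones: List[Zone], saddr: str, iif: str,
               default: str = "public") -> Tuple[Optional[Zone], Optional[Zone]]:
    """Mirror filter_INPUT_ZONES: source match first, then interface, then default."""
    addr = ipaddress.ip_address(saddr)
    by_source = next((z for z in zones for net in z.sources
                      if addr in ipaddress.ip_network(net, strict=False)), None)
    by_iface = next((z for z in zones if iif in z.interfaces), None)
    if by_iface is None:
        by_iface = next((z for z in zones if z.name == default), None)
    return by_source, by_iface


def zone_accepts(zone: Zone, port: str, proto: str) -> bool:
    """A zone accepts a new connection via its target, an explicit port, or a service."""
    if zone.target == "ACCEPT":
        return True
    if f"{port}/{proto}" in zone.ports:
        return True
    return any(SERVICE_PORTS.get(svc) == (port, proto) for svc in zone.services)


def is_accepted(zones: List[Zone], saddr: str, iif: str, port: str, proto: str,
                allow_zone_drifting: bool = False) -> bool:
    """Verdict for a new inbound connection.

    firewalld >= 0.7.0: a matching source-based zone is final (the ruleset uses
    `goto`, so a miss falls back to filter_INPUT's closing reject). Older
    releases "drifted": a default-target source zone that matched nothing let
    the interface-based zone's rules run as well.
    """
    by_source, by_iface = pick_zones(zones, saddr, iif)
    zone = by_source or by_iface
    if zone is None:
        return False
    if zone_accepts(zone, port, proto):
        return True
    if (allow_zone_drifting and by_source is not None
            and by_source.target == "default" and by_iface is not None):
        return zone_accepts(by_iface, port, proto)
    return False


if __name__ == "__main__":
    zones = parse_zones(SAMPLE_ZONES)
    for port in ("22", "2049"):
        for drift in (False, True):
            ok = is_accepted(zones, "192.168.64.138", "eno1", port, "tcp", drift)
            print(f"tcp/{port} from 192.168.64.138 drifting={drift}: "
                  f"{'accept' if ok else 'reject'}")
```

With the reporter's configuration the model rejects tcp/22 from 192.168.64.138 but accepts tcp/2049, exactly the symptom in the two reports; with drifting enabled tcp/22 is accepted again. Adding `ssh` to the `nfs` zone's service list flips the verdict, which on the host is `firewall-cmd --permanent --zone=nfs --add-service=ssh` followed by `firewall-cmd --reload`; removing the source-based zone so that eno1's `public` zone applies to every client, as jaxtell did, has the same effect.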

phlogistonjohn
2020-02-06 23:50
reporter   ~0036222

Extremely helpful! Thank you!
Since the version of firewalld in 8.1.1911 doesn't have the AllowZoneDrifting option I will just reset my firewalld configuration to stock and try to reconfigure from there. I do want nfs and ssh to work but I configured it a while ago and totally forgot about that nfs zone. I was probably following a blog article or something. :-)

jaxtell
2020-02-07 00:13
reporter   ~0036223

Worked for me too, thanks! I deleted my nfs zone which was configured with an ip range source and added nfs to my public zone. It all seems to be working fine now. Thanks for your help!

Issue History

Date Modified Username Field Change
2020-01-19 15:35 phlogistonjohn New Issue
2020-01-19 15:46 phlogistonjohn File Added: karnak-nft-list-ruleset.2020-01-19.txt
2020-01-19 15:46 phlogistonjohn Note Added: 0036053
2020-02-03 04:46 jaxtell Note Added: 0036184
2020-02-06 15:34 sigprof Note Added: 0036218
2020-02-06 23:50 phlogistonjohn Note Added: 0036222
2020-02-07 00:13 jaxtell Note Added: 0036223