View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0017234 | CentOS-8 | firewalld | public | 2020-04-09 21:54 | 2020-04-10 13:02 |
Reporter | Tetmohawk | Assigned To | |||
Priority | normal | Severity | minor | Reproducibility | always |
Status | new | Resolution | open | ||
Product Version | 8.1.1911 | ||||
Summary | 0017234: Interface not in firewalld and when added, it creates a massive mismatch between firewalld and nftables | ||||
Description |

I have a static IP setup with NetworkManager. Here are the contents of ifcfg-enp3s0:

```
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME=enp3s0
UUID=d25f537a-e671-4d7c-9508-94fd1fca9967
DEVICE=enp3s0
ONBOOT=yes
IPADDR=192.168.1.3
PREFIX=24
GATEWAY=192.168.1.1
IPV6_DISABLED=yes
DNS1=1.1.1.1
DNS2=8.8.8.8
ZONE=public
```

If I look at firewalld with `firewall-cmd --list-all-zones` there is no reference to enp3s0. Furthermore, when I look at `nft list ruleset` there is no reference to it there either. And if I run `firewall-cmd --get-zone-of-interface=enp3s0` the result is `no zone`. So the first question is why isn't it in there? It should be in public by default and I've specifically said to have it in the public zone in NetworkManager.

Next, when I run `firewall-cmd --zone=public --change-interface=enp3s0` I get the following:

```
Error: COMMAND_FAILED: '/usr/sbin/nft add rule ip firewalld nat_POSTROUTING_ZONES index 11 oifname "enp3s0" goto nat_POST_public' failed: Error: Could not process rule: No such file or directory
add rule ip firewalld nat_POSTROUTING_ZONES index 11 oifname "enp3s0" goto nat_POST_public
```

Okay, now I add the interface to /etc/firewalld/zones/public.xml:

```xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <interface name="enp3s0"/>
  <service name="dhcpv6-client"/>
  <port port="33198" protocol="tcp"/>
</zone>
```

Now I run `firewall-cmd --reload` and I get the error:

```
Warning: ZONE_ALREADY_SET: 'enp3s0' already bound to 'public'
```

Huh!? I didn't see it in `firewall-cmd --list-all-zones` or `nft list ruleset`, and `firewall-cmd --get-zone-of-interface=enp3s0` said it had no zone. So now `firewall-cmd --list-all-zones` has it in the public zone.

Now here's the big problem. When I run `nft list ruleset`, NONE of my firewalld rules are there, where before they were. Strange. The problem is that after a reboot this mismatch between firewalld and nftables is still there. Since nftables is the backend, all my firewall rules are gone. So on a headless system I can't SSH into it because that firewall rule is gone.
Tags | No tags attached. | ||||
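The mismatch the report describes (a zone file that binds an interface while the live nftables ruleset has no dispatch rule for it, or no firewalld table at all) can be checked offline by diffing the zone XML against `nft list ruleset` output. This is an added example, not part of the report or of firewalld; the `nat_POST_<zone>` chain name comes from the error message above, while `filter_IN_<zone>` and the sample rulesets are constructed assumptions modelled on what the nftables backend emits.

```python
import re
import xml.etree.ElementTree as ET

# Dispatch rules firewalld's nftables backend uses to send an interface's traffic
# to its zone chains. nat_POST_<zone> appears in the report; filter_IN_<zone> is assumed.
BINDING_RE = re.compile(
    r'(?:iifname|oifname)\s+"(?P<iface>[^"]+)"\s+goto\s+'
    r'(?:filter_IN|nat_POST)_(?P<zone>\w+)'
)

def zone_interfaces(zone_xml):
    """Interfaces declared in a zone file such as /etc/firewalld/zones/public.xml."""
    root = ET.fromstring(zone_xml.encode("utf-8"))  # bytes so the encoding declaration is honoured
    return {el.get("name") for el in root.findall("interface") if el.get("name")}

def nft_bindings(ruleset):
    """Map interface -> set of zones it is dispatched to, parsed from `nft list ruleset` text."""
    bindings = {}
    for m in BINDING_RE.finditer(ruleset):
        bindings.setdefault(m.group("iface"), set()).add(m.group("zone"))
    return bindings

def check_consistency(zone, zone_xml, ruleset):
    """Compare one zone file with the live ruleset. 'missing' lists interfaces the
    zone file binds that nftables does not dispatch to that zone; a False
    'firewalld_table_loaded' is the report's worst case: the whole table is gone."""
    live = nft_bindings(ruleset)
    configured = zone_interfaces(zone_xml)
    return {
        "firewalld_table_loaded": re.search(r"^table inet firewalld\b", ruleset, re.M) is not None,
        "missing": sorted(i for i in configured if zone not in live.get(i, set())),
    }

# Constructed samples: the reporter's zone file (trimmed) and two possible rulesets.
PUBLIC_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <interface name="enp3s0"/>
  <service name="dhcpv6-client"/>
  <port port="33198" protocol="tcp"/>
</zone>"""

# Healthy state: the interface is dispatched to the public zone chain.
NFT_CONSISTENT = 'table inet firewalld {\n\tchain filter_INPUT_ZONES {\n\t\tiifname "enp3s0" goto filter_IN_public\n\t}\n}\n'

# State after the reload in the report: firewalld's table is absent from the ruleset.
NFT_RULES_GONE = "table ip filter {\n\tchain INPUT {\n\t\ttype filter hook input priority 0;\n\t}\n}\n"
```

Running `check_consistency("public", PUBLIC_XML, NFT_RULES_GONE)` flags enp3s0 as missing and the table as not loaded, which is exactly the condition that locks a headless host out of SSH; on a live system feed it the real zone file and the output of `nft list ruleset` instead.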