View Issue Details

ID: 0017234
Project: CentOS-8
Category: firewalld
View Status: public
Last Update: 2020-04-10 13:02
Reporter: Tetmohawk
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Product Version: 8.1.1911
Target Version:
Fixed in Version:
Summary: 0017234: Interface not in firewalld and when added, it creates a massive mismatch between firewalld and nftables
Description: I have a static IP setup with NetworkManager. Here are the contents of ifcfg-enp3s0:

TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME=enp3s0
UUID=d25f537a-e671-4d7c-9508-94fd1fca9967
DEVICE=enp3s0
ONBOOT=yes
IPADDR=192.168.1.3
PREFIX=24
GATEWAY=192.168.1.1
IPV6_DISABLED=yes
DNS1=1.1.1.1
DNS2=8.8.8.8
ZONE=public

If I look at firewalld with firewall-cmd --list-all-zones there is no reference to enp3s0. Furthermore, when I look at nft list ruleset there is no reference to it there either. And if I run firewall-cmd --get-zone-of-interface=enp3s0 the result is no zone.

So the first question is why isn't it in there? It should be in public by default and I've specifically said to have it in the public zone in NetworkManager.

Next, when I run firewall-cmd --zone=public --change-interface=enp3s0 I get the following:

Error: COMMAND_FAILED: '/usr/sbin/nft add rule ip firewalld nat_POSTROUTING_ZONES index 11 oifname "enp3s0" goto nat_POST_public' failed: Error: Could not process rule: No such file or directory
add rule ip firewalld nat_POSTROUTING_ZONES index 11 oifname "enp3s0" goto nat_POST_public

Okay, now I add the interface to /etc/firewalld/zones/public.xml:

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <interface name="enp3s0"/>
  <service name="dhcpv6-client"/>
  <port port="33198" protocol="tcp"/>
</zone>

Now I run firewall-cmd --reload and I get the error:

Warning: ZONE_ALREADY_SET: 'enp3s0' already bound to 'public'

Huh!? I didn't see it in firewall-cmd --list-all-zones, nft list ruleset, and firewall-cmd --get-zone-of-interface=enp3s0 said it had no zone.

So now firewall-cmd --list-all-zones has it in the public zone. Now here's the big problem. When I run nft list ruleset NONE of my firewalld rules are there, where before they were. Strange. The problem is that after a reboot this mismatch between firewalld and nftables is still there. Since nftables is the backend, all my firewall rules are gone. So on a headless system I can't SSH into it because that firewall rule is gone.
Tags: No tags attached.
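The report above is essentially a disagreement between two views of the same state: what firewall-cmd says about zone/interface bindings and what the nftables ruleset actually dispatches on. The script below is an added diagnostic, not part of this bug report or of the firewalld project. It parses the text output of `firewall-cmd --list-all-zones` and `nft list ruleset`, looks for firewalld's `iifname`/`oifname ... goto <table>_<hook>_<zone>` dispatch rules inside the `firewalld` tables, and reports interfaces present on one side but not the other, plus the "no firewalld tables at all" case the reporter hit after the reload. The sample outputs embedded in it are constructed to mirror the report (enp3s0 bound to public in firewalld but absent from nft); the `eth9`/`trusted` entry is a made-up second case.

```python
"""Cross-check firewalld zone bindings against the live nftables ruleset.

Added diagnostic example (not firewalld's own code). Run it as root on a host
to compare `firewall-cmd --list-all-zones` with `nft list ruleset`; the
sample texts below are constructed and stand in for that output offline.
"""
import re
import subprocess
import sys
from typing import Dict, List, Set, Tuple

# Constructed sample of `firewall-cmd --list-all-zones` (fields trimmed).
SAMPLE_ZONES = """\
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp3s0
  sources:
  services: dhcpv6-client
  ports: 33198/tcp

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
"""

# Constructed sample of `nft list ruleset`: firewalld's dispatch chains know
# nothing about enp3s0 (as in the report), while a non-firewalld table that
# mentions the interface must be ignored.
SAMPLE_RULESET = """\
table inet firewalld {
\tchain filter_INPUT_ZONES {
\t\tiifname "eth9" goto filter_IN_trusted
\t\tgoto filter_IN_public
\t}
}
table ip firewalld {
\tchain nat_POSTROUTING_ZONES {
\t\toifname "eth9" goto nat_POST_trusted
\t}
}
table inet example {
\tchain input {
\t\tiifname "enp3s0" accept
\t}
}
"""

# firewalld names its per-zone chains <table>_<HOOK>_<zone>, e.g. filter_IN_public.
_DISPATCH = re.compile(
    r'\b[io]ifname\s+"([^"]+)"\s+goto\s+(?:filter|nat|mangle|raw)_[A-Z]+_(\S+)'
)


def parse_zone_interfaces(text: str) -> Dict[str, Set[str]]:
    """Map zone name -> interfaces listed under 'interfaces:' by firewall-cmd."""
    zones: Dict[str, Set[str]] = {}
    current = None
    for line in text.splitlines():
        if line and not line[0].isspace():
            current = line.split()[0]          # drop the " (active)" suffix
            zones[current] = set()
        elif current and line.strip().startswith("interfaces:"):
            zones[current] = set(line.split(":", 1)[1].split())
    return zones


def parse_nft_bindings(text: str) -> Dict[str, Set[str]]:
    """Map zone name -> interfaces that have a dispatch rule in a firewalld table."""
    bindings: Dict[str, Set[str]] = {}
    in_firewalld = False
    for line in text.splitlines():
        if line.startswith("table "):
            parts = line.split()               # "table <family> <name> {"
            in_firewalld = len(parts) >= 3 and parts[2] == "firewalld"
            continue
        if not in_firewalld:
            continue
        m = _DISPATCH.search(line)
        if m:
            bindings.setdefault(m.group(2), set()).add(m.group(1))
    return bindings


def has_firewalld_tables(text: str) -> bool:
    """False when the ruleset contains no firewalld table at all (rules gone)."""
    return bool(re.search(r"^table \S+ firewalld \{", text, re.MULTILINE))


def find_mismatches(zones: Dict[str, Set[str]], nft: Dict[str, Set[str]]
                    ) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Return (bound in firewalld but not in nft, bound in nft but not in firewalld)."""
    only_fw = sorted((z, i) for z, ifs in zones.items() for i in ifs
                     if i not in nft.get(z, set()))
    only_nft = sorted((z, i) for z, ifs in nft.items() for i in ifs
                      if i not in zones.get(z, set()))
    return only_fw, only_nft


def _run(cmd: List[str]) -> str:
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    zones_txt = _run(["firewall-cmd", "--list-all-zones"])
    nft_txt = _run(["nft", "list", "ruleset"])
    if not has_firewalld_tables(nft_txt):
        print("firewalld tables are absent from the nft ruleset; backend is not loaded")
        sys.exit(1)
    only_fw, only_nft = find_mismatches(parse_zone_interfaces(zones_txt),
                                        parse_nft_bindings(nft_txt))
    for zone, iface in only_fw:
        print(f"{iface}: bound to {zone} in firewalld, no dispatch rule in nft")
    for zone, iface in only_nft:
        print(f"{iface}: dispatched to {zone} in nft, not listed by firewall-cmd")
    sys.exit(1 if only_fw or only_nft else 0)
```

A non-zero exit from the script is the signal worth alerting on before a reboot of a headless box: it means the policy firewalld reports is not what the kernel enforces, so a custom SSH port allowed in a zone may not actually be open.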

Activities

Tetmohawk (reporter)
2020-04-09 21:58
~0036671

ssh port 22 has been changed to 33198 for your reference.

Issue History

Date Modified Username Field Change
2020-04-09 21:54 Tetmohawk New Issue
2020-04-09 21:58 Tetmohawk Note Added: 0036671