Firewalld fails to reload rules on Centos7
firewall-cmd --permanent --remove-service=ssh firewall-cmd --permanent --add-port=2222/tcp firewall-cmd --permanent --add-service=http firewall-cmd --permanent --add-service=https firewall-cmd --permanent --add-service=smtp
So far, so good, but when i try to reload the rules (firewall-cmd –reload), i just get a ERROR: COMMAND_FAILED and no rules added to iptables :/
Is anyone having this issue? I tried some google-fu but other errors where showing the failed command, mine is totally empty…
You might have a problem with the configuration files, take a look under /etc/firewalld/ and see if any of the xml files are corrupted or just wrong. If you want, you can delete them and start fresh, in case the problem is with some old command that you've run in the past.
[root@Zeno ~]# systemctl start firewalld [root@Zeno ~]# sudo systemctl status firewalld -l ● firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled) Active: active (running) since Sat 2017-03-25 23:03:33 CET; 4s ago Docs: man:firewalld(1) Process: 5273 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS) Main PID: 5326 (firewalld) CGroup: /system.slice/firewalld.service └─5326 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid Mar 25 23:03:33 Zeno systemd: Starting firewalld - dynamic firewall daemon... Mar 25 23:03:33 Zeno systemd: Started firewalld - dynamic firewall daemon. Mar 25 23:03:33 Zeno firewalld: ERROR: COMMAND_FAILED Mar 25 23:03:33 Zeno firewalld: WARNING: '/usr/sbin/iptables-restore -n' failed: Mar 25 23:03:33 Zeno firewalld: WARNING: '/usr/sbin/ip6tables-restore -n' failed: Mar 25 23:03:33 Zeno firewalld: ERROR: COMMAND_FAILED
[root@Zeno ~]# firewall-cmd --state not running
I have no idea where to start looking for a solution.
Didn't mess with any .xml file. Only used firewall-cmd.
Removed zone.xml files
Also, take a look at /var/log/messages, maybe you'll get more errors there, which could help identify the problem.
You could also reinstall the firewall rpm, for example:
yum reinstall firewalld-filesystem-0.4.3.2-8.1.el7_3.2.noarch firewalld-0.4.3.2-8.1.el7_3.2.noarch
(don't copy/paste the above, first make sure the version numbers are the same in your system)
Rebooted and firewall preventing any external connections.
Using lish I found the problem was with the firewalld config.
firewall-cmd –get-active-zones returns nothing
firewall-cmd --list-interfaces returns nothing
firewall-cmd --permanent --zone=public --change-interface=eth0 looks like it succeeds and tells me that it's already in that zone if I re-run it but --get-active-zones still returns nothing
--list-zones shows all the zones and the public zone is still there with the correct services in it as before the update, but it's just not associated with that interface.
A few bits from /var/log/messages -
firewalld: WARNING: '/usr/sbin/iptables-restore -n' failed:
firewalld: WARNING: '/usr/sbin/ip6tables-restore -n' failed:
firewalld: ERROR: COMMAND_FAILED
kernel: nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
There's some kind of borkage to do with the interface scripts, network manager and firewalld.
Does anyone have any suggestions? Ive done a yum remove and install of firewalld to no effect.
the above errors look like they are coming from the underlying iptables and not firewalld.
maybe your kernel has not been compiled with the required modules to support the full features needed by iptables? my suggestion at this point, is to switch to the real CentOS kernel, which we know is fully featured and see if that fixes your problem.
First backing up /etc/firewalld/direct.xml and then remove /etc/firewalld/direct.xml. After which firewall-cmd --reload didn't gave any issue. Hope this helps.