On Tue, 2017-12-19 at 15:05 -0800, Emmett Culley wrote:
> I have two VMs, both with firewalld installed. On one machine I see
> this in the IN_public chain:
>
> Chain IN_public (2 references)
>  pkts bytes target           prot opt in  out source     destination
>    81  3423 IN_public_log    all  --  *   *   0.0.0.0/0  0.0.0.0/0
>    81  3423 IN_public_deny   all  --  *   *   0.0.0.0/0  0.0.0.0/0
>    81  3423 IN_public_allow  all  --  *   *   0.0.0.0/0  0.0.0.0/0
>    79  3335 REJECT           all  --  *   *   0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited
>
> On the other I see:
>
> Chain IN_public (2 references)
>  pkts bytes target           prot opt in  out source     destination
>   101  4232 IN_public_log    all  --  *   *   0.0.0.0/0  0.0.0.0/0
>   101  4232 IN_public_deny   all  --  *   *   0.0.0.0/0  0.0.0.0/0
>   101  4232 IN_public_allow  all  --  *   *   0.0.0.0/0  0.0.0.0/0
>     1    84 ACCEPT           icmp --  *   *   0.0.0.0/0  0.0.0.0/0
>
> As might be expected, pinging the first VM fails. That is, the ping
> is rejected with:
>
> [emmett@ws1 ~]$ ping 96.92.106.4
> PING 96.92.106.4 (96.92.106.4) 56(84) bytes of data.
> From 96.92.106.4 icmp_seq=1 Destination Host Prohibited
> From 96.92.106.4 icmp_seq=2 Destination Host Prohibited
>
> And pinging the second works as expected.
>
> I've searched the firewalld configuration files in /usr/lib/firewalld
> and /etc/firewalld and can find no reference to any icmp rule. The
> two machines were cloned originally from the same VM. Why are they
> different?
>
> How can I remove the reject-with icmp rule using firewalld? I can
> remove it using "iptables -D [IN_public | FWDO_public | FWDI_public ]
> 4" and I can then ping that machine. But of course the rule is
> returned whenever firewalld is restarted.
>
> Emmett
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> https://lists.centos.org/mailman/listinfo/centos
>

What is the output of:

  firewall-cmd --list-all

on the VMs?
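A small diagnostic helper, added here as an example and not part of the thread or of firewalld itself. It reads the `iptables -nvL <chain>` listing that the poster pasted and reports the first terminating verdict an ICMP packet would hit in that zone chain, so the two VMs can be compared mechanically instead of by eye; the second function collects the firewalld zone settings that generate those rules (icmp blocks and icmp-block inversion) so the two hosts' configurations can be diffed. The two sample listings are reconstructed from the thread; `icmp_verdict` and `firewalld_icmp_settings` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread): classify how a firewalld zone chain
# treats ICMP from `iptables -nvL <chain>` output, and gather the firewalld
# zone settings behind those rules.

# Read an `iptables -nvL` listing on stdin and print the first terminating
# verdict an ICMP packet would meet in that chain: ACCEPT, REJECT or DROP,
# or NONE if the chain itself decides nothing and the packet falls through
# to the calling chain. Only rules directly in this chain are examined; jumps
# into sub-chains such as IN_public_allow are not followed.
# -nvL columns: pkts bytes target prot opt in out source destination.
# Depending on the iptables version the protocol column may hold a name
# ("icmp", "all") or a number ("1", "0"), so both forms are accepted.
icmp_verdict() {
    awk '
        ($4 == "icmp" || $4 == "1" || $4 == "all" || $4 == "0") &&
        ($3 == "ACCEPT" || $3 == "REJECT" || $3 == "DROP") {
            print $3; found = 1; exit
        }
        END { if (!found) print "NONE" }
    '
}

# On a host with firewalld, print the zone settings that drive the generated
# ICMP rules. Run it on each VM and diff the output. The --list-all,
# --list-icmp-blocks and --query-icmp-block-inversion options are real
# firewall-cmd options; the zone defaults to "public".
firewalld_icmp_settings() {
    zone="${1:-public}"
    firewall-cmd --zone="$zone" --list-all
    printf 'icmp-blocks: %s\n' "$(firewall-cmd --zone="$zone" --list-icmp-blocks)"
    if firewall-cmd --zone="$zone" --query-icmp-block-inversion >/dev/null 2>&1; then
        echo "icmp-block-inversion: yes"
    else
        echo "icmp-block-inversion: no"
    fi
}

# Constructed sample: the first VM from the thread (no icmp rule, catch-all REJECT).
VM1_CHAIN='Chain IN_public (2 references)
 pkts bytes target           prot opt in  out source     destination
   81  3423 IN_public_log    all  --  *   *   0.0.0.0/0  0.0.0.0/0
   81  3423 IN_public_deny   all  --  *   *   0.0.0.0/0  0.0.0.0/0
   81  3423 IN_public_allow  all  --  *   *   0.0.0.0/0  0.0.0.0/0
   79  3335 REJECT           all  --  *   *   0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited'

# Constructed sample: the second VM from the thread (explicit ACCEPT for icmp).
VM2_CHAIN='Chain IN_public (2 references)
 pkts bytes target           prot opt in  out source     destination
  101  4232 IN_public_log    all  --  *   *   0.0.0.0/0  0.0.0.0/0
  101  4232 IN_public_deny   all  --  *   *   0.0.0.0/0  0.0.0.0/0
  101  4232 IN_public_allow  all  --  *   *   0.0.0.0/0  0.0.0.0/0
    1    84 ACCEPT           icmp --  *   *   0.0.0.0/0  0.0.0.0/0'

# Demo on the constructed samples. On a live host use:
#   iptables -nvL IN_public | icmp_verdict
printf 'VM1: %s\n' "$(printf '%s\n' "$VM1_CHAIN" | icmp_verdict)"
printf 'VM2: %s\n' "$(printf '%s\n' "$VM2_CHAIN" | icmp_verdict)"
```

A REJECT verdict from the zone chain with `reject-with icmp-host-prohibited` is exactly what produces the "Destination Host Prohibited" lines in the poster's ping output; an ACCEPT verdict corresponds to the second VM. Because the chain is regenerated from the zone configuration whenever firewalld reloads, the durable comparison is between the two hosts' `firewalld_icmp_settings` output, not between the chains.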