Re: firewalld

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On 12/19/2017 03:37 PM, Louis Lagendijk wrote:
> On Tue, 2017-12-19 at 15:05 -0800, Emmett Culley wrote:
>> I have two VMs, both with firewalld installed.  One on machine It
>> this in the IN_public chain:
>>
>> Chain IN_public (2 references)
>>   pkts bytes target     prot opt
>> in     out     source               destination
>>     81  3423 IN_public_log  all
>> --  *      *       0.0.0.0/0            0.0.0.0/0
>>     81  3423 IN_public_deny  all
>> --  *      *       0.0.0.0/0            0.0.0.0/0
>>     81  3423 IN_public_allow  all
>> --  *      *       0.0.0.0/0            0.0.0.0/0
>>     79  3335 REJECT     all
>> --  *      *       0.0.0.0/0            0.0.0.0/0            reject-
>> with icmp-host-prohibited
>>
>> On the other I see:
>>
>> Chain IN_public (2 references)
>>   pkts bytes target     prot opt
>> in     out     source               destination
>>    101  4232 IN_public_log  all
>> --  *      *       0.0.0.0/0            0.0.0.0/0
>>    101  4232 IN_public_deny  all
>> --  *      *       0.0.0.0/0            0.0.0.0/0
>>    101  4232 IN_public_allow  all
>> --  *      *       0.0.0.0/0            0.0.0.0/0
>>      1    84 ACCEPT     icmp
>> --  *      *       0.0.0.0/0            0.0.0.0/0
>>
>> As might be expected, pinging the first VM fails.  That is the ping
>> is rejected with:
>>
>> [emmett@ws1 ~]$ ping 96.92.106.4
>> PING 96.92.106.4 (96.92.106.4) 56(84) bytes of data.
>>  From 96.92.106.4 icmp_seq=1 Destination Host Prohibited
>>  From 96.92.106.4 icmp_seq=2 Destination Host Prohibited
>>
>> And pinging the second works as expected.
>>
>> I've searche the firewalld configuration files in /usr/lib/firewalld
>> and /etc/firewalld and can find no reference to any icmp rule.  The
>> two machines were cloned originally from the same VM.  Why are they
>> different?
>>
>> How can I remove the reject-with icmp rule using firewalld.  I can
>> remove it using "iptables -D [IN_public | FWDO_public | FWDI_public ]
>> 4" and I can then ping that machine.  But of course the rule is
>> returned whenever firewalld is restarted.
>>
>> Emmett
>> _______________________________________________
>> CentOS mailing list
>> CentOS@xxxxxxxxxx
>> https://lists.centos.org/mailman/listinfo/centos
>>
> What is the output off:
> firewall-cmd --list-all
> on the VMs?
> 
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> https://lists.centos.org/mailman/listinfo/centos
> 
That was the clue I needed.  On the first machine:

  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ftp_passiv http ssh https ftps
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

And the second:

  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ftp_passiv http ssh https ftps
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Changing the target to "default"  instead of "%%REJECT%%" by setting the zone policy to default in firewalld-config fixed it.  NOt sure whay that would be, but I am happy with the result.

Thanks!

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos



[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]


  Powered by Linux