Re: [CentOS] Firewalld and iptables

2018-12-15 Thread Kenneth Porter
--On Friday, December 14, 2018 11:48 PM -0500 Jon LaBadie wrote:

> I don't play with iptables, so I assume it is a legacy
> continued from CentOS 6.x.  I'll gladly remove the
> iptables service package.


firewalld is a user-space layer on top of the kernel's iptables machinery. 
It provides for dynamic changes to the underlying iptables firewall. The 
old firewall configuration (iptables.service, previously implemented as an 
initscript in older CentOS versions) assumed a static firewall that was 
loaded once at boot time. Changes required flushing the entire set of rules 
and starting again, but that would disrupt running network applications. 
Firewalld is a higher level description that is able to add and remove 
rules on a running machine without disrupting applications. It still uses 
the iptables machinery under the hood. It's good for dynamic systems like 
mobile devices where interfaces come and go and the device changes networks 
frequently. 
___

CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Firewalld and iptables

2018-12-15 Thread Kenneth Porter
--On Friday, December 14, 2018 11:48 PM -0500 Jon LaBadie wrote:

>    https://pastebin.com/njaqR87f

The rule names all look like standard builtins. Are the iptables modules 
loading into the kernel? Run lsmod and post that to pastebin. (I don't know 
what loads the firewall modules in CentOS 7.)

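A quick way to act on the lsmod suggestion above, as an added example that is not part of the thread: feed lsmod output to a small checker that reports which netfilter modules firewalld's iptables backend relies on are not loaded. The module list and the sample lsmod output below are constructed for illustration (sizes and refcounts are made up, and the list is an assumption to trim to the tables you use); the only real command involved is lsmod itself. Note that the kernel normally autoloads these modules on demand the first time iptables touches a table, so a module that stays missing on a live box points at a load failure (check dmesg) rather than at a missing init step.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): report which netfilter modules are
# not loaded, given `lsmod` output on stdin.   Real use:  lsmod | missing_modules

# Modules firewalld's iptables backend touches on a typical CentOS 7 box.
# Assumption: the list is illustrative; trim it to the tables you actually use.
WANTED_MODULES="ip_tables iptable_filter iptable_nat iptable_mangle iptable_raw
                ip6_tables ebtables nf_conntrack"

# Constructed sample of `lsmod` output (sizes and refcounts are made up).
SAMPLE_LSMOD='Module                  Size  Used by
nf_conntrack_ipv4      15053  2
nf_defrag_ipv4         12729  1 nf_conntrack_ipv4
iptable_filter         12810  1
ip_tables              27126  1 iptable_filter
nf_conntrack          139264  1 nf_conntrack_ipv4
bridge                146976  0'

# stdin: lsmod output -> stdout: loaded module names, one per line
# (skips the "Module Size Used by" header line)
loaded_modules() {
    awk 'NR > 1 && NF >= 1 { print $1 }'
}

# stdin: lsmod output -> stdout: wanted modules that are NOT loaded.
# Returns 0 when everything is present, 1 when at least one is missing.
missing_modules() {
    local loaded m rc=0
    loaded="$(loaded_modules)"
    for m in $WANTED_MODULES; do
        if ! printf '%s\n' "$loaded" | grep -qx -- "$m"; then
            printf '%s\n' "$m"
            rc=1
        fi
    done
    return "$rc"
}

# Stand-alone run: --live reads the real lsmod, otherwise the sample is used.
if [ "${1:-}" = "--live" ]; then
    input="$(lsmod)"
else
    input="$SAMPLE_LSMOD"
fi
if printf '%s\n' "$input" | missing_modules; then
    echo "all expected netfilter modules are loaded"
else
    echo "the modules listed above are not loaded (see dmesg for load errors)"
fi
```

Run it as `bash check-modules.sh --live` on the affected host; the non-zero exit status from missing_modules makes it usable from a monitoring check as well.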


Re: [CentOS] Firewalld and iptables

2018-12-14 Thread Jon LaBadie
On Fri, Dec 14, 2018 at 04:55:33PM -0800, Kenneth Porter wrote:
> --On Friday, December 14, 2018 5:57 PM -0500 Jon LaBadie 
> wrote:
> 
> > Well, there are about 20 of them and several screen widths
> > long.  However they all end with one of two reasons:
> > 
> >   : No chain/target/match by that name.
> >   : Bad rule (does a matching rule exist in that chain?).
> 
> Put them on a pastebin so we can see them at full width. The chain names
> should tell us what's responsible for them.
> 
   https://pastebin.com/njaqR87f
> 
> Note that the iptables utilities and the iptables service are distinct. I
> install the utilities so that I can inspect the kernel chains that firewalld
> creates. But I don't install the iptables service.

I don't play with iptables, so I assume it is a legacy
continued from CentOS 6.x.  I'll gladly remove the
iptables service package.

Jon
-- 
Jon H. LaBadie j...@jgcomp.com
 11226 South Shore Rd.  (703) 787-0688 (H)
 Reston, VA  20190  (703) 935-6720 (C)


Re: [CentOS] Firewalld and iptables

2018-12-14 Thread Gordon Messmer

On 12/14/18 2:57 PM, Jon LaBadie wrote:

> Well, there are about 20 of them and several screen widths
> long.  However they all end with one of two reasons:
>
>    : No chain/target/match by that name.
>    : Bad rule (does a matching rule exist in that chain?).

If you don't include the errors, all we can do is guess.  The name of 
the chain that doesn't exist is probably key to explaining the error.


Docker is one possible reason for such errors:

https://support.plesk.com/hc/en-us/articles/360007029113-Docker-startup-on-firewalld-Warning-COMMAND-FAILED-No-chain-target-match-by-that-name

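To get the chain names out of those warnings without reading twenty screen-wide lines, here is an added example (not Gordon's code and not firewalld's own tooling) that reads `journalctl -u firewalld` or `systemctl status -l firewalld` output and prints table, chain, operation and reason for each failed iptables call, then counts failures per chain. The log lines below are constructed to match the `WARNING: COMMAND_FAILED: '<command>' failed: iptables: <reason>.` shape firewalld logs; the DOCKER chain names in them are an assumption chosen because Docker is the cause Gordon points at, not something taken from the poster's pastebin.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): summarise firewalld COMMAND_FAILED
# warnings by the iptables chain they refer to.
# Real use:  journalctl -u firewalld --no-pager | summarize_by_chain

# Constructed sample lines in the shape firewalld logs them; the DOCKER
# chains are illustrative (assumption), not taken from the poster's pastebin.
SAMPLE_LOG="Dec 14 21:03:11 host firewalld[1042]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -F DOCKER' failed: iptables: No chain/target/match by that name.
Dec 14 21:03:11 host firewalld[1042]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -X DOCKER' failed: iptables: No chain/target/match by that name.
Dec 14 21:03:11 host firewalld[1042]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Dec 14 21:03:11 host firewalld[1042]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
Dec 14 21:03:12 host firewalld[1042]: Reloaded."

# stdin: log lines -> stdout: TABLE<TAB>CHAIN<TAB>OP<TAB>REASON, one per failure.
# The journal/status prefix is ignored: only the quoted command and the
# text after "failed: " are parsed, so either source works.
parse_command_failed() {
    awk -v q="'" '
    {
        marker = "COMMAND_FAILED: " q
        i = index($0, marker)
        if (i == 0) next                         # not a failure line
        s = substr($0, i + length(marker))       # starts inside the quotes
        j = index(s, q " failed: ")
        if (j == 0) next
        cmd    = substr(s, 1, j - 1)
        reason = substr(s, j + length(q " failed: "))
        sub(/^iptables: /, "", reason); sub(/\.$/, "", reason)

        # walk the iptables argv: -t picks the table (default filter); the
        # first chain operation (-A -D -I -R -F -X -N -E -P -L -S -Z) names
        # the chain, or acts on the whole table when no chain follows it
        table = "filter"; op = ""; chain = "(none)"
        n = split(cmd, a, / +/)
        for (k = 1; k <= n; k++) {
            if (a[k] == "-t" && k < n) { table = a[k+1]; k++ }
            else if (op == "" && a[k] ~ /^-[ADIRFXNEPLSZ]$/) {
                op = a[k]
                if (k < n && a[k+1] !~ /^-/) chain = a[k+1]
                else chain = "(table)"
            }
        }
        printf "%s\t%s\t%s\t%s\n", table, chain, op, reason
    }'
}

# stdin: log lines -> stdout: "COUNT TABLE/CHAIN", most frequent chain first
summarize_by_chain() {
    parse_command_failed | awk -F'\t' '{ print $1 "/" $2 }' | sort | uniq -c | sort -rn
}

# Stand-alone run: --live reads the journal, otherwise the constructed sample.
if [ "${1:-}" = "--live" ]; then
    journalctl -u firewalld --no-pager | summarize_by_chain
else
    printf '%s\n' "$SAMPLE_LOG" | summarize_by_chain
fi
```

Chains that firewalld creates itself are named after its zones and hooks (IN_public, INPUT_ZONES and so on); a chain in this summary that firewalld did not create, such as one Docker manages, tells you which other program is working on the same tables and is the thing to reconcile before touching firewalld's config.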


Re: [CentOS] Firewalld and iptables

2018-12-14 Thread Kenneth Porter
--On Friday, December 14, 2018 5:57 PM -0500 Jon LaBadie wrote:

> Well, there are about 20 of them and several screen widths
> long.  However they all end with one of two reasons:
>
>   : No chain/target/match by that name.
>   : Bad rule (does a matching rule exist in that chain?).

Put them on a pastebin so we can see them at full width. The chain names 
should tell us what's responsible for them.


> After the update I got email from "ckservices" that firewalld was down.
> I saw the above mentioned iptable errors and checked the iptables.service
> to find it masked.  I shutdown firewalld, unmasked, enabled, and started
> iptables.service and then firewalld.  Same errors.  So I shutdown iptables
> service, masked it, and restarted firewalld.

Note that the iptables utilities and the iptables service are distinct. I 
install the utilities so that I can inspect the kernel chains that firewalld 
creates. But I don't install the iptables service.



Re: [CentOS] Firewalld and iptables

2018-12-14 Thread Warren Young
On Dec 14, 2018, at 3:57 PM, Jon LaBadie  wrote:
> 
>  : Bad rule (does a matching rule exist in that chain?).

That makes sense: the old iptables service installed several default chains, 
and firewalld does as well, but they’re not named the same, and I doubt there’s 
a 1:1 mapping between them.

That’s part of why I advised you to use one or the other, not both.  Another 
reason is that their persistent rule stores use entirely different file 
formats, in different locations.


Re: [CentOS] Firewalld and iptables

2018-12-14 Thread Jon LaBadie
On Fri, Dec 14, 2018 at 03:14:12PM -0700, Warren Young wrote:
> On Dec 14, 2018, at 2:30 PM, Jon LaBadie  wrote:
> > 
> > After a recent large update, firewalld's status contains
> > many lines of the form:
> > 
> >  WARNING: COMMAND_FAILED: '/usr/sbin/iptables…
> 
> What’s the rest of the command?

Well, there are about 20 of them and several screen widths
long.  However they all end with one of two reasons:

  : No chain/target/match by that name.
  : Bad rule (does a matching rule exist in that chain?).

> 
> > Checking iptables.service status shows it to be masked.
> 
> That’s probably from package iptables-services, which isn’t installed by 
> default on purpose. It’s the legacy service from before firewalld was made 
> the default.  Use one or the other, not both.
> 

After the update I got email from "ckservices" that firewalld was down.
I saw the above mentioned iptable errors and checked the iptables.service
to find it masked.  I shutdown firewalld, unmasked, enabled, and started
iptables.service and then firewalld.  Same errors.  So I shutdown iptables
service, masked it, and restarted firewalld.

> I strongly recommend that you use firewalld ...
> 
Never planned to do otherwise.  Just was uncertain if iptables.service
had to run also.

Thanks,
Jon
-- 
Jon H. LaBadie j...@jgcomp.com
 11226 South Shore Rd.  (703) 787-0688 (H)
 Reston, VA  20190  (703) 935-6720 (C)


Re: [CentOS] Firewalld and iptables

2018-12-14 Thread Warren Young
On Dec 14, 2018, at 3:14 PM, Warren Young  wrote:
> 
>    alias fcp="sudo firewall-cmd --permanent"

These commands are top-of-mind for me at the moment because I just configured a 
Raspberry Pi based network appliance at home, and installed firewalld on it for 
the purpose because I like it so much better than raw iptables commands.

The default OS for the Raspberry Pi is derived from Debian, which has firewalld 
in its package repository but doesn’t use it by default.  I found it well worth 
going out of my way to get firewalld on that Pi.

Good stuff!


Re: [CentOS] Firewalld and iptables

2018-12-14 Thread Warren Young
On Dec 14, 2018, at 2:30 PM, Jon LaBadie  wrote:
> 
> After a recent large update, firewalld's status contains
> many lines of the form:
> 
>  WARNING: COMMAND_FAILED: '/usr/sbin/iptables…

What’s the rest of the command?

> Checking iptables.service status shows it to be masked.

That’s probably from package iptables-services, which isn’t installed by 
default on purpose. It’s the legacy service from before firewalld was made the 
default.  Use one or the other, not both.

I strongly recommend that you use firewalld instead of the old iptables 
service.  While firewalld is based on the kernel’s iptables facility, it gives 
many additional capabilities that you don’t get with raw iptables commands.  
The old service was little more than a macro system for raw iptables commands.  

Contrast firewalld, which:

1. Integrates with systemd.

2. Understands “services” as opposed to just raw port numbers and such.  This 
is especially valuable with complex services like NFS.  With iptables…well, you 
forgot to allow rpc.portmap again, didn’t you? :)

3. Updates the firewall in real time, live.  You can do this by hand with raw 
iptables commands, but the syntax for inserting new rules at the right place in 
the tables is awkward.  Firewalld automates all of that for you.

4. Add --permanent to a new rule to save it securely to the rule set loaded on 
startup.  Contrast iptables, where you’re often running across blog articles 
and such that talk about saving such rules separately to /etc/rc.local and 
such, or editing /etc/sysconfig/iptables directly.

5. If you prefer the “update global config and reload” pattern of the old 
system-config-firewall scheme from CentOS 6, you can do that with firewalld, 
too:

alias fcp="sudo firewall-cmd --permanent"
fcp --add-service foo
fcp --add-port somename/tcp
…more fcp commands here…
sudo firewall-cmd --reload


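The "batch of --permanent changes, then one --reload" pattern in point 5 is easy to wrap so that a bad port spec is rejected before anything is written under /etc/firewalld, and so the whole plan can be previewed first. The script below is an added example, not Warren's alias and not firewalld's own tooling; the zone and the service/port items are made-up inputs, and DRY_RUN=1 prints the firewall-cmd invocations instead of running them (which is also how it runs on a box without firewalld).

```shell
#!/usr/bin/env bash
# Added example (not from the thread): apply a batch of permanent firewalld
# changes, validate them first, and reload exactly once at the end.
# DRY_RUN=1 prints the firewall-cmd invocations instead of executing them.
set -u

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"
DRY_RUN="${DRY_RUN:-0}"

run() {                     # execute, or echo the command when dry-running
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

fcp() {                     # the thread's alias as a function: permanent variant
    run "$FIREWALL_CMD" --permanent "$@"
}

# --add-port takes PORT[-PORT]/PROTOCOL (tcp, udp, sctp or dccp), not a
# name; reject anything else before it reaches the persistent config.
valid_port_spec() {
    printf '%s' "$1" | grep -Eq '^[0-9]{1,5}(-[0-9]{1,5})?/(tcp|udp|sctp|dccp)$'
}

# apply_changes ZONE item...   items are service:NAME or port:SPEC
# Returns 2 on a bad item (nothing written, no reload), else firewall-cmd's status.
apply_changes() {
    local zone="$1" item; shift
    # validate everything first, so a typo in item 3 cannot leave items 1
    # and 2 saved to the permanent config with the rest never applied
    for item in "$@"; do
        case "$item" in
            service:?*) ;;
            port:*) valid_port_spec "${item#port:}" || { echo "bad port spec: $item" >&2; return 2; } ;;
            *) echo "unknown item: $item" >&2; return 2 ;;
        esac
    done
    for item in "$@"; do
        case "$item" in
            service:*) fcp --zone="$zone" --add-service="${item#service:}" || return $? ;;
            port:*)    fcp --zone="$zone" --add-port="${item#port:}"       || return $? ;;
        esac
    done
    # one reload makes the permanent set the runtime set; note that rules
    # added earlier without --permanent are dropped by this reload
    run "$FIREWALL_CMD" --reload
}

# Stand-alone run: preview the plan for a made-up zone and items; pass
# --apply to execute for real (needs root and a running firewalld).
if [ "${1:-}" = "--apply" ]; then
    apply_changes public service:ssh port:8443/tcp
else
    DRY_RUN=1 apply_changes public service:ssh port:8443/tcp
fi
```

If you prefer to work the other way round (change the running firewall first, then keep what worked), `firewall-cmd --runtime-to-permanent` copies the runtime configuration into the permanent one, which is the opposite direction of the reload at the end of this script.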


[CentOS] Firewalld and iptables

2018-12-14 Thread Jon LaBadie
After a recent large update, firewalld's status contains
many lines of the form:

  WARNING: COMMAND_FAILED: '/usr/sbin/iptables...

Checking iptables.service status shows it to be masked.

I realize that firewalld uses iptables, but should it
be enabled and started as a service?

Jon
-- 
Jon H. LaBadie j...@labadie.us
 11226 South Shore Rd.  (703) 787-0688 (H)
 Reston, VA  20190  (703) 935-6720 (C)