Hello Eric,
While we are investigating this issue:
Meanwhile, is there any way we can delete the rule below and make it
persistent after firewalld reload and reboot?
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
No. This rule is vital to firewalld's functionality. Deleting it makes
firewalld accept all packets in many cases.
I know that iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
will delete the rule, but it is not persistent after a firewall reload
or reboot.
Since I am stuck on this, I need to get this going. Maybe later on I can
debug further to get a proper fix.
On Wed, Nov 18, 2020 at 7:19 PM Vishal K <bspteam00(a)gmail.com> wrote:
> Hello Eric,
>
> PFA the output of the command from both nodes.
>
> On Wed, Nov 18, 2020 at 7:02 PM Eric Garver <egarver(a)redhat.com> wrote:
>
>> On Wed, Nov 18, 2020 at 05:51:09PM +0530, Vishal K wrote:
>> > Hello Eric/Team,
>> >
>> > Please check the snip below from the 2 nodes on which I am working to
>> > make the slp service work; it is not getting discovered from the other
>> > node. From the same node it shows the service.
>> >
>> > I have added the slp service to the firewall on both nodes. Can someone
>> > help me in getting this issue fixed?
>> >
>> > [image: image.png]
>>
>> This is indeed a nice screenshot. Unfortunately it does not contain any
>> of the information I asked for.
>>
>> Please copy/paste the output of the following command:
>>
>> # firewall-cmd --list-all-zones
>>
>> >
>> > On Wed, Nov 18, 2020 at 2:58 AM Eric Garver <egarver(a)redhat.com> wrote:
>> >
>> > > On Wed, Nov 18, 2020 at 01:06:52AM +0530, Vishal K wrote:
>> > > > Hello Eric,
>> > > >
>> > > > I will check those details (other nodes' requests are coming in on
>> > > > the default zone) and update.
>> > > > Meanwhile I have another system where SLES 12 is running, and there
>> > > > I see the rule below by default
>> > > >
>> > > > In INPUT chain
>> > > > ACCEPT icmp -- anywhere anywhere ctstate RELATED
>> > >
>> > > I'm not sure where this rule is coming from. You can check the
>> > > firewalld configuration.
>> > >
>> > > # firewall-cmd --list-all-zones
>> > >
>> > > >
>> > > >
>> > > > I wonder why it's not there in SLES 15.
>> > > >
>> > > > Thanks
>> > > >
>> > > >
>> > > >
>> > > > On Wed, Nov 18, 2020, 12:47 AM Eric Garver <egarver(a)redhat.com> wrote:
>> > > >
>> > > > > On Wed, Nov 18, 2020 at 12:41:24AM +0530, Vishal K wrote:
>> > > > > > Hello Eric,
>> > > > > >
>> > > > > > Thanks for the response. I did add this option in the
>> > > > > > public/external zone
>> > > > > >
>> > > > > > # firewall-cmd --permanent --add-service slp
>> > > > > > # firewall-cmd --reload
>> > > > > > Even so, the slp services were not getting discovered by
>> > > > > > other nodes.
>> > > > > > As soon as I delete this rule
>> > > > > >
>> > > > > > iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
>> > > > > >
>> > > > > > all starts working fine.
>> > > > > >
>> > > > > > That's why I am confused/clueless about what can be done to make
>> > > > > > it work.
>> > > > >
>> > > > > Are you sure the other nodes' requests are coming in on the
>> > > > > default zone?
>> > > > > What does --get-active-zones show?
>> > > > >
>> > > > > > Thanks
>> > > > > >
>> > > > > >
>> > > > > > On Wed, Nov 18, 2020, 12:32 AM Eric Garver <egarver(a)redhat.com> wrote:
>> > > > > >
>> > > > > > > On Tue, Nov 17, 2020 at 06:19:09PM -0000, bsp team wrote:
>> > > > > > > > The rule below in iptables is causing slptool to fail in
>> > > > > > > > detecting the services of other hosts.
>> > > > > > > > REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
>> > > > > > > > I deleted it by using the command below
>> > > > > > > > iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
>> > > > > > > > and slp started to discover from the other node with the
>> > > > > > > > firewall enabled.
>> > > > > > > > However, when I reload firewalld or reboot, it again goes
>> > > > > > > > back to the original rule (REJECT).
>> > > > > > > > How can I delete this rule permanently, so that even after
>> > > > > > > > reloading the firewalld daemon it does not go back to the
>> > > > > > > > default? Or is there any other way?
>> > > > > > >
>> > > > > > > You should _not_ delete this rule. Doing so will likely leave
>> > > > > > > your firewall open and your server unprotected. I repeat. DO NOT
>> > > > > > > DELETE THIS RULE.
>> > > > > > >
>> > > > > > > Instead add the `slp` service:
>> > > > > > >
>> > > > > > > # firewall-cmd --permanent --add-service slp
>> > > > > > > # firewall-cmd --reload
>> > > > > > >
>> > > > > > > The above adds it to the default zone (likely "public"). To
>> > > > > > > add it to a specific zone add the `--zone` argument.
>> > > > > > >
>> > > > > > > # firewall-cmd --permanent --zone external --add-service slp
>> > > > > > > # firewall-cmd --reload
>> > > > > > >
>> > > > > > >
>> > > > >
>> > > > > > _______________________________________________
>> > > > > > firewalld-users mailing list --
>> > > firewalld-users(a)lists.fedorahosted.org
>> > > > > > To unsubscribe send an email to
>> > > > > firewalld-users-leave(a)lists.fedorahosted.org
>> > > > > > Fedora Code of Conduct:
>> > > > >
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> > > > > > List Guidelines:
>> > >
https://fedoraproject.org/wiki/Mailing_list_guidelines
>> > > > > > List Archives:
>> > > > >
>> > >
>>
https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedora...
>>
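The thread's advice is to find the zone the peer nodes' traffic actually arrives on (Eric's `--get-active-zones` question) and add the `slp` service there, rather than deleting firewalld's trailing REJECT rule. The POSIX shell snippet below is an added example, not code from the thread or from the firewalld project: it parses constructed samples of `firewall-cmd --get-active-zones` and `firewall-cmd --list-all-zones` output (interface names eth0/eth1 and the zone contents are assumptions) and works out which `firewall-cmd --permanent --zone ... --add-service slp` invocation is needed, so that the zone is chosen from evidence instead of guessed.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Offline helper that mirrors
# the advice given there: locate the active zone bound to the interface the
# other nodes reach us on, check whether slp is already allowed in that zone,
# and print the firewall-cmd commands to run. Nothing here touches the firewall.

# Constructed sample of `firewall-cmd --get-active-zones` output (assumed NICs).
ACTIVE_ZONES='public
  interfaces: eth0
external
  interfaces: eth1'

# Constructed sample of the relevant lines of `firewall-cmd --list-all-zones`.
LIST_ALL_ZONES='public (active)
  target: default
  interfaces: eth0
  services: dhcpv6-client ssh
  ports:

external (active)
  target: default
  interfaces: eth1
  services: ssh
  ports:
'

# zone_for_iface OUTPUT IFACE -> prints the zone whose "interfaces:" line lists IFACE
zone_for_iface() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[^ ]/ { zone = $1; next }                 # unindented line = zone name
        /^ *interfaces:/ {
            for (i = 2; i <= NF; i++) if ($i == want) { print zone; exit }
        }'
}

# zone_has_service OUTPUT ZONE SERVICE -> exit 0 if SERVICE is listed for ZONE
zone_has_service() {
    printf '%s\n' "$1" | awk -v zone="$2" -v svc="$3" '
        /^[^ ]/ { cur = $1; next }                  # "public (active)" -> "public"
        cur == zone && /^ *services:/ {
            for (i = 2; i <= NF; i++) if ($i == svc) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# plan_for_iface IFACE -> prints the commands needed to allow slp on IFACE's zone
plan_for_iface() {
    zone=$(zone_for_iface "$ACTIVE_ZONES" "$1")
    if [ -z "$zone" ]; then
        echo "no active zone binds $1; check 'firewall-cmd --get-active-zones'" >&2
        return 1
    fi
    if zone_has_service "$LIST_ALL_ZONES" "$zone" slp; then
        echo "# slp is already allowed in zone $zone; nothing to add"
        return 0
    fi
    # Permanent change plus reload, exactly as recommended in the thread.
    echo "firewall-cmd --permanent --zone $zone --add-service slp"
    echo "firewall-cmd --reload"
}

# Example run against the constructed samples: peers reach this host via eth1.
plan_for_iface eth1
```

On a real host the two sample strings would be replaced by the live command output (for example `ACTIVE_ZONES=$(firewall-cmd --get-active-zones)`); the point of keeping the REJECT rule is that only the traffic you have explicitly allowed in the correct zone gets through.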