Re: SLES15 Default Iptable rule causing issue

Hello Eric, While we are investigating this issue. *Meanwhile is there any way we can delete the below rule and make it persistent after firewalld reload and reboot * REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

i know iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited this will delete the rule but it is not persistent after firewall reload and reboot since i am stuck on this will need to get this going . Maybe later on i can debug further to get a proper fix. On Wed, Nov 18, 2020 at 7:19 PM Vishal K <bspteam00(a)gmail.com&gt; wrote: > Hello Eric , > > PFA the output of command from both the nodes > > On Wed, Nov 18, 2020 at 7:02 PM Eric Garver <egarver(a)redhat.com&gt; wrote: > >> On Wed, Nov 18, 2020 at 05:51:09PM +0530, Vishal K wrote: >> > Hello Eric/Team, >> > >> > Please check the below snip from the 2 nodes on which i am working to >> make >> > slp service work , but it is not getting discovered from other node. >> > from same node it show the service >> > >> > i have added the slp service in firewall at both the node . Can someone >> > help me in getting this issue fixed. >> > >> > [image: image.png] >> >> This is indeed a nice screenshot. Unfortunately it does not contain any >> of the information I asked for. >> >> Please copy/paste the output of the following command: >> >> # firewall-cmd --list-all-zones >> >> > >> > On Wed, Nov 18, 2020 at 2:58 AM Eric Garver <egarver(a)redhat.com&gt; wrote: >> > >> > > On Wed, Nov 18, 2020 at 01:06:52AM +0530, Vishal K wrote: >> > > > Hello Eric, >> > > > >> > > > I Will check that details(other nodes requests are coming in on the >> > > default >> > > > zone) and update. >> > > > Meanwhile i have another system where sles12 is runnin and there i >> see >> > > > below rule by default >> > > > >> > > > In INPUT chain >> > > > ACCEPT icmp -- anywhere anywhere ctstate RELATED >> > > >> > > I'm not sure where this rule is coming from. You can check the >> firewalld >> > > configuration. >> > > >> > > # firewall-cmd --list-all-zones >> > > >> > > > >> > > > >> > > > I wonder it's not there in sles15. >> > > > >> > > > Thanks >> > > > >> > > > >> > > > >> > > > On Wed, Nov 18, 2020, 12:47 AM Eric Garver <egarver(a)redhat.com&gt; >> wrote: >> > > > >> > > > > On Wed, Nov 18, 2020 at 12:41:24AM +0530, Vishal K wrote: >> > > > > > Hello Eric, >> > > > > > >> > > > > > thanks for the response. I did added this option in >> public/external >> > > zone >> > > > > > >> > > > > > firewall-cmd --permanent --add-service slp >> > > > > > # firewall-cmd --reload >> > > > > > Even though the slp services were not getting discovered by >> other >> > > nodes. >> > > > > > As soon as i delete this rule >> > > > > > >> > > > > > iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited >> > > > > > >> > > > > > All starts working fine. >> > > > > > >> > > > > > That's why i am confused/clueless what can be done to make it >> work. >> > > > > >> > > > > Are you sure the other nodes requests are coming in on the default >> > > zone? >> > > > > What does --get-active-zones show? >> > > > > >> > > > > > Thanks >> > > > > > >> > > > > > >> > > > > > On Wed, Nov 18, 2020, 12:32 AM Eric Garver <egarver(a)redhat.com&gt; >> > > wrote: >> > > > > > >> > > > > > > On Tue, Nov 17, 2020 at 06:19:09PM -0000, bsp team wrote: >> > > > > > > > Below rule in iptables is causing the slptool to fail in >> > > detecting >> > > > > the >> > > > > > > services of other hosts. >> > > > > > > > REJECT all -- anywhere anywhere reject-with >> icmp-host-prohibited >> > > > > > > > I deleted it by using below command >> > > > > > > > iptables -D INPUT -j REJECT --reject-with >> icmp-host-prohibited >> > > > > > > > and slp started to discover from other node with firewall >> > > enabled. >> > > > > > > > however when i reload the firewalld or reboot it again went >> back >> > > to >> > > > > > > original rule (REJECT) >> > > > > > > > how can i delete this rule permanently so that even after >> > > reoading >> > > > > > > firewalld daemon it does not go back to default. >> > > > > > > > or is there anyother way >> > > > > > > >> > > > > > > You should _not_ delete this rule. Doing so will likely leave >> your >> > > > > > > firewall open and your server unprotected. I repeat. DO NOT >> DELETE >> > > THIS >> > > > > > > RULE. >> > > > > > > >> > > > > > > Instead add the `slp` service: >> > > > > > > >> > > > > > > # firewall-cmd --permanent --add-service slp >> > > > > > > # firewall-cmd --reload >> > > > > > > >> > > > > > > The above adds it to the default zone (likely "public"). To >> add it >> > > to a >> > > > > > > specific zone add the `--zone` argument. >> > > > > > > >> > > > > > > # firewall-cmd --permanent --zone external --add-service >> slp >> > > > > > > # firewall-cmd --reload >> > > > > > > >> > > > > > > >> > > > > >> > > > > > _______________________________________________ >> > > > > > firewalld-users mailing list -- >> > > firewalld-users(a)lists.fedorahosted.org >> > > > > > To unsubscribe send an email to >> > > > > firewalld-users-leave(a)lists.fedorahosted.org >> > > > > > Fedora Code of Conduct: >> > > > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >> > > > > > List Guidelines: >> > > https://fedoraproject.org/wiki/Mailing_list_guidelines >> > > > > > List Archives: >> > > > > >> > > >> https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedora... >> > > > > >> > > > > >> > > >> > > > _______________________________________________ >> > > > firewalld-users mailing list -- >> firewalld-users(a)lists.fedorahosted.org >> > > > To unsubscribe send an email to >> > > firewalld-users-leave(a)lists.fedorahosted.org >> > > > Fedora Code of Conduct: >> > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >> > > > List Guidelines: >> https://fedoraproject.org/wiki/Mailing_list_guidelines >> > > > List Archives: >> > > >> https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedora... >> > > >> > > >> >> >> >> > _______________________________________________ >> > firewalld-users mailing list -- firewalld-users(a)lists.fedorahosted.org >> > To unsubscribe send an email to >> firewalld-users-leave(a)lists.fedorahosted.org >> > Fedora Code of Conduct: >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >> > List Archives: >> https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedora... >> >>

_______________________________________________ firewalld-users mailing list -- firewalld-users(a)lists.fedorahosted.org To unsubscribe send an email to firewalld-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedora...