Hello Eric,

While we are investigating this issue, is there meanwhile any way we can delete the rule below and make that persistent across a firewalld reload and reboot?

REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

I know that iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited will delete the rule, but it is not persistent after a firewalld reload or reboot.

Since I am stuck on this, I will need to get this going. Maybe later on I can debug further to get a proper fix.

On Wed, Nov 18, 2020 at 7:19 PM Vishal K <bspteam00@gmail.com> wrote:
Hello Eric,

PFA the output of the command from both nodes.

On Wed, Nov 18, 2020 at 7:02 PM Eric Garver <egarver@redhat.com> wrote:
On Wed, Nov 18, 2020 at 05:51:09PM +0530, Vishal K wrote:
> Hello Eric/Team,
>
> Please check the snip below from the 2 nodes on which I am working to make
> the slp service work; it is not getting discovered from the other node.
> From the same node it shows the service.
>
> I have added the slp service in the firewall at both nodes. Can someone
> help me in getting this issue fixed?
>
> [image: image.png]

This is indeed a nice screenshot. Unfortunately it does not contain any
of the information I asked for.

Please copy/paste the output of the following command:

    # firewall-cmd --list-all-zones

>
> On Wed, Nov 18, 2020 at 2:58 AM Eric Garver <egarver@redhat.com> wrote:
>
> > On Wed, Nov 18, 2020 at 01:06:52AM +0530, Vishal K wrote:
> > > Hello Eric,
> > >
> > > I will check that detail (other nodes' requests are coming in on the
> > > default zone) and update.
> > > Meanwhile I have another system where sles12 is running and there I see
> > > the rule below by default
> > >
> > > In the INPUT chain:
> > > ACCEPT icmp -- anywhere anywhere ctstate RELATED
> >
> > I'm not sure where this rule is coming from. You can check the firewalld
> > configuration.
> >
> >     # firewall-cmd --list-all-zones
> >
> > >
> > >
> > > I wonder why it's not there in sles15.
> > >
> > > Thanks
> > >
> > >
> > >
> > > On Wed, Nov 18, 2020, 12:47 AM Eric Garver <egarver@redhat.com> wrote:
> > >
> > > > On Wed, Nov 18, 2020 at 12:41:24AM +0530, Vishal K wrote:
> > > > > Hello Eric,
> > > > >
> > > > > Thanks for the response. I did add this option in the public/external
> > > > > zone:
> > > > >
> > > > >     # firewall-cmd --permanent --add-service slp
> > > > >     # firewall-cmd --reload
> > > > >
> > > > > Even so, the slp services were not getting discovered by other nodes.
> > > > > As soon as I delete this rule
> > > > >
> > > > >     iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
> > > > >
> > > > > all starts working fine.
> > > > >
> > > > > That's why I am confused/clueless about what can be done to make it work.
> > > >
> > > > Are you sure the other nodes' requests are coming in on the default
> > > > zone? What does --get-active-zones show?
> > > >
> > > > > Thanks
> > > > >
> > > > >
> > > > > On Wed, Nov 18, 2020, 12:32 AM Eric Garver <egarver@redhat.com>
> > wrote:
> > > > >
> > > > > > On Tue, Nov 17, 2020 at 06:19:09PM -0000, bsp team wrote:
> > > > > > > The rule below in iptables is causing slptool to fail to detect
> > > > > > > the services of other hosts:
> > > > > > > REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
> > > > > > > I deleted it using the command below
> > > > > > > iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
> > > > > > > and slp started to discover from the other node with the firewall
> > > > > > > enabled. However, when I reload firewalld or reboot, it goes back
> > > > > > > to the original rule (REJECT).
> > > > > > > How can I delete this rule permanently so that even after reloading
> > > > > > > the firewalld daemon it does not go back to the default? Or is
> > > > > > > there any other way?
> > > > > >
> > > > > > You should _not_ delete this rule. Doing so will likely leave your
> > > > > > firewall open and your server unprotected. I repeat. DO NOT DELETE
> > > > > > THIS RULE.
> > > > > >
> > > > > > Instead add the `slp` service:
> > > > > >
> > > > > >     # firewall-cmd --permanent --add-service slp
> > > > > >     # firewall-cmd --reload
> > > > > >
> > > > > > The above adds it to the default zone (likely "public"). To add it
> > > > > > to a specific zone add the `--zone` argument.
> > > > > >
> > > > > >     # firewall-cmd --permanent --zone external --add-service slp
> > > > > >     # firewall-cmd --reload
> > > > > >
> > > > > >
> > > >
> > > > > _______________________________________________
> > > > > firewalld-users mailing list -- firewalld-users@lists.fedorahosted.org
> > > > > To unsubscribe send an email to firewalld-users-leave@lists.fedorahosted.org
> > > > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > > List Archives: https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedorahosted.org
> > > >
> > > >
> >
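A diagnostic for the question Eric keeps asking in this thread (which zone the other nodes' requests actually land on, and whether that zone allows `slp`), as an added shell example that is not part of the list thread and is not firewalld's own tooling. It parses the text that `firewall-cmd --list-all-zones` prints; the zone listing embedded below is a constructed sample in that format, and the function names `active_zones_missing_service` and `fix_commands` are this example's own. It follows Eric's advice: the zone's REJECT target is left alone and the service is opened per zone instead.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): given the text that
# `firewall-cmd --list-all-zones` prints, report every active zone that
# does not yet allow the `slp` service, and emit the zone-specific
# firewall-cmd commands that add it without touching the REJECT target.

# Constructed sample output, modelled on the real firewall-cmd format.
# Two zones are active: "public" on eth0 already has slp, "external"
# (bound to eth1) does not. "trusted" is not active and is ignored.
SAMPLE_ZONES='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client slp ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth1
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
'

# active_zones_missing_service SERVICE
#   Reads --list-all-zones text on stdin; prints one line per *active*
#   zone whose "services:" list lacks SERVICE. Inactive zones (no
#   interfaces or sources bound) never see traffic, so they are skipped.
active_zones_missing_service() {
    awk -v svc="$1" '
        # Zone header: a non-indented line, e.g. "public (active)".
        /^[^ \t]/ {
            zone = $1
            active = ($0 ~ /\(active\)/)
            next
        }
        # Indented "services:" line of an active zone: scan its fields.
        /^[ \t]+services:/ && active {
            found = 0
            for (i = 2; i <= NF; i++) if ($i == svc) found = 1
            if (!found) print zone
        }
    '
}

# fix_commands SERVICE
#   Emits the permanent, zone-specific firewall-cmd commands for each
#   zone reported by active_zones_missing_service, then a reload.
#   Nothing is printed when every active zone already allows SERVICE.
fix_commands() {
    zones=$(active_zones_missing_service "$1")
    [ -z "$zones" ] && return 0
    for z in $zones; do
        printf 'firewall-cmd --permanent --zone %s --add-service %s\n' "$z" "$1"
    done
    echo 'firewall-cmd --reload'
}

# Stand-alone demo on the constructed sample. On a real host use:
#   firewall-cmd --list-all-zones | fix_commands slp
printf '%s' "$SAMPLE_ZONES" | fix_commands slp
```

On a real host pipe the live listing in (`firewall-cmd --list-all-zones | fix_commands slp`) and review the printed commands before running them. If the interface the other nodes reach you on is bound to a zone other than the default, `--add-service slp` without `--zone` changes a zone that never sees the traffic, which fits the symptom in this thread where only removing the catch-all REJECT made discovery work.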