On Tue, Jun 16, 2020 at 06:40:51AM +0800, Ed Greshko wrote:
This had been working until about June 5. But I was getting ready
for major surgery and didn't pursue then.
I have 3 systems. 2 HW, 1VM. The 2 HW systems are connected via Wifi. Below the VM
is on the right.
192.168.122.152 <----> 192.168.122.1/192.168.2.127 <----> 192.168.2.116
With firewalld running on 192.168.2.127 I get the following on 192.168.2.116
[egreshko@acer ~]$ ssh 192.168.122.152
ssh: connect to host 192.168.122.152 port 22: Connection refused
[egreshko@acer ~]$ traceroute 192.168.122.152
traceroute to 192.168.122.152 (192.168.122.152), 30 hops max, 60 byte packets
 1 192.168.2.127 (192.168.2.127) 2.256 ms 2.834 ms 2.892 ms
 2 192.168.2.127 (192.168.2.127) 3.284 ms 3.854 ms 4.398 ms
If I stop the firewall I get...
[egreshko@acer ~]$ ssh 192.168.122.152
Last login: Tue Jun 16 06:21:07 2020 from 2001:b030:112f:2::2
[egreshko@f31k ~]$ exit
logout
Connection to 192.168.122.152 closed.
[egreshko@acer ~]$ traceroute 192.168.122.152
traceroute to 192.168.122.152 (192.168.122.152), 30 hops max, 60 byte packets
 1 192.168.2.127 (192.168.2.127) 3.594 ms 3.771 ms 4.345 ms
 2 192.168.122.152 (192.168.122.152) 4.653 ms !X 5.260 ms !X 5.532 ms !X
I can connect from 192.168.122.1 to 192.168.122.152 no matter if firewalld is running or
not.
[root@meimei ~]# firewall-cmd --get-active-zones
libvirt
 interfaces: virbr0
public
 interfaces: enp2s0 wlp4s0
What to check? This was working in early June and I doubt I made
changes.
If you've recently updated firewalld check for AllowZoneDrifting in
/etc/firewalld/firewalld.conf.
Based on the bits of info you gave above you may have been unknowingly
making use of undesired behavior.
See this blog post for further information:
https://firewalld.org/2020/01/allowzonedrifting
Hope that helps.
Eric.
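Two checks that follow from Eric's suggestion, written up as an added example that is not part of the original thread. The first reads and pins AllowZoneDrifting in a firewalld.conf; the second maps an interface to its zone from the text that `firewall-cmd --get-active-zones` prints, so the host can see that LAN-to-VM forwarding enters through one zone (public, wlp4s0) and leaves through another (libvirt, virbr0). The firewalld.conf contents and temp paths are constructed; the active-zone listing is copied from Ed's message. Setting the key back to "yes" only restores the deprecated behaviour the linked post describes, so treat that as a diagnostic step rather than the fix.

```shell
#!/bin/sh
# Added example (not from the thread): audit and pin AllowZoneDrifting in a
# firewalld.conf, and map interfaces to zones from `firewall-cmd --get-active-zones`
# output. The sample config file and temp paths below are constructed assumptions.

# zone_drifting_setting FILE
# Prints the effective AllowZoneDrifting value: "yes", "no", or "unset" when the
# key is absent or commented out (firewalld then uses its built-in default).
zone_drifting_setting() {
    conf="${1:-/etc/firewalld/firewalld.conf}"
    [ -r "$conf" ] || { echo "unreadable"; return 1; }
    # Last uncommented assignment wins, matching how a hand-edited file is read.
    val=$(sed -n 's/^[[:space:]]*AllowZoneDrifting[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$conf" \
          | tail -n 1 | tr 'A-Z' 'a-z')
    case "$val" in
        yes|no) echo "$val" ;;
        "")     echo "unset" ;;
        *)      echo "invalid:$val"; return 1 ;;
    esac
}

# set_zone_drifting FILE yes|no
# Rewrites (or appends) the key so the file states the setting explicitly.
# Does not reload firewalld; run `firewall-cmd --reload` afterwards on a real host.
set_zone_drifting() {
    conf="$1"; want="$2"
    case "$want" in yes|no) ;; *) echo "set_zone_drifting: want yes|no" >&2; return 1 ;; esac
    if grep -q '^[[:space:]]*AllowZoneDrifting[[:space:]]*=' "$conf"; then
        sed "s/^[[:space:]]*AllowZoneDrifting[[:space:]]*=.*/AllowZoneDrifting=$want/" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        printf 'AllowZoneDrifting=%s\n' "$want" >> "$conf"
    fi
}

# zone_of_interface ACTIVE_ZONES_TEXT IFACE
# Parses the text printed by `firewall-cmd --get-active-zones` (zone name on its
# own line, then an indented "interfaces:" line) and prints the zone owning IFACE,
# or "unknown" if no active zone lists it.
zone_of_interface() {
    z=$(printf '%s\n' "$1" | awk -v want="$2" '
        /^[^ \t]/ { zone = $1; next }
        $1 == "interfaces:" { for (i = 2; i <= NF; i++) if ($i == want) { print zone; exit } }
    ')
    echo "${z:-unknown}"
}

# Constructed sample config (the key is only present as a comment) and the
# active-zone listing from the thread.
WORK=$(mktemp -d)
SAMPLE_CONF="$WORK/firewalld.conf"
cat > "$SAMPLE_CONF" <<'EOF'
# firewalld config file (constructed sample, not a real host's file)
DefaultZone=public
# AllowZoneDrifting=yes
LogDenied=off
EOF

ACTIVE_ZONES='libvirt
  interfaces: virbr0
public
  interfaces: enp2s0 wlp4s0'

echo "AllowZoneDrifting before: $(zone_drifting_setting "$SAMPLE_CONF")"   # unset
set_zone_drifting "$SAMPLE_CONF" no
echo "AllowZoneDrifting after:  $(zone_drifting_setting "$SAMPLE_CONF")"   # no

# Which zones does LAN -> VM forwarding on the host cross?
IN_ZONE=$(zone_of_interface "$ACTIVE_ZONES" wlp4s0)
OUT_ZONE=$(zone_of_interface "$ACTIVE_ZONES" virbr0)
echo "forwarded traffic enters zone '$IN_ZONE' and leaves via zone '$OUT_ZONE'"
```

On the real host, run `zone_drifting_setting` against /etc/firewalld/firewalld.conf and `zone_of_interface "$(firewall-cmd --get-active-zones)" wlp4s0`. If the traffic path crosses two zones and drifting is "no" or unset, the forward is being evaluated strictly against the ingress zone, which is the behaviour change the linked post describes.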