Hello Eric, I'm using a custom kernel. Do you know what modules should be available? I see the following with lsmod: [root@X ~]# lsmod|egrep iptable iptable_nat 16384 0 nf_nat_ipv4 16384 1 iptable_nat iptable_mangle 16384 0 iptable_raw 16384 0 I checked 'https://www.linuxtopia.org/Linux_Firewall_iptables/x651.html' and at least for IP tables the following were required for the Kernel: CONFIG_PACKET CONFIG_NETFILTER CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_FTP CONFIG_IP_NF_IRC CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER CONFIG_IP_NF_NAT CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_TARGET_LOG CONFIG_IP_NF_MATCH_LIMIT CONFIG_IP_NF_TARGET_MASQUERADE But I cannot figure out where is the '.config' file that tells what options were used to compile this kernel. Thanks, -----Original Message----- From: Eric Garver <egarver(a)redhat.com&gt; Sent: Monday, September 16, 2019 14:41 To: Firewalld users discussion list <firewalld-users(a)lists.fedorahosted.org&gt; Subject: Re: Problems with firewalld and Kickstart, Fedora 29 This mail originated from outside our organisation - egarver(a)redhat.com On Mon, Sep 16, 2019 at 05:17:14PM +0000, jose.nunez-zuleta(a)barclays.com wrote: It looks like you're missing some of the kernel modules (error about security table). Are you using a stock kernel? Is this stock Fedora? _______________________________________________ firewalld-users mailing list -- firewalld-users(a)lists.fedorahosted.org To unsubscribe send an email to firewalld-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://clicktime.symantec.com/315ms1uHmpXjrosq1364H2b6H2?u=https%3A%2F%2... List Guidelines: https://clicktime.symantec.com/3JSCjeRMFfkegxk921hgLnb6H2?u=https%3A%2F%2... List Archives: https://clicktime.symantec.com/3PNEfBNLbFeoNdR71G9PSx76H2?u=https%3A%2F%2... _________________________________________________________________________________________________________________________________________________________________________________________________________________________________ This message is for information purposes only, it is not a recommendation, advice, offer or solicitation to buy or sell a product or service nor an official confirmation of any transaction. It is directed at persons who are professionals and is not intended for retail customer use. Intended for recipient only. This message is subject to the terms at: www.barclays.com/emaildisclaimer. For important disclosures, please see: www.barclays.com/salesandtradingdisclaimer regarding market commentary from Barclays Sales and/or Trading, who are active market participants; and in respect of Barclays Research, including disclosures relating to specific issuers, please see http://publicresearch.barclays.com. ______________________________________________________________________________________________________________________________________________________________________ If you are incorporated or operating in Australia, please see https://www.home.barclays/disclosures/importantapacdisclosures.html for important disclosure. ______________________________________________________________________________________________________________________________________________________________________ ______________________________________________________________________________________________________________________________________________________________________ How we use personal information see our privacy notice https://www.investmentbank.barclays.com/disclosures/personalinformationus... _________________________________________________________________________________________________________________________________________________________________________________________________________________________________

On Mon, Sep 16, 2019 at 07:17:01PM +0000, jose.nunez-zuleta(a)barclays.com wrote: You'll want all the iptables modules. From the errors you gave below at least the one for the "security" table is missing, CONFIG_IP_NF_SECURITY. Don't forget about the ip6tables equivalent, CONFIG_IP6_NF_SECURITY. There were fixes in v0.6.4 and v0.7.0 that avoid using iptables tables that aren't available. Not all of them a strictly necessary. Maybe you can try upgrading firewalld. Sometimes it's available via /proc/config. Otherwise it may be in /boot/config-*.

Hello Eric, You are right about the missing modules, my kernel was not compiled with support for them: [root@X ~]# egrep CONFIG_IP6_NF_SECURITY /lib/modules/$(uname -r)/config [root@X ~]# egrep CONFIG_IP_NF_SECURITY /lib/modules/$(uname -r)/config I tried on a machine with and older kernel running Enterprise server: egrep CONFIG_IP6_NF_SECURITY /boot/config-2.6.32-754.3.5.el6.x86_64 CONFIG_IP6_NF_SECURITY=m So decided to check your bug-fix commit (https://github.com/firewalld/firewalld/commit/c46b0892e1e4a540c959b4c1f6e...) and tried on my non-production server: (Kids please do not try this at home :-)): [root@X ~]# cp -pv /usr/lib/python3.7/site-packages/firewall/core/ipXtables.py /usr/lib/python3.7/site-packages/firewall/core/ipXtables.py.orig [root@X ~]# curl --verbose --insecure --proxy 'XXX--proxy-user 'XXX' --output /usr/lib/python3.7/site-packages/firewall/core/ipXtables.py https://raw.githubusercontent.com/firewalld/firewalld/c46b0892e1e4a540c95... And then restarted firewalld and checked the rules: systemctl restart firewalld [root@X ~]# systemctl status -l firewalld ● firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled) Active: active (running) since Tue 2019-09-17 09:53:34 EDT; 6min ago Docs: man:firewalld(1) Main PID: 12128 (firewalld) Tasks: 2 (limit: 9830) Memory: 35.2M CGroup: /system.slice/firewalld.service └─12128 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid Sep 17 09:53:33 X systemd[1]: Starting firewalld - dynamic firewall daemon... Sep 17 09:53:34 X systemd[1]: Started firewalld - dynamic firewall daemon. No errors this time! Also polling settings with firewall-cmd works now: [root@X ~]# firewall-cmd --get-active-zones public interfaces: eno1 ens1f0 ens6f1np1 [root@X ~]# firewall-cmd --list-ports --zone=public 7990/tcp 7999/tcp 8080/tcp [root@X ~]# firewall-cmd --zone=public --list-services dhcpv6-client http https mdns ssh I think this is fixed on https://download.fedoraproject.org/pub/fedora/linux/updates/30/Everything... as the build time for the RPM has a later date than your commit. Thanks a lot for the help, problem fixed! --Jose -----Original Message----- From: Eric Garver <egarver(a)redhat.com&gt; Sent: Tuesday, September 17, 2019 8:38 To: Firewalld users discussion list <firewalld-users(a)lists.fedorahosted.org&gt; Subject: Re: Problems with firewalld and Kickstart, Fedora 29 This mail originated from outside our organisation - egarver(a)redhat.com On Mon, Sep 16, 2019 at 07:17:01PM +0000, jose.nunez-zuleta(a)barclays.com wrote: You'll want all the iptables modules. From the errors you gave below at least the one for the "security" table is missing, CONFIG_IP_NF_SECURITY. Don't forget about the ip6tables equivalent, CONFIG_IP6_NF_SECURITY. There were fixes in v0.6.4 and v0.7.0 that avoid using iptables tables that aren't available. Not all of them a strictly necessary. Maybe you can try upgrading firewalld. Sometimes it's available via /proc/config. Otherwise it may be in /boot/config-*. _______________________________________________ firewalld-users mailing list -- firewalld-users(a)lists.fedorahosted.org To unsubscribe send an email to firewalld-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://clicktime.symantec.com/3NWg59qpSHPfoMvPABseJYv6H2?u=https%3A%2F%2... List Guidelines: https://clicktime.symantec.com/3MbAwip2iU5MfwUeV9VSTXr6H2?u=https%3A%2F%2... List Archives: https://clicktime.symantec.com/38QVLKzjhgU4cGMpS9MsQwM6H2?u=https%3A%2F%2... _________________________________________________________________________________________________________________________________________________________________________________________________________________________________ This message is for information purposes only, it is not a recommendation, advice, offer or solicitation to buy or sell a product or service nor an official confirmation of any transaction. It is directed at persons who are professionals and is not intended for retail customer use. Intended for recipient only. This message is subject to the terms at: www.barclays.com/emaildisclaimer. For important disclosures, please see: www.barclays.com/salesandtradingdisclaimer regarding market commentary from Barclays Sales and/or Trading, who are active market participants; and in respect of Barclays Research, including disclosures relating to specific issuers, please see http://publicresearch.barclays.com. ______________________________________________________________________________________________________________________________________________________________________ If you are incorporated or operating in Australia, please see https://www.home.barclays/disclosures/importantapacdisclosures.html for important disclosure. ______________________________________________________________________________________________________________________________________________________________________ ______________________________________________________________________________________________________________________________________________________________________ How we use personal information see our privacy notice https://www.investmentbank.barclays.com/disclosures/personalinformationus... _________________________________________________________________________________________________________________________________________________________________________________________________________________________________

Hello Kennet, That wasn't the issue on this case but thanks for the suggestion. I fixed my issue by following Eric suggestion.