Hello Eric,
You are right about the missing modules, my kernel was not compiled with support for
them:
[root@X ~]# egrep CONFIG_IP6_NF_SECURITY /lib/modules/$(uname -r)/config
[root@X ~]# egrep CONFIG_IP_NF_SECURITY /lib/modules/$(uname -r)/config
I tried on a machine with an older kernel running Enterprise server:
egrep CONFIG_IP6_NF_SECURITY /boot/config-2.6.32-754.3.5.el6.x86_64
CONFIG_IP6_NF_SECURITY=m
So I decided to check your bug-fix commit
(https://github.com/firewalld/firewalld/commit/c46b0892e1e4a540c959b4c1f6e...)
and tried on my non-production server:
(Kids please do not try this at home :-)):
[root@X ~]# cp -pv /usr/lib/python3.7/site-packages/firewall/core/ipXtables.py \
    /usr/lib/python3.7/site-packages/firewall/core/ipXtables.py.orig
[root@X ~]# curl --verbose --insecure --proxy 'XXX' --proxy-user 'XXX' --output \
    /usr/lib/python3.7/site-packages/firewall/core/ipXtables.py \
    https://raw.githubusercontent.com/firewalld/firewalld/c46b0892e1e4a540c95...
And then restarted firewalld and checked the rules:
systemctl restart firewalld
[root@X ~]# systemctl status -l firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset:
enabled)
Active: active (running) since Tue 2019-09-17 09:53:34 EDT; 6min ago
Docs: man:firewalld(1)
Main PID: 12128 (firewalld)
Tasks: 2 (limit: 9830)
Memory: 35.2M
CGroup: /system.slice/firewalld.service
└─12128 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid
Sep 17 09:53:33 X systemd[1]: Starting firewalld - dynamic firewall daemon...
Sep 17 09:53:34 X systemd[1]: Started firewalld - dynamic firewall daemon.
No errors this time!
Also polling settings with firewall-cmd works now:
[root@X ~]# firewall-cmd --get-active-zones
public
interfaces: eno1 ens1f0 ens6f1np1
[root@X ~]# firewall-cmd --list-ports --zone=public
7990/tcp 7999/tcp 8080/tcp
[root@X ~]# firewall-cmd --zone=public --list-services
dhcpv6-client http https mdns ssh
I think this is fixed on
https://download.fedoraproject.org/pub/fedora/linux/updates/30/Everything...
as the build time for the RPM has a later date than your commit.
Thanks a lot for the help, problem fixed!
--Jose
-----Original Message-----
From: Eric Garver <egarver(a)redhat.com>
Sent: Tuesday, September 17, 2019 8:38
To: Firewalld users discussion list <firewalld-users(a)lists.fedorahosted.org>
Subject: Re: Problems with firewalld and Kickstart, Fedora 29
On Mon, Sep 16, 2019 at 07:17:01PM +0000, jose.nunez-zuleta(a)barclays.com wrote:
Hello Eric,
I'm using a custom kernel. Do you know what modules should be available? I see the
following with lsmod:
You'll want all the iptables modules. From the errors you gave below at least the one
for the "security" table is missing, CONFIG_IP_NF_SECURITY. Don't forget
about the ip6tables equivalent, CONFIG_IP6_NF_SECURITY.
There were fixes in v0.6.4 and v0.7.0 that avoid using iptables tables that aren't
available. Not all of them are strictly necessary. Maybe you can try upgrading firewalld.
[root@X ~]# lsmod|egrep iptable
iptable_nat 16384 0
nf_nat_ipv4 16384 1 iptable_nat
iptable_mangle 16384 0
iptable_raw 16384 0
I checked
'https://www.linuxtopia.org/Linux_Firewall_iptables/x651.html'
and at least for IP tables the following were required for the Kernel:
CONFIG_PACKET
CONFIG_NETFILTER
CONFIG_IP_NF_CONNTRACK
CONFIG_IP_NF_FTP
CONFIG_IP_NF_IRC
CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_FILTER
CONFIG_IP_NF_NAT
CONFIG_IP_NF_MATCH_STATE
CONFIG_IP_NF_TARGET_LOG
CONFIG_IP_NF_MATCH_LIMIT
CONFIG_IP_NF_TARGET_MASQUERADE
But I cannot figure out where is the '.config' file that tells what options were
used to compile this kernel.
Sometimes it's available via /proc/config. Otherwise it may be in /boot/config-*.
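The check discussed in this thread, as an added example that is not part of the original messages or of firewalld: it looks for the running kernel's config in the locations mentioned above and lists the iptables/ip6tables table options that are neither built in nor modules. The function names, the `--check` argument and the sample config are assumptions made for illustration; `/proc/config.gz` is only present on kernels built with CONFIG_IKCONFIG_PROC.

```shell
# Print the first readable config file for the running kernel.
# /proc/config.gz exists only when the kernel has CONFIG_IKCONFIG_PROC.
find_kconfig() {
    rel=$(uname -r)
    for f in /proc/config.gz "/boot/config-$rel" "/lib/modules/$rel/config"; do
        if [ -r "$f" ]; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

# kconfig_state FILE OPTION: print y (built in), m (module) or "unset".
kconfig_state() {
    case $1 in
        *.gz) reader='gzip -dc' ;;
        *)    reader='cat' ;;
    esac
    val=$($reader "$1" | sed -n "s/^$2=\([ym]\)\$/\1/p" | head -n 1)
    printf '%s\n' "${val:-unset}"
}

# missing_tables FILE: print each table option that is neither y nor m.
missing_tables() {
    [ -r "$1" ] || { echo "cannot read kernel config: $1" >&2; return 2; }
    for fam in IP IP6; do
        for tbl in FILTER MANGLE NAT RAW SECURITY; do
            opt="CONFIG_${fam}_NF_${tbl}"
            if [ "$(kconfig_state "$1" "$opt")" = unset ]; then printf '%s\n' "$opt"; fi
        done
    done
}

# Constructed sample: a kernel without the "security" tables, as in the thread.
sample_config() {
    cat <<'EOF'
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_RAW=m
# CONFIG_IP_NF_SECURITY is not set
CONFIG_IP6_NF_FILTER=y
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_NAT=m
CONFIG_IP6_NF_RAW=m
EOF
}

if [ "${1:-}" = "--check" ]; then   # sh FILE --check [CONFIG_FILE]
    missing_tables "${2:-$(find_kconfig)}"
fi
```

An empty result means all five tables are available for both address families; any option printed points at a table firewalld's iptables backend may fail to load on that kernel.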