Hello all,
I installed a server using Kickstart and set up firewalld with the following flags:
firewall --enabled --ssh --http
However after rebooting the machine for the first time I see there are errors when the firewalld comes up:
Sep 11 16:51:32 X firewalld[36540]: ERROR: INVALID_ZONE
Sep 11 16:51:32 X firewalld[36540]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore: line 11 failed
Sep 11 16:51:32 X firewalld[36540]: ERROR: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore: line 11 failed
Sep 11 16:51:32 X firewalld[36540]: ERROR: COMMAND_FAILED: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore: line 11 failed
Sep 11 16:51:32 X firewalld[36540]: ERROR: INVALID_ZONE
Sep 11 16:58:18 X firewalld[36540]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): iptables-restore: unable to initialize table 'security' Error occurred at line: 1 Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Sep 11 16:58:18 X firewalld[36540]: ERROR: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore v1.8.0 (legacy): ip6tables-restore: unable to initialize table 'secur>
Somehow it seems that the 'public' zone got mangled:
[root@X log]# firewall-cmd --get-active-zones # Returns nothing
[root@X log]# firewall-cmd --zone=public --list-all
Error: INVALID_ZONE: public
Not sure what is going on here but I can set rules with firewall-cmd by hand:
firewall-cmd --set-default-zone=public
firewall-cmd --get-default-zone # Returns 'public'
firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --add-service=ssh --permanent
firewall-cmd --zone=public --permanent --add-port=7990/tcp
firewall-cmd --zone=public --permanent --add-port=7999/tcp
firewall-cmd --zone=public --permanent --add-port=8080/tcp
But the following commands return nothing:
firewall-cmd --get-active-zones
firewall-cmd --list-ports --zone=public
firewall-cmd --zone=public --list-services
Any ideas what else I can look for?
Thanks.
On Mon, Sep 16, 2019 at 05:17:14PM +0000, jose.nunez-zuleta@barclays.com wrote:
> Hello all,
> I installed a server using Kickstart and set up firewalld with the following flags:
> firewall --enabled --ssh --http
> However after rebooting the machine for the first time I see there are errors when the firewalld comes up:
> Sep 11 16:51:32 X firewalld[36540]: ERROR: INVALID_ZONE
> Sep 11 16:51:32 X firewalld[36540]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore: line 11 failed
> Sep 11 16:51:32 X firewalld[36540]: ERROR: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore: line 11 failed
> Sep 11 16:51:32 X firewalld[36540]: ERROR: COMMAND_FAILED: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore: line 11 failed
> Sep 11 16:51:32 X firewalld[36540]: ERROR: INVALID_ZONE
> Sep 11 16:58:18 X firewalld[36540]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): iptables-restore: unable to initialize table 'security' Error occurred at line: 1 Try `iptables-restore -h' or 'iptables-restore --help' for more information.
> Sep 11 16:58:18 X firewalld[36540]: ERROR: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore v1.8.0 (legacy): ip6tables-restore: unable to initialize table 'secur>
> Somehow it seems that the 'public' zone got mangled:
> [root@X log]# firewall-cmd --get-active-zones # Returns nothing
> [root@X log]# firewall-cmd --zone=public --list-all
> Error: INVALID_ZONE: public
> Not sure what is going on here but I can set rules with firewall-cmd by hand:
> firewall-cmd --set-default-zone=public
> firewall-cmd --get-default-zone # Returns 'public'
> firewall-cmd --zone=public --add-service=http --permanent
> firewall-cmd --zone=public --add-service=ssh --permanent
> firewall-cmd --zone=public --permanent --add-port=7990/tcp
> firewall-cmd --zone=public --permanent --add-port=7999/tcp
> firewall-cmd --zone=public --permanent --add-port=8080/tcp
> But the following commands return nothing:
> firewall-cmd --get-active-zones
> firewall-cmd --list-ports --zone=public
> firewall-cmd --zone=public --list-services
> Any ideas what else I can look for?
It looks like you're missing some of the kernel modules (error about security table). Are you using a stock kernel? Is this stock Fedora?
Hello Eric,
I'm using a custom kernel. Do you know what modules should be available? I see the following with lsmod:
[root@X ~]# lsmod|egrep iptable
iptable_nat 16384 0
nf_nat_ipv4 16384 1 iptable_nat
iptable_mangle 16384 0
iptable_raw 16384 0
I checked 'https://www.linuxtopia.org/Linux_Firewall_iptables/x651.html' and at least for IP tables the following were required for the Kernel:
CONFIG_PACKET
CONFIG_NETFILTER
CONFIG_IP_NF_CONNTRACK
CONFIG_IP_NF_FTP
CONFIG_IP_NF_IRC
CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_FILTER
CONFIG_IP_NF_NAT
CONFIG_IP_NF_MATCH_STATE
CONFIG_IP_NF_TARGET_LOG
CONFIG_IP_NF_MATCH_LIMIT
CONFIG_IP_NF_TARGET_MASQUERADE
But I cannot figure out where is the '.config' file that tells what options were used to compile this kernel.
Thanks,
Looks like the kernel was configured properly, either the options are set to =y or they are modules:
[root@nyxlabavt-4 ~]# egrep 'CONFIG_IP_NF_|CONFIG_PACKET|CONFIG_NETFILTER' /lib/modules/4.19.17-1300.strike.fc29.x86_64/config
CONFIG_PACKET=y
CONFIG_PACKET_DIAG=m
CONFIG_NETFILTER=y
CONFIG_NETFILTER_ADVANCED=y
CONFIG_NETFILTER_INGRESS=y
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_FAMILY_BRIDGE=y
CONFIG_NETFILTER_FAMILY_ARP=y
CONFIG_NETFILTER_NETLINK_ACCT=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NETFILTER_NETLINK_OSF=m
CONFIG_NETFILTER_CONNCOUNT=m
# CONFIG_NETFILTER_NETLINK_GLUE_CT is not set
CONFIG_NETFILTER_SYNPROXY=m
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MARK=m
CONFIG_NETFILTER_XT_CONNMARK=m
CONFIG_NETFILTER_XT_SET=m
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
CONFIG_NETFILTER_XT_TARGET_CT=m
CONFIG_NETFILTER_XT_TARGET_DSCP=m
CONFIG_NETFILTER_XT_TARGET_HL=m
CONFIG_NETFILTER_XT_TARGET_HMARK=m
CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m
CONFIG_NETFILTER_XT_TARGET_LED=m
CONFIG_NETFILTER_XT_TARGET_LOG=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_NAT=m
CONFIG_NETFILTER_XT_TARGET_NETMAP=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
CONFIG_NETFILTER_XT_TARGET_NOTRACK=m
CONFIG_NETFILTER_XT_TARGET_RATEEST=m
CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
CONFIG_NETFILTER_XT_TARGET_TEE=m
CONFIG_NETFILTER_XT_TARGET_TPROXY=m
CONFIG_NETFILTER_XT_TARGET_TRACE=m
CONFIG_NETFILTER_XT_TARGET_SECMARK=m
CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
CONFIG_NETFILTER_XT_MATCH_BPF=m
CONFIG_NETFILTER_XT_MATCH_CGROUP=m
CONFIG_NETFILTER_XT_MATCH_CLUSTER=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNLABEL=m
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_CPU=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_DEVGROUP=m
CONFIG_NETFILTER_XT_MATCH_DSCP=m
CONFIG_NETFILTER_XT_MATCH_ECN=m
CONFIG_NETFILTER_XT_MATCH_ESP=m
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_HL=m
CONFIG_NETFILTER_XT_MATCH_IPCOMP=m
CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
CONFIG_NETFILTER_XT_MATCH_IPVS=m
CONFIG_NETFILTER_XT_MATCH_L2TP=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_NFACCT=m
CONFIG_NETFILTER_XT_MATCH_OSF=m
CONFIG_NETFILTER_XT_MATCH_OWNER=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_QUOTA=m
CONFIG_NETFILTER_XT_MATCH_RATEEST=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_RECENT=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_SOCKET=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_TIME=m
CONFIG_NETFILTER_XT_MATCH_U32=m
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_AH=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_RPFILTER=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_SYNPROXY=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_CLUSTERIP=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
On Mon, Sep 16, 2019 at 07:17:01PM +0000, jose.nunez-zuleta@barclays.com wrote:
> Hello Eric,
> I'm using a custom kernel. Do you know what modules should be available? I see the following with lsmod:
You'll want all the iptables modules. From the errors you gave below at least the one for the "security" table is missing, CONFIG_IP_NF_SECURITY. Don't forget about the ip6tables equivalent, CONFIG_IP6_NF_SECURITY.
There were fixes in v0.6.4 and v0.7.0 that avoid using iptables tables that aren't available. Not all of them are strictly necessary. Maybe you can try upgrading firewalld.
> [root@X ~]# lsmod|egrep iptable
> iptable_nat 16384 0
> nf_nat_ipv4 16384 1 iptable_nat
> iptable_mangle 16384 0
> iptable_raw 16384 0
> I checked 'https://www.linuxtopia.org/Linux_Firewall_iptables/x651.html' and at least for IP tables the following were required for the Kernel:
> CONFIG_PACKET CONFIG_NETFILTER CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_FTP CONFIG_IP_NF_IRC CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER CONFIG_IP_NF_NAT CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_TARGET_LOG CONFIG_IP_NF_MATCH_LIMIT CONFIG_IP_NF_TARGET_MASQUERADE
> But I cannot figure out where is the '.config' file that tells what options were used to compile this kernel.
Sometimes it's available via /proc/config. Otherwise it may be in /boot/config-*.
On Tue, Sep 17, 2019 at 08:38:20AM -0400, Eric Garver wrote:
> On Mon, Sep 16, 2019 at 07:17:01PM +0000, jose.nunez-zuleta@barclays.com wrote:
> > Hello Eric,
> > I'm using a custom kernel. Do you know what modules should be available? I see the following with lsmod:
> You'll want all the iptables modules. From the errors you gave below at least the one for the "security" table is missing, CONFIG_IP_NF_SECURITY. Don't forget about the ip6tables equivalent, CONFIG_IP6_NF_SECURITY.
> There were fixes in v0.6.4 and v0.7.0 that avoid using iptables tables that aren't available. Not all of them are strictly necessary. Maybe you can try upgrading firewalld.
To expand on this, see the below commit:
https://github.com/firewalld/firewalld/commit/c46b0892e1e4a540c959b4c1f6ea87...
commit c46b0892e1e4a540c959b4c1f6ea87de50d1bcf8
Author: Eric Garver eric@garver.life
Date: Wed Apr 17 15:57:22 2019 -0400
    fix: ipXtables: don't use tables that aren't available
    At least for the default ruleset we can avoid failure if some of these tables are missing. But features that use those missing tables will still fail if the user attempts to use those features.
    Here is a probably incomplete mapping of tables -> features:
        raw: helpers, IPv6_rpfilter
        mangle: rich rule mark action
        nat: masquerade, forward ports
        security: none
    Of course, direct rules apply to all tables. It is fatal if the "filter" table is not available.
    Fixes: #411
    Fixes: #484
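The table-to-feature mapping from the commit message above, turned into a kernel config check that can be run before deploying firewalld on a custom kernel. This is an added example, not code from firewalld or from anyone in the thread: the function names are hypothetical, and the sample config and log text are constructed to resemble the kernel discussed here (the IPv6 part of the sample is invented for illustration).

```sh
#!/bin/sh
# Added example, not firewalld code. Usage: sh thisfile [kernel-config-file],
# e.g. /lib/modules/$(uname -r)/config or /boot/config-$(uname -r).
# With no argument it runs on the constructed sample below.

# Constructed sample: a kernel built without the security table (IPv6 also lacks nat).
SAMPLE_CONFIG='CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_RAW=m
# CONFIG_IP_NF_SECURITY is not set
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_RAW=m'

# Constructed sample of the journal errors, shortened from the ones in the thread.
SAMPLE_LOG="firewalld[36540]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore: unable to initialize table 'security'
firewalld[36540]: ERROR: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore: unable to initialize table 'security'"

# Kernel option that provides table $2 for family $1 (IP or IP6).
table_option() {
    case "$2" in
        filter|nat|mangle|raw|security)
            printf 'CONFIG_%s_NF_%s\n' "$1" \
                "$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" ;;
        *) return 1 ;;
    esac
}

# firewalld features that need a table, as listed in the commit message
# (direct rules can touch any table, so they are not listed per table).
table_features() {
    case "$1" in
        filter)   echo "all (fatal for firewalld)" ;;
        raw)      echo "helpers, IPv6_rpfilter" ;;
        mangle)   echo "rich rule mark action" ;;
        nat)      echo "masquerade, forward ports" ;;
        security) echo "none" ;;
    esac
}

# Print each table that config file $1 provides neither built in (=y)
# nor as a module (=m) for family $2.
missing_tables() {
    for t in filter nat mangle raw security; do
        opt=$(table_option "$2" "$t")
        grep -Eq "^${opt}=[ym]\$" "$1" || echo "$t"
    done
}

# Table names that iptables-restore reported as unavailable (journal text on stdin).
failed_tables_from_log() {
    sed -n "s/.*unable to initialize table '\([a-z]*\)'.*/\1/p" | sort -u
}

# One line per missing option, for both address families.
report() {
    for fam in IP IP6; do
        for t in $(missing_tables "$1" "$fam"); do
            printf '%s missing (%s table); features affected: %s\n' \
                "$(table_option "$fam" "$t")" "$t" "$(table_features "$t")"
        done
    done
}

if [ -n "${1:-}" ]; then
    report "$1"
else
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_CONFIG" > "$tmp"
    report "$tmp"
    printf '%s\n' "$SAMPLE_LOG" | failed_tables_from_log
    rm -f "$tmp"
fi
```

A "features affected: none" line still matters on firewalld releases older than the fixes mentioned above, because those releases try to initialize every table at startup.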
Hello Eric,
You are right about the missing modules, my kernel was not compiled with support for them:
[root@X ~]# egrep CONFIG_IP6_NF_SECURITY /lib/modules/$(uname -r)/config
[root@X ~]# egrep CONFIG_IP_NF_SECURITY /lib/modules/$(uname -r)/config
I tried on a machine with an older kernel running Enterprise server:
egrep CONFIG_IP6_NF_SECURITY /boot/config-2.6.32-754.3.5.el6.x86_64
CONFIG_IP6_NF_SECURITY=m
So decided to check your bug-fix commit (https://github.com/firewalld/firewalld/commit/c46b0892e1e4a540c959b4c1f6ea87...) and tried on my non-production server:
(Kids please do not try this at home :-)):
[root@X ~]# cp -pv /usr/lib/python3.7/site-packages/firewall/core/ipXtables.py /usr/lib/python3.7/site-packages/firewall/core/ipXtables.py.orig
[root@X ~]# curl --verbose --insecure --proxy 'XXX' --proxy-user 'XXX' --output /usr/lib/python3.7/site-packages/firewall/core/ipXtables.py https://raw.githubusercontent.com/firewalld/firewalld/c46b0892e1e4a540c959b4...
And then restarted firewalld and checked the rules:
systemctl restart firewalld
[root@X ~]# systemctl status -l firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: active (running) since Tue 2019-09-17 09:53:34 EDT; 6min ago
     Docs: man:firewalld(1)
 Main PID: 12128 (firewalld)
    Tasks: 2 (limit: 9830)
   Memory: 35.2M
   CGroup: /system.slice/firewalld.service
           └─12128 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid
Sep 17 09:53:33 X systemd[1]: Starting firewalld - dynamic firewall daemon...
Sep 17 09:53:34 X systemd[1]: Started firewalld - dynamic firewall daemon.
No errors this time!
Also polling settings with firewall-cmd works now:
[root@X ~]# firewall-cmd --get-active-zones
public
  interfaces: eno1 ens1f0 ens6f1np1
[root@X ~]# firewall-cmd --list-ports --zone=public
7990/tcp 7999/tcp 8080/tcp
[root@X ~]# firewall-cmd --zone=public --list-services
dhcpv6-client http https mdns ssh
I think this is fixed on https://download.fedoraproject.org/pub/fedora/linux/updates/30/Everything/SR... as the build time for the RPM has a later date than your commit.
Thanks a lot for the help, problem fixed!
--Jose
--On Monday, September 16, 2019 6:17 PM +0000 jose.nunez-zuleta(a)barclays.com wrote:
Look at the XML files under /etc/firewalld. Those describe the permanent state that's reloaded at boot time.
Hello Kennet,
That wasn't the issue in this case, but thanks for the suggestion. I fixed my issue by following Eric's suggestion.