12:19 p.m.
Below rule in iptables is causing the slptool to fail in detecting the services of other
hosts.
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
I deleted it by using below command
iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
and slp started to discover from other node with firewall enabled.
however when i reload the firewalld or reboot it again went back to original rule
(REJECT)
how can i delete this rule permanently so that even after reoading firewalld daemon it
does not go back to default.
or is there anyother way
1:02 p.m.
On Tue, Nov 17, 2020 at 06:19:09PM -0000, bsp team wrote:
Below rule in iptables is causing the slptool to fail in detecting
the services of other hosts.
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
I deleted it by using below command
iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
and slp started to discover from other node with firewall enabled.
however when i reload the firewalld or reboot it again went back to original rule
(REJECT)
how can i delete this rule permanently so that even after reoading firewalld daemon it
does not go back to default.
or is there anyother way
You should _not_ delete this rule. Doing so will likely leave your
firewall open and your server unprotected. I repeat. DO NOT DELETE THIS
RULE.
Instead add the `slp` service:
# firewall-cmd --permanent --add-service slp
# firewall-cmd --reload
The above adds it to the default zone (likely "public"). To add it to a
specific zone add the `--zone` argument.
# firewall-cmd --permanent --zone external --add-service slp
# firewall-cmd --reload
1:11 p.m.
Hello Eric,
thanks for the response. I did added this option in public/external zone
firewall-cmd --permanent --add-service slp
# firewall-cmd --reload
Even though the slp services were not getting discovered by other nodes.
As soon as i delete this rule
iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
All starts working fine.
That's why i am confused/clueless what can be done to make it work.
Thanks
On Wed, Nov 18, 2020, 12:32 AM Eric Garver <egarver(a)redhat.com> wrote:
On Tue, Nov 17, 2020 at 06:19:09PM -0000, bsp team wrote:
> Below rule in iptables is causing the slptool to fail in detecting the
services of other hosts.
> REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
> I deleted it by using below command
> iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
> and slp started to discover from other node with firewall enabled.
> however when i reload the firewalld or reboot it again went back to
original rule (REJECT)
> how can i delete this rule permanently so that even after reoading
firewalld daemon it does not go back to default.
> or is there anyother way
You should _not_ delete this rule. Doing so will likely leave your
firewall open and your server unprotected. I repeat. DO NOT DELETE THIS
RULE.
Instead add the `slp` service:
# firewall-cmd --permanent --add-service slp
# firewall-cmd --reload
The above adds it to the default zone (likely "public"). To add it to a
specific zone add the `--zone` argument.
# firewall-cmd --permanent --zone external --add-service slp
# firewall-cmd --reload
1:17 p.m.
On Wed, Nov 18, 2020 at 12:41:24AM +0530, Vishal K wrote:
Hello Eric,
thanks for the response. I did added this option in public/external zone
firewall-cmd --permanent --add-service slp
# firewall-cmd --reload
Even though the slp services were not getting discovered by other nodes.
As soon as i delete this rule
iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
All starts working fine.
That's why i am confused/clueless what can be done to make it work.
Are you sure the other nodes requests are coming in on the default zone?
What does --get-active-zones show?
Thanks
On Wed, Nov 18, 2020, 12:32 AM Eric Garver <egarver(a)redhat.com> wrote:
> On Tue, Nov 17, 2020 at 06:19:09PM -0000, bsp team wrote:
> > Below rule in iptables is causing the slptool to fail in detecting the
> services of other hosts.
> > REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
> > I deleted it by using below command
> > iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
> > and slp started to discover from other node with firewall enabled.
> > however when i reload the firewalld or reboot it again went back to
> original rule (REJECT)
> > how can i delete this rule permanently so that even after reoading
> firewalld daemon it does not go back to default.
> > or is there anyother way
>
> You should _not_ delete this rule. Doing so will likely leave your
> firewall open and your server unprotected. I repeat. DO NOT DELETE THIS
> RULE.
>
> Instead add the `slp` service:
>
> # firewall-cmd --permanent --add-service slp
> # firewall-cmd --reload
>
> The above adds it to the default zone (likely "public"). To add it to a
> specific zone add the `--zone` argument.
>
> # firewall-cmd --permanent --zone external --add-service slp
> # firewall-cmd --reload
>
>
_______________________________________________
firewalld-users mailing list -- firewalld-users(a)lists.fedorahosted.org
To unsubscribe send an email to firewalld-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedora...
1:36 p.m.
Hello Eric,
I Will check that details(other nodes requests are coming in on the default
zone) and update.
Meanwhile i have another system where sles12 is runnin and there i see
below rule by default
In INPUT chain
ACCEPT icmp -- anywhere anywhere ctstate RELATED
I wonder it's not there in sles15.
Thanks
On Wed, Nov 18, 2020, 12:47 AM Eric Garver <egarver(a)redhat.com> wrote:
On Wed, Nov 18, 2020 at 12:41:24AM +0530, Vishal K wrote:
> Hello Eric,
>
> thanks for the response. I did added this option in public/external zone
>
> firewall-cmd --permanent --add-service slp
> # firewall-cmd --reload
> Even though the slp services were not getting discovered by other nodes.
> As soon as i delete this rule
>
> iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
>
> All starts working fine.
>
> That's why i am confused/clueless what can be done to make it work.
Are you sure the other nodes requests are coming in on the default zone?
What does --get-active-zones show?
> Thanks
>
>
> On Wed, Nov 18, 2020, 12:32 AM Eric Garver <egarver(a)redhat.com> wrote:
>
> > On Tue, Nov 17, 2020 at 06:19:09PM -0000, bsp team wrote:
> > > Below rule in iptables is causing the slptool to fail in detecting
the
> > services of other hosts.
> > > REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
> > > I deleted it by using below command
> > > iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
> > > and slp started to discover from other node with firewall enabled.
> > > however when i reload the firewalld or reboot it again went back to
> > original rule (REJECT)
> > > how can i delete this rule permanently so that even after reoading
> > firewalld daemon it does not go back to default.
> > > or is there anyother way
> >
> > You should _not_ delete this rule. Doing so will likely leave your
> > firewall open and your server unprotected. I repeat. DO NOT DELETE THIS
> > RULE.
> >
> > Instead add the `slp` service:
> >
> > # firewall-cmd --permanent --add-service slp
> > # firewall-cmd --reload
> >
> > The above adds it to the default zone (likely "public"). To add it to
a
> > specific zone add the `--zone` argument.
> >
> > # firewall-cmd --permanent --zone external --add-service slp
> > # firewall-cmd --reload
> >
> >
> _______________________________________________
> firewalld-users mailing list -- firewalld-users(a)lists.fedorahosted.org
> To unsubscribe send an email to
firewalld-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedora...
3:28 p.m.
On Wed, Nov 18, 2020 at 01:06:52AM +0530, Vishal K wrote:
Hello Eric,
I Will check that details(other nodes requests are coming in on the default
zone) and update.
Meanwhile i have another system where sles12 is runnin and there i see
below rule by default
In INPUT chain
ACCEPT icmp -- anywhere anywhere ctstate RELATED
I'm not sure where this rule is coming from. You can check the firewalld
configuration.
# firewall-cmd --list-all-zones
I wonder it's not there in sles15.
Thanks
On Wed, Nov 18, 2020, 12:47 AM Eric Garver <egarver(a)redhat.com> wrote:
> On Wed, Nov 18, 2020 at 12:41:24AM +0530, Vishal K wrote:
> > Hello Eric,
> >
> > thanks for the response. I did added this option in public/external zone
> >
> > firewall-cmd --permanent --add-service slp
> > # firewall-cmd --reload
> > Even though the slp services were not getting discovered by other nodes.
> > As soon as i delete this rule
> >
> > iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
> >
> > All starts working fine.
> >
> > That's why i am confused/clueless what can be done to make it work.
>
> Are you sure the other nodes requests are coming in on the default zone?
> What does --get-active-zones show?
>
> > Thanks
> >
> >
> > On Wed, Nov 18, 2020, 12:32 AM Eric Garver <egarver(a)redhat.com> wrote:
> >
> > > On Tue, Nov 17, 2020 at 06:19:09PM -0000, bsp team wrote:
> > > > Below rule in iptables is causing the slptool to fail in detecting
> the
> > > services of other hosts.
> > > > REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
> > > > I deleted it by using below command
> > > > iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
> > > > and slp started to discover from other node with firewall enabled.
> > > > however when i reload the firewalld or reboot it again went back to
> > > original rule (REJECT)
> > > > how can i delete this rule permanently so that even after reoading
> > > firewalld daemon it does not go back to default.
> > > > or is there anyother way
> > >
> > > You should _not_ delete this rule. Doing so will likely leave your
> > > firewall open and your server unprotected. I repeat. DO NOT DELETE THIS
> > > RULE.
> > >
> > > Instead add the `slp` service:
> > >
> > > # firewall-cmd --permanent --add-service slp
> > > # firewall-cmd --reload
> > >
> > > The above adds it to the default zone (likely "public"). To add
it to a
> > > specific zone add the `--zone` argument.
> > >
> > > # firewall-cmd --permanent --zone external --add-service slp
> > > # firewall-cmd --reload
> > >
> > >
>
> > _______________________________________________
> > firewalld-users mailing list -- firewalld-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to
> firewalld-users-leave(a)lists.fedorahosted.org
> > Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedora...
>
>
_______________________________________________
firewalld-users mailing list -- firewalld-users(a)lists.fedorahosted.org
To unsubscribe send an email to firewalld-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedora...
6:21 a.m.
Hello Eric/Team,
Please check the below snip from the 2 nodes on which i am working to make
slp service work , but it is not getting discovered from other node.
from same node it show the service
i have added the slp service in firewall at both the node . Can someone
help me in getting this issue fixed.
[image: image.png]
On Wed, Nov 18, 2020 at 2:58 AM Eric Garver <egarver(a)redhat.com> wrote:
On Wed, Nov 18, 2020 at 01:06:52AM +0530, Vishal K wrote:
> Hello Eric,
>
> I Will check that details(other nodes requests are coming in on the
default
> zone) and update.
> Meanwhile i have another system where sles12 is runnin and there i see
> below rule by default
>
> In INPUT chain
> ACCEPT icmp -- anywhere anywhere ctstate RELATED
I'm not sure where this rule is coming from. You can check the firewalld
configuration.
# firewall-cmd --list-all-zones
>
>
> I wonder it's not there in sles15.
>
> Thanks
>
>
>
> On Wed, Nov 18, 2020, 12:47 AM Eric Garver <egarver(a)redhat.com> wrote:
>
> > On Wed, Nov 18, 2020 at 12:41:24AM +0530, Vishal K wrote:
> > > Hello Eric,
> > >
> > > thanks for the response. I did added this option in public/external
zone
> > >
> > > firewall-cmd --permanent --add-service slp
> > > # firewall-cmd --reload
> > > Even though the slp services were not getting discovered by other
nodes.
> > > As soon as i delete this rule
> > >
> > > iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
> > >
> > > All starts working fine.
> > >
> > > That's why i am confused/clueless what can be done to make it work.
> >
> > Are you sure the other nodes requests are coming in on the default
zone?
> > What does --get-active-zones show?
> >
> > > Thanks
> > >
> > >
> > > On Wed, Nov 18, 2020, 12:32 AM Eric Garver <egarver(a)redhat.com>
wrote:
> > >
> > > > On Tue, Nov 17, 2020 at 06:19:09PM -0000, bsp team wrote:
> > > > > Below rule in iptables is causing the slptool to fail in
detecting
> > the
> > > > services of other hosts.
> > > > > REJECT all -- anywhere anywhere reject-with
icmp-host-prohibited
> > > > > I deleted it by using below command
> > > > > iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
> > > > > and slp started to discover from other node with firewall
enabled.
> > > > > however when i reload the firewalld or reboot it again went
back
to
> > > > original rule (REJECT)
> > > > > how can i delete this rule permanently so that even after
reoading
> > > > firewalld daemon it does not go back to default.
> > > > > or is there anyother way
> > > >
> > > > You should _not_ delete this rule. Doing so will likely leave your
> > > > firewall open and your server unprotected. I repeat. DO NOT DELETE
THIS
> > > > RULE.
> > > >
> > > > Instead add the `slp` service:
> > > >
> > > > # firewall-cmd --permanent --add-service slp
> > > > # firewall-cmd --reload
> > > >
> > > > The above adds it to the default zone (likely "public"). To
add it
to a
> > > > specific zone add the `--zone` argument.
> > > >
> > > > # firewall-cmd --permanent --zone external --add-service slp
> > > > # firewall-cmd --reload
> > > >
> > > >
> >
> > > _______________________________________________
> > > firewalld-users mailing list --
firewalld-users(a)lists.fedorahosted.org
> > > To unsubscribe send an email to
> > firewalld-users-leave(a)lists.fedorahosted.org
> > > Fedora Code of Conduct:
> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives:
> >
https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedora...
> >
> >
> _______________________________________________
> firewalld-users mailing list -- firewalld-users(a)lists.fedorahosted.org
> To unsubscribe send an email to
firewalld-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedora...
7:32 a.m.
On Wed, Nov 18, 2020 at 05:51:09PM +0530, Vishal K wrote:
Hello Eric/Team,
Please check the below snip from the 2 nodes on which i am working to make
slp service work , but it is not getting discovered from other node.
from same node it show the service
i have added the slp service in firewall at both the node . Can someone
help me in getting this issue fixed.
[image: image.png]
This is indeed a nice screenshot. Unfortunately it does not contain any
of the information I asked for.
Please copy/paste the output of the following command:
# firewall-cmd --list-all-zones
On Wed, Nov 18, 2020 at 2:58 AM Eric Garver <egarver(a)redhat.com> wrote:
> On Wed, Nov 18, 2020 at 01:06:52AM +0530, Vishal K wrote:
> > Hello Eric,
> >
> > I Will check that details(other nodes requests are coming in on the
> default
> > zone) and update.
> > Meanwhile i have another system where sles12 is runnin and there i see
> > below rule by default
> >
> > In INPUT chain
> > ACCEPT icmp -- anywhere anywhere ctstate RELATED
>
> I'm not sure where this rule is coming from. You can check the firewalld
> configuration.
>
> # firewall-cmd --list-all-zones
>
> >
> >
> > I wonder it's not there in sles15.
> >
> > Thanks
> >
> >
> >
> > On Wed, Nov 18, 2020, 12:47 AM Eric Garver <egarver(a)redhat.com> wrote:
> >
> > > On Wed, Nov 18, 2020 at 12:41:24AM +0530, Vishal K wrote:
> > > > Hello Eric,
> > > >
> > > > thanks for the response. I did added this option in public/external
> zone
> > > >
> > > > firewall-cmd --permanent --add-service slp
> > > > # firewall-cmd --reload
> > > > Even though the slp services were not getting discovered by other
> nodes.
> > > > As soon as i delete this rule
> > > >
> > > > iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
> > > >
> > > > All starts working fine.
> > > >
> > > > That's why i am confused/clueless what can be done to make it
work.
> > >
> > > Are you sure the other nodes requests are coming in on the default
> zone?
> > > What does --get-active-zones show?
> > >
> > > > Thanks
> > > >
> > > >
> > > > On Wed, Nov 18, 2020, 12:32 AM Eric Garver
<egarver(a)redhat.com>
> wrote:
> > > >
> > > > > On Tue, Nov 17, 2020 at 06:19:09PM -0000, bsp team wrote:
> > > > > > Below rule in iptables is causing the slptool to fail in
> detecting
> > > the
> > > > > services of other hosts.
> > > > > > REJECT all -- anywhere anywhere reject-with
icmp-host-prohibited
> > > > > > I deleted it by using below command
> > > > > > iptables -D INPUT -j REJECT --reject-with
icmp-host-prohibited
> > > > > > and slp started to discover from other node with firewall
> enabled.
> > > > > > however when i reload the firewalld or reboot it again went
back
> to
> > > > > original rule (REJECT)
> > > > > > how can i delete this rule permanently so that even after
> reoading
> > > > > firewalld daemon it does not go back to default.
> > > > > > or is there anyother way
> > > > >
> > > > > You should _not_ delete this rule. Doing so will likely leave
your
> > > > > firewall open and your server unprotected. I repeat. DO NOT
DELETE
> THIS
> > > > > RULE.
> > > > >
> > > > > Instead add the `slp` service:
> > > > >
> > > > > # firewall-cmd --permanent --add-service slp
> > > > > # firewall-cmd --reload
> > > > >
> > > > > The above adds it to the default zone (likely
"public"). To add it
> to a
> > > > > specific zone add the `--zone` argument.
> > > > >
> > > > > # firewall-cmd --permanent --zone external --add-service
slp
> > > > > # firewall-cmd --reload
> > > > >
> > > > >
> > >
> > > > _______________________________________________
> > > > firewalld-users mailing list --
> firewalld-users(a)lists.fedorahosted.org
> > > > To unsubscribe send an email to
> > > firewalld-users-leave(a)lists.fedorahosted.org
> > > > Fedora Code of Conduct:
> > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > > List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > List Archives:
> > >
> https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedora...
> > >
> > >
>
> > _______________________________________________
> > firewalld-users mailing list -- firewalld-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to
> firewalld-users-leave(a)lists.fedorahosted.org
> > Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedora...
>
>
_______________________________________________
firewalld-users mailing list -- firewalld-users(a)lists.fedorahosted.org
To unsubscribe send an email to firewalld-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedora...
7:49 a.m.
Hello Eric ,
PFA the output of command from both the nodes
On Wed, Nov 18, 2020 at 7:02 PM Eric Garver <egarver(a)redhat.com> wrote:
On Wed, Nov 18, 2020 at 05:51:09PM +0530, Vishal K wrote:
> Hello Eric/Team,
>
> Please check the below snip from the 2 nodes on which i am working to
make
> slp service work , but it is not getting discovered from other node.
> from same node it show the service
>
> i have added the slp service in firewall at both the node . Can someone
> help me in getting this issue fixed.
>
> [image: image.png]
This is indeed a nice screenshot. Unfortunately it does not contain any
of the information I asked for.
Please copy/paste the output of the following command:
# firewall-cmd --list-all-zones
>
> On Wed, Nov 18, 2020 at 2:58 AM Eric Garver <egarver(a)redhat.com> wrote:
>
> > On Wed, Nov 18, 2020 at 01:06:52AM +0530, Vishal K wrote:
> > > Hello Eric,
> > >
> > > I Will check that details(other nodes requests are coming in on the
> > default
> > > zone) and update.
> > > Meanwhile i have another system where sles12 is runnin and there i
see
> > > below rule by default
> > >
> > > In INPUT chain
> > > ACCEPT icmp -- anywhere anywhere ctstate RELATED
> >
> > I'm not sure where this rule is coming from. You can check the
firewalld
> > configuration.
> >
> > # firewall-cmd --list-all-zones
> >
> > >
> > >
> > > I wonder it's not there in sles15.
> > >
> > > Thanks
> > >
> > >
> > >
> > > On Wed, Nov 18, 2020, 12:47 AM Eric Garver <egarver(a)redhat.com>
wrote:
> > >
> > > > On Wed, Nov 18, 2020 at 12:41:24AM +0530, Vishal K wrote:
> > > > > Hello Eric,
> > > > >
> > > > > thanks for the response. I did added this option in
public/external
> > zone
> > > > >
> > > > > firewall-cmd --permanent --add-service slp
> > > > > # firewall-cmd --reload
> > > > > Even though the slp services were not getting discovered by
other
> > nodes.
> > > > > As soon as i delete this rule
> > > > >
> > > > > iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
> > > > >
> > > > > All starts working fine.
> > > > >
> > > > > That's why i am confused/clueless what can be done to make
it
work.
> > > >
> > > > Are you sure the other nodes requests are coming in on the default
> > zone?
> > > > What does --get-active-zones show?
> > > >
> > > > > Thanks
> > > > >
> > > > >
> > > > > On Wed, Nov 18, 2020, 12:32 AM Eric Garver
<egarver(a)redhat.com>
> > wrote:
> > > > >
> > > > > > On Tue, Nov 17, 2020 at 06:19:09PM -0000, bsp team wrote:
> > > > > > > Below rule in iptables is causing the slptool to fail
in
> > detecting
> > > > the
> > > > > > services of other hosts.
> > > > > > > REJECT all -- anywhere anywhere reject-with
icmp-host-prohibited
> > > > > > > I deleted it by using below command
> > > > > > > iptables -D INPUT -j REJECT --reject-with
icmp-host-prohibited
> > > > > > > and slp started to discover from other node with
firewall
> > enabled.
> > > > > > > however when i reload the firewalld or reboot it again
went
back
> > to
> > > > > > original rule (REJECT)
> > > > > > > how can i delete this rule permanently so that even
after
> > reoading
> > > > > > firewalld daemon it does not go back to default.
> > > > > > > or is there anyother way
> > > > > >
> > > > > > You should _not_ delete this rule. Doing so will likely
leave
your
> > > > > > firewall open and your server unprotected. I repeat. DO
NOT
DELETE
> > THIS
> > > > > > RULE.
> > > > > >
> > > > > > Instead add the `slp` service:
> > > > > >
> > > > > > # firewall-cmd --permanent --add-service slp
> > > > > > # firewall-cmd --reload
> > > > > >
> > > > > > The above adds it to the default zone (likely
"public"). To
add it
> > to a
> > > > > > specific zone add the `--zone` argument.
> > > > > >
> > > > > > # firewall-cmd --permanent --zone external
--add-service
slp
> > > > > > # firewall-cmd --reload
> > > > > >
> > > > > >
> > > >
> > > > > _______________________________________________
> > > > > firewalld-users mailing list --
> > firewalld-users(a)lists.fedorahosted.org
> > > > > To unsubscribe send an email to
> > > > firewalld-users-leave(a)lists.fedorahosted.org
> > > > > Fedora Code of Conduct:
> > > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > > > List Guidelines:
> > https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > > List Archives:
> > > >
> >
https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedora...
> > > >
> > > >
> >
> > > _______________________________________________
> > > firewalld-users mailing list --
firewalld-users(a)lists.fedorahosted.org
> > > To unsubscribe send an email to
> > firewalld-users-leave(a)lists.fedorahosted.org
> > > Fedora Code of Conduct:
> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives:
> >
https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedora...
> >
> >
> _______________________________________________
> firewalld-users mailing list -- firewalld-users(a)lists.fedorahosted.org
> To unsubscribe send an email to
firewalld-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedora...
11:23 a.m.
Hello Eric,
While we are investigating this issue.
*Meanwhile is there any way we can delete the below rule and make it
persistent after firewalld reload and reboot *
REJECT all -- anywhere anywhere reject-with
icmp-host-prohibited
i know iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
this will delete the rule but it is not persistent after firewall reload
and reboot
since i am stuck on this will need to get this going . Maybe later on i can
debug further to get a proper fix.
On Wed, Nov 18, 2020 at 7:19 PM Vishal K <bspteam00(a)gmail.com> wrote:
Hello Eric ,
PFA the output of command from both the nodes
On Wed, Nov 18, 2020 at 7:02 PM Eric Garver <egarver(a)redhat.com> wrote:
> On Wed, Nov 18, 2020 at 05:51:09PM +0530, Vishal K wrote:
> > Hello Eric/Team,
> >
> > Please check the below snip from the 2 nodes on which i am working to
> make
> > slp service work , but it is not getting discovered from other node.
> > from same node it show the service
> >
> > i have added the slp service in firewall at both the node . Can someone
> > help me in getting this issue fixed.
> >
> > [image: image.png]
>
> This is indeed a nice screenshot. Unfortunately it does not contain any
> of the information I asked for.
>
> Please copy/paste the output of the following command:
>
> # firewall-cmd --list-all-zones
>
> >
> > On Wed, Nov 18, 2020 at 2:58 AM Eric Garver <egarver(a)redhat.com> wrote:
> >
> > > On Wed, Nov 18, 2020 at 01:06:52AM +0530, Vishal K wrote:
> > > > Hello Eric,
> > > >
> > > > I Will check that details(other nodes requests are coming in on the
> > > default
> > > > zone) and update.
> > > > Meanwhile i have another system where sles12 is runnin and there i
> see
> > > > below rule by default
> > > >
> > > > In INPUT chain
> > > > ACCEPT icmp -- anywhere anywhere ctstate RELATED
> > >
> > > I'm not sure where this rule is coming from. You can check the
> firewalld
> > > configuration.
> > >
> > > # firewall-cmd --list-all-zones
> > >
> > > >
> > > >
> > > > I wonder it's not there in sles15.
> > > >
> > > > Thanks
> > > >
> > > >
> > > >
> > > > On Wed, Nov 18, 2020, 12:47 AM Eric Garver <egarver(a)redhat.com>
> wrote:
> > > >
> > > > > On Wed, Nov 18, 2020 at 12:41:24AM +0530, Vishal K wrote:
> > > > > > Hello Eric,
> > > > > >
> > > > > > thanks for the response. I did added this option in
> public/external
> > > zone
> > > > > >
> > > > > > firewall-cmd --permanent --add-service slp
> > > > > > # firewall-cmd --reload
> > > > > > Even though the slp services were not getting discovered by
> other
> > > nodes.
> > > > > > As soon as i delete this rule
> > > > > >
> > > > > > iptables -D INPUT -j REJECT --reject-with
icmp-host-prohibited
> > > > > >
> > > > > > All starts working fine.
> > > > > >
> > > > > > That's why i am confused/clueless what can be done to
make it
> work.
> > > > >
> > > > > Are you sure the other nodes requests are coming in on the
default
> > > zone?
> > > > > What does --get-active-zones show?
> > > > >
> > > > > > Thanks
> > > > > >
> > > > > >
> > > > > > On Wed, Nov 18, 2020, 12:32 AM Eric Garver
<egarver(a)redhat.com>
> > > wrote:
> > > > > >
> > > > > > > On Tue, Nov 17, 2020 at 06:19:09PM -0000, bsp team
wrote:
> > > > > > > > Below rule in iptables is causing the slptool to
fail in
> > > detecting
> > > > > the
> > > > > > > services of other hosts.
> > > > > > > > REJECT all -- anywhere anywhere reject-with
> icmp-host-prohibited
> > > > > > > > I deleted it by using below command
> > > > > > > > iptables -D INPUT -j REJECT --reject-with
> icmp-host-prohibited
> > > > > > > > and slp started to discover from other node with
firewall
> > > enabled.
> > > > > > > > however when i reload the firewalld or reboot it
again went
> back
> > > to
> > > > > > > original rule (REJECT)
> > > > > > > > how can i delete this rule permanently so that
even after
> > > reoading
> > > > > > > firewalld daemon it does not go back to default.
> > > > > > > > or is there anyother way
> > > > > > >
> > > > > > > You should _not_ delete this rule. Doing so will likely
leave
> your
> > > > > > > firewall open and your server unprotected. I repeat. DO
NOT
> DELETE
> > > THIS
> > > > > > > RULE.
> > > > > > >
> > > > > > > Instead add the `slp` service:
> > > > > > >
> > > > > > > # firewall-cmd --permanent --add-service slp
> > > > > > > # firewall-cmd --reload
> > > > > > >
> > > > > > > The above adds it to the default zone (likely
"public"). To
> add it
> > > to a
> > > > > > > specific zone add the `--zone` argument.
> > > > > > >
> > > > > > > # firewall-cmd --permanent --zone external
--add-service
> slp
> > > > > > > # firewall-cmd --reload
> > > > > > >
> > > > > > >
> > > > >
> > > > > > _______________________________________________
> > > > > > firewalld-users mailing list --
> > > firewalld-users(a)lists.fedorahosted.org
> > > > > > To unsubscribe send an email to
> > > > > firewalld-users-leave(a)lists.fedorahosted.org
> > > > > > Fedora Code of Conduct:
> > > > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > > > > List Guidelines:
> > > https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > > > List Archives:
> > > > >
> > >
> https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedora...
> > > > >
> > > > >
> > >
> > > > _______________________________________________
> > > > firewalld-users mailing list --
> firewalld-users(a)lists.fedorahosted.org
> > > > To unsubscribe send an email to
> > > firewalld-users-leave(a)lists.fedorahosted.org
> > > > Fedora Code of Conduct:
> > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > > List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > List Archives:
> > >
> https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedora...
> > >
> > >
>
>
>
> > _______________________________________________
> > firewalld-users mailing list -- firewalld-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to
> firewalld-users-leave(a)lists.fedorahosted.org
> > Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedora...
>
>
6:04 p.m.
On Wed, Nov 18, 2020 at 10:53:26PM +0530, Vishal K wrote:
Hello Eric,
While we are investigating this issue.
*Meanwhile is there any way we can delete the below rule and make it
persistent after firewalld reload and reboot *
REJECT all -- anywhere anywhere reject-with
icmp-host-prohibited
No. This rule is vital to firewalld's functionality. Deleting it makes
firewalld accept all packets in many cases.
i know iptables -D INPUT -j REJECT --reject-with
icmp-host-prohibited
this will delete the rule but it is not persistent after firewall reload
and reboot
since i am stuck on this will need to get this going . Maybe later on i can
debug further to get a proper fix.
On Wed, Nov 18, 2020 at 7:19 PM Vishal K <bspteam00(a)gmail.com> wrote:
> Hello Eric ,
>
> PFA the output of command from both the nodes
>
> On Wed, Nov 18, 2020 at 7:02 PM Eric Garver <egarver(a)redhat.com> wrote:
>
>> On Wed, Nov 18, 2020 at 05:51:09PM +0530, Vishal K wrote:
>> > Hello Eric/Team,
>> >
>> > Please check the below snip from the 2 nodes on which i am working to
>> make
>> > slp service work , but it is not getting discovered from other node.
>> > from same node it show the service
>> >
>> > i have added the slp service in firewall at both the node . Can someone
>> > help me in getting this issue fixed.
>> >
>> > [image: image.png]
>>
>> This is indeed a nice screenshot. Unfortunately it does not contain any
>> of the information I asked for.
>>
>> Please copy/paste the output of the following command:
>>
>> # firewall-cmd --list-all-zones
>>
>> >
>> > On Wed, Nov 18, 2020 at 2:58 AM Eric Garver <egarver(a)redhat.com>
wrote:
>> >
>> > > On Wed, Nov 18, 2020 at 01:06:52AM +0530, Vishal K wrote:
>> > > > Hello Eric,
>> > > >
>> > > > I Will check that details(other nodes requests are coming in on
the
>> > > default
>> > > > zone) and update.
>> > > > Meanwhile i have another system where sles12 is runnin and there
i
>> see
>> > > > below rule by default
>> > > >
>> > > > In INPUT chain
>> > > > ACCEPT icmp -- anywhere anywhere ctstate RELATED
>> > >
>> > > I'm not sure where this rule is coming from. You can check the
>> firewalld
>> > > configuration.
>> > >
>> > > # firewall-cmd --list-all-zones
>> > >
>> > > >
>> > > >
>> > > > I wonder it's not there in sles15.
>> > > >
>> > > > Thanks
>> > > >
>> > > >
>> > > >
>> > > > On Wed, Nov 18, 2020, 12:47 AM Eric Garver
<egarver(a)redhat.com>
>> wrote:
>> > > >
>> > > > > On Wed, Nov 18, 2020 at 12:41:24AM +0530, Vishal K wrote:
>> > > > > > Hello Eric,
>> > > > > >
>> > > > > > thanks for the response. I did added this option in
>> public/external
>> > > zone
>> > > > > >
>> > > > > > firewall-cmd --permanent --add-service slp
>> > > > > > # firewall-cmd --reload
>> > > > > > Even though the slp services were not getting
discovered by
>> other
>> > > nodes.
>> > > > > > As soon as i delete this rule
>> > > > > >
>> > > > > > iptables -D INPUT -j REJECT --reject-with
icmp-host-prohibited
>> > > > > >
>> > > > > > All starts working fine.
>> > > > > >
>> > > > > > That's why i am confused/clueless what can be done
to make it
>> work.
>> > > > >
>> > > > > Are you sure the other nodes requests are coming in on the
default
>> > > zone?
>> > > > > What does --get-active-zones show?
>> > > > >
>> > > > > > Thanks
>> > > > > >
>> > > > > >
>> > > > > > On Wed, Nov 18, 2020, 12:32 AM Eric Garver
<egarver(a)redhat.com>
>> > > wrote:
>> > > > > >
>> > > > > > > On Tue, Nov 17, 2020 at 06:19:09PM -0000, bsp team
wrote:
>> > > > > > > > Below rule in iptables is causing the slptool
to fail in
>> > > detecting
>> > > > > the
>> > > > > > > services of other hosts.
>> > > > > > > > REJECT all -- anywhere anywhere reject-with
>> icmp-host-prohibited
>> > > > > > > > I deleted it by using below command
>> > > > > > > > iptables -D INPUT -j REJECT --reject-with
>> icmp-host-prohibited
>> > > > > > > > and slp started to discover from other node
with firewall
>> > > enabled.
>> > > > > > > > however when i reload the firewalld or reboot
it again went
>> back
>> > > to
>> > > > > > > original rule (REJECT)
>> > > > > > > > how can i delete this rule permanently so
that even after
>> > > reoading
>> > > > > > > firewalld daemon it does not go back to default.
>> > > > > > > > or is there anyother way
>> > > > > > >
>> > > > > > > You should _not_ delete this rule. Doing so will
likely leave
>> your
>> > > > > > > firewall open and your server unprotected. I
repeat. DO NOT
>> DELETE
>> > > THIS
>> > > > > > > RULE.
>> > > > > > >
>> > > > > > > Instead add the `slp` service:
>> > > > > > >
>> > > > > > > # firewall-cmd --permanent --add-service slp
>> > > > > > > # firewall-cmd --reload
>> > > > > > >
>> > > > > > > The above adds it to the default zone (likely
"public"). To
>> add it
>> > > to a
>> > > > > > > specific zone add the `--zone` argument.
>> > > > > > >
>> > > > > > > # firewall-cmd --permanent --zone external
--add-service
>> slp
>> > > > > > > # firewall-cmd --reload
>> > > > > > >
>> > > > > > >
>> > > > >
>> > > > > > _______________________________________________
>> > > > > > firewalld-users mailing list --
>> > > firewalld-users(a)lists.fedorahosted.org
>> > > > > > To unsubscribe send an email to
>> > > > > firewalld-users-leave(a)lists.fedorahosted.org
>> > > > > > Fedora Code of Conduct:
>> > > > >
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> > > > > > List Guidelines:
>> > > https://fedoraproject.org/wiki/Mailing_list_guidelines
>> > > > > > List Archives:
>> > > > >
>> > >
>>
https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedora...
>> > > > >
>> > > > >
>> > >
>> > > > _______________________________________________
>> > > > firewalld-users mailing list --
>> firewalld-users(a)lists.fedorahosted.org
>> > > > To unsubscribe send an email to
>> > > firewalld-users-leave(a)lists.fedorahosted.org
>> > > > Fedora Code of Conduct:
>> > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> > > > List Guidelines:
>> https://fedoraproject.org/wiki/Mailing_list_guidelines
>> > > > List Archives:
>> > >
>>
https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedora...
>> > >
>> > >
>>
>>
>>
>> > _______________________________________________
>> > firewalld-users mailing list -- firewalld-users(a)lists.fedorahosted.org
>> > To unsubscribe send an email to
>> firewalld-users-leave(a)lists.fedorahosted.org
>> > Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> > List Archives:
>>
https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedora...
>>
>>
_______________________________________________
firewalld-users mailing list -- firewalld-users(a)lists.fedorahosted.org
To unsubscribe send an email to firewalld-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedora...
6:03 p.m.
On Wed, Nov 18, 2020 at 07:19:49PM +0530, Vishal K wrote:
Hello Eric ,
PFA the output of command from both the nodes
Thanks. What is the output of this command?
# firewall-cmd --get-default-zone
On Wed, Nov 18, 2020 at 7:02 PM Eric Garver <egarver(a)redhat.com> wrote:
> On Wed, Nov 18, 2020 at 05:51:09PM +0530, Vishal K wrote:
> > Hello Eric/Team,
> >
> > Please check the below snip from the 2 nodes on which i am working to
> make
> > slp service work , but it is not getting discovered from other node.
> > from same node it show the service
> >
> > i have added the slp service in firewall at both the node . Can someone
> > help me in getting this issue fixed.
> >
> > [image: image.png]
>
> This is indeed a nice screenshot. Unfortunately it does not contain any
> of the information I asked for.
>
> Please copy/paste the output of the following command:
>
> # firewall-cmd --list-all-zones
>
> >
> > On Wed, Nov 18, 2020 at 2:58 AM Eric Garver <egarver(a)redhat.com> wrote:
> >
> > > On Wed, Nov 18, 2020 at 01:06:52AM +0530, Vishal K wrote:
> > > > Hello Eric,
> > > >
> > > > I Will check that details(other nodes requests are coming in on the
> > > default
> > > > zone) and update.
> > > > Meanwhile i have another system where sles12 is runnin and there i
> see
> > > > below rule by default
> > > >
> > > > In INPUT chain
> > > > ACCEPT icmp -- anywhere anywhere ctstate RELATED
> > >
> > > I'm not sure where this rule is coming from. You can check the
> firewalld
> > > configuration.
> > >
> > > # firewall-cmd --list-all-zones
> > >
> > > >
> > > >
> > > > I wonder it's not there in sles15.
> > > >
> > > > Thanks
> > > >
> > > >
> > > >
> > > > On Wed, Nov 18, 2020, 12:47 AM Eric Garver
<egarver(a)redhat.com>
> wrote:
> > > >
> > > > > On Wed, Nov 18, 2020 at 12:41:24AM +0530, Vishal K wrote:
> > > > > > Hello Eric,
> > > > > >
> > > > > > thanks for the response. I did added this option in
> public/external
> > > zone
> > > > > >
> > > > > > firewall-cmd --permanent --add-service slp
> > > > > > # firewall-cmd --reload
> > > > > > Even though the slp services were not getting discovered by
other
> > > nodes.
> > > > > > As soon as i delete this rule
> > > > > >
> > > > > > iptables -D INPUT -j REJECT --reject-with
icmp-host-prohibited
> > > > > >
> > > > > > All starts working fine.
> > > > > >
> > > > > > That's why i am confused/clueless what can be done to
make it
> work.
> > > > >
> > > > > Are you sure the other nodes requests are coming in on the
default
> > > zone?
> > > > > What does --get-active-zones show?
> > > > >
> > > > > > Thanks
> > > > > >
> > > > > >
> > > > > > On Wed, Nov 18, 2020, 12:32 AM Eric Garver
<egarver(a)redhat.com>
> > > wrote:
> > > > > >
> > > > > > > On Tue, Nov 17, 2020 at 06:19:09PM -0000, bsp team
wrote:
> > > > > > > > Below rule in iptables is causing the slptool to
fail in
> > > detecting
> > > > > the
> > > > > > > services of other hosts.
> > > > > > > > REJECT all -- anywhere anywhere reject-with
> icmp-host-prohibited
> > > > > > > > I deleted it by using below command
> > > > > > > > iptables -D INPUT -j REJECT --reject-with
> icmp-host-prohibited
> > > > > > > > and slp started to discover from other node with
firewall
> > > enabled.
> > > > > > > > however when i reload the firewalld or reboot it
again went
> back
> > > to
> > > > > > > original rule (REJECT)
> > > > > > > > how can i delete this rule permanently so that
even after
> > > reoading
> > > > > > > firewalld daemon it does not go back to default.
> > > > > > > > or is there anyother way
> > > > > > >
> > > > > > > You should _not_ delete this rule. Doing so will
likely leave
> your
> > > > > > > firewall open and your server unprotected. I repeat.
DO NOT
> DELETE
> > > THIS
> > > > > > > RULE.
> > > > > > >
> > > > > > > Instead add the `slp` service:
> > > > > > >
> > > > > > > # firewall-cmd --permanent --add-service slp
> > > > > > > # firewall-cmd --reload
> > > > > > >
> > > > > > > The above adds it to the default zone (likely
"public"). To
> add it
> > > to a
> > > > > > > specific zone add the `--zone` argument.
> > > > > > >
> > > > > > > # firewall-cmd --permanent --zone external
--add-service
> slp
> > > > > > > # firewall-cmd --reload
> > > > > > >
> > > > > > >
> > > > >
> > > > > > _______________________________________________
> > > > > > firewalld-users mailing list --
> > > firewalld-users(a)lists.fedorahosted.org
> > > > > > To unsubscribe send an email to
> > > > > firewalld-users-leave(a)lists.fedorahosted.org
> > > > > > Fedora Code of Conduct:
> > > > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > > > > List Guidelines:
> > > https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > > > List Archives:
> > > > >
> > >
> https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedora...
> > > > >
> > > > >
> > >
> > > > _______________________________________________
> > > > firewalld-users mailing list --
> firewalld-users(a)lists.fedorahosted.org
> > > > To unsubscribe send an email to
> > > firewalld-users-leave(a)lists.fedorahosted.org
> > > > Fedora Code of Conduct:
> > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > > List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > List Archives:
> > >
> https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedora...
> > >
> > >
>
>
>
> > _______________________________________________
> > firewalld-users mailing list -- firewalld-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to
> firewalld-users-leave(a)lists.fedorahosted.org
> > Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedora...
>
>
_______________________________________________
firewalld-users mailing list -- firewalld-users(a)lists.fedorahosted.org
To unsubscribe send an email to firewalld-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedora...
12:44 p.m.
New subject: firewalld ipset
I want to add a "blacklist" or "blocklist" that would allow me to add
country codes (cn.zone for example) and also be able to add individual ip addresses.
I tried:firewall-cmd --permanent --new-ipset=blacklist --type=hash:ip,port,net
--option=family=inet --option=hashsize=4096 --option=maxelem=200000
firewall-cmd --reload
This did not give me an error until I tried to add cn.zone
firewall-cmd --permanent --ipset=blacklist
--add-entries-from-file=/root/install/country-codes/ipv4/cn.zone
I got: }}}, {"add": {"rule": {"family": "ip6",
"table": "firewalld", "chain": "nat_POST_public",
"expr": [{"jump": {"target":
"nat_POST_public_post"}}]}}}, {"insert": {"rule":
{"family": "ip", "table": "firewalld",
"chain": "nat_POSTROUTING_ZONES", "expr":
[{"match": {"left": {"meta": {"key":
"oifname"}}, "op": "==", "right":
"ens3"}}, {"goto": {"target":
"nat_POST_public"}}]}}}, {"insert": {"rule":
{"family": "ip6", "table": "firewalld",
"chain": "nat_POSTROUTING_ZONES", "expr":
[{"match": {"left": {"meta": {"key":
"oifname"}}, "op": "==", "right":
"ens3"}}, {"goto": {"target":
"nat_POST_public"}}]}}}, {"insert": {"rule":
{"family": "inet", "table": "firewalld",
"chain": "filter_INPUT_ZONES", "expr": [{"match":
{"left": {"meta": {"key": "iifname"}},
"op": "==", "right": "ens3"}}, {"goto":
{"target": "filter_IN_public"}}]}}}, {"insert":
{"rule": {"family": "inet", "table":
"firewalld", "chain": "filter_FORWARD_IN_ZONES",
"expr": [{"match": {"left": {"meta":
{"key": "iifname"}}, "op": "==",
"right": "ens3"}}, {"goto": {"target":
"filter_FWDI_public"}}]}}}, {"add": {"chain":
{"family": "inet", "table": "firewalld",
"name": "filter_FWDO_public"}}}, {"add": {"chain":
{"family": "inet", "table": "firewalld",
"name": "filter_FWDO_public_pre"}}}, {"add":
{"chain": {"family": "inet", "table":
"firewalld", "name": "filter_FWDO_public_log"}}},
{"add": {"chain": {"family": "inet",
"table": "firewalld", "name":
"filter_FWDO_public_deny"}}}, {"add": {"chain":
{"family": "inet", "table": "firewalld",
"name": "filter_FWDO_public_allow"}}}, {"add":
{"chain": {"family": "inet", "table":
"firewalld", "name": "filter_FWDO_public_post"}}},
{"add": {"rule": {"family": "inet",
"table": "firewalld", "chain":
"filter_FWDO_public", "expr": [{"jump": {"target":
"filter_FWDO_public_pre"}}]}}}, {"add": {"rule":
{"family": "inet", "table": "firewalld",
"chain": "filter_FWDO_public", "expr": [{"jump":
{"target": "filter_FWDO_public_log"}}]}}}, {"add":
{"rule": {"family": "inet", "table":
"firewalld", "chain": "filter_FWDO_public",
"expr": [{"jump": {"target":
"filter_FWDO_public_deny"}}]}}}, {"add": {"rule":
{"family": "inet", "table": "firewalld",
"chain": "filter_FWDO_public", "expr": [{"jump":
{"target": "filter_FWDO_public_allow"}}]}}}, {"add":
{"rule": {"family": "inet", "table":
"firewalld", "chain": "filter_FWDO_public",
"expr": [{"jump": {"target":
"filter_FWDO_public_post"}}]}}}, {"insert": {"rule":
{"family": "inet", "table": "firewalld",
"chain": "filter_FORWARD_OUT_ZONES", "expr":
[{"match": {"left": {"meta": {"key":
"oifname"}}, "op": "==", "right":
"ens3"}}, {"goto": {"target":
"filter_FWDO_public"}}]}}}]}Error: INVALID_IPSET: ipset type '' not
usable
If I can't add ip, port and net at once, could someone tell me how I could add country
codes as well as single ip addresses to blacklist or blocklist?
TIA!
1:18 p.m.
New subject: firewalld ipset
On Thu, Nov 19, 2020 at 06:44:33PM +0000, Steve Frazier wrote:
I want to add a "blacklist" or "blocklist" that
would allow me to add country codes (cn.zone for example) and also be able to add
individual ip addresses.
I tried:firewall-cmd --permanent --new-ipset=blacklist --type=hash:ip,port,net
--option=family=inet --option=hashsize=4096 --option=maxelem=200000
firewall-cmd --reload
This did not give me an error until I tried to add cn.zone
firewall-cmd --permanent --ipset=blacklist
--add-entries-from-file=/root/install/country-codes/ipv4/cn.zone
The country zone files should be one entry per line in CIDR notation,
e.g. "1.2.3.0/24". So an ipset of type "hash:net" is what you want.
Try creating your ipset with "hash:net" type
# firewall-cmd --permanent --new-ipset=blacklist --type=hash:ip,port,net
--option=family=inet --option=hashsize=4096 --option=maxelem=200000
Then add your entries:
# firewall-cmd --permanent --ipset=blacklist
--add-entries-from-file=/root/install/country-codes/ipv4/cn.zone
1262
days inactive
1264
days old
firewalld-users@lists.fedorahosted.org
13 comments
4 participants
participants (4)
-
bsp team -
Eric Garver -
Steve Frazier -
Vishal K