The below rule in iptables is causing slptool to fail in detecting the services of other hosts:

REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

I deleted it by using the below command

iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited

and slp started to discover from the other node with the firewall enabled. However, when I reload firewalld or reboot, it again went back to the original rule (REJECT). How can I delete this rule permanently so that even after reloading the firewalld daemon it does not go back to the default? Or is there any other way?
On Tue, Nov 17, 2020 at 06:19:09PM -0000, bsp team wrote:
The below rule in iptables is causing slptool to fail in detecting the services of other hosts:

REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

I deleted it by using the below command

iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited

and slp started to discover from the other node with the firewall enabled. However, when I reload firewalld or reboot, it again went back to the original rule (REJECT). How can I delete this rule permanently so that even after reloading the firewalld daemon it does not go back to the default? Or is there any other way?
You should _not_ delete this rule. Doing so will likely leave your firewall open and your server unprotected. I repeat. DO NOT DELETE THIS RULE.
Instead add the `slp` service:
# firewall-cmd --permanent --add-service slp
# firewall-cmd --reload
The above adds it to the default zone (likely "public"). To add it to a specific zone add the `--zone` argument.
# firewall-cmd --permanent --zone external --add-service slp
# firewall-cmd --reload
Hello Eric,
Thanks for the response. I did add this option in the public/external zone:

# firewall-cmd --permanent --add-service slp
# firewall-cmd --reload

Even so, the slp services were not getting discovered by other nodes. As soon as I delete this rule

iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited

all starts working fine.

That's why I am confused/clueless about what can be done to make it work.
Thanks
On Wed, Nov 18, 2020 at 12:41:24AM +0530, Vishal K wrote:
Hello Eric,
Thanks for the response. I did add this option in the public/external zone:

# firewall-cmd --permanent --add-service slp
# firewall-cmd --reload

Even so, the slp services were not getting discovered by other nodes. As soon as I delete this rule

iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited

all starts working fine.

That's why I am confused/clueless about what can be done to make it work.
Are you sure the other nodes' requests are coming in on the default zone? What does --get-active-zones show?
firewalld-users mailing list -- firewalld-users@lists.fedorahosted.org To unsubscribe send an email to firewalld-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedorahos...
Hello Eric,
I will check those details (whether the other nodes' requests are coming in on the default zone) and update. Meanwhile, I have another system where sles12 is running, and there I see the below rule by default in the INPUT chain:

ACCEPT icmp -- anywhere anywhere ctstate RELATED

I wonder why it's not there in sles15.
Thanks
On Wed, Nov 18, 2020 at 01:06:52AM +0530, Vishal K wrote:
Hello Eric,
I will check those details (whether the other nodes' requests are coming in on the default zone) and update. Meanwhile, I have another system where sles12 is running, and there I see the below rule by default in the INPUT chain:

ACCEPT icmp -- anywhere anywhere ctstate RELATED
I'm not sure where this rule is coming from. You can check the firewalld configuration.
# firewall-cmd --list-all-zones
I wonder why it's not there in sles15.
Hello Eric/Team,
Please check the below snip from the 2 nodes on which I am working to make the slp service work, but it is not getting discovered from the other node. From the same node it shows the service.
I have added the slp service in the firewall at both the nodes. Can someone help me in getting this issue fixed?
[image: image.png]
On Wed, Nov 18, 2020 at 05:51:09PM +0530, Vishal K wrote:
Hello Eric/Team,
Please check the below snip from the 2 nodes on which I am working to make the slp service work, but it is not getting discovered from the other node. From the same node it shows the service.
I have added the slp service in the firewall at both the nodes. Can someone help me in getting this issue fixed?
[image: image.png]
This is indeed a nice screenshot. Unfortunately it does not contain any of the information I asked for.
Please copy/paste the output of the following command:
# firewall-cmd --list-all-zones
Hello Eric,
PFA the output of the command from both the nodes.
Hello Eric,
While we are investigating this issue, meanwhile, is there any way we can delete the below rule and make that persistent after a firewalld reload and reboot?

REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

I know

iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited

will delete the rule, but it is not persistent after a firewall reload and reboot.

Since I am stuck on this, I will need to get this going. Maybe later on I can debug further to get a proper fix.
On Wed, Nov 18, 2020 at 10:53:26PM +0530, Vishal K wrote:
Hello Eric,
While we are investigating this issue, meanwhile, is there any way we can delete the below rule and make that persistent after a firewalld reload and reboot?

REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
No. This rule is vital to firewalld's functionality. Deleting it makes firewalld accept all packets in many cases.
I know

iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited

will delete the rule, but it is not persistent after a firewall reload and reboot.

Since I am stuck on this, I will need to get this going. Maybe later on I can debug further to get a proper fix.
On Wed, Nov 18, 2020 at 7:19 PM Vishal K bspteam00@gmail.com wrote:
Hello Eric ,
PFA the output of command from both the nodes
On Wed, Nov 18, 2020 at 7:02 PM Eric Garver egarver@redhat.com wrote:
On Wed, Nov 18, 2020 at 05:51:09PM +0530, Vishal K wrote:
Hello Eric/Team,
Please check the below snip from the 2 nodes on which i am working to
make
slp service work , but it is not getting discovered from other node. from same node it show the service
i have added the slp service in firewall at both the node . Can someone help me in getting this issue fixed.
[image: image.png]
This is indeed a nice screenshot. Unfortunately it does not contain any of the information I asked for.
Please copy/paste the output of the following command:
# firewall-cmd --list-all-zones
On Wed, Nov 18, 2020 at 2:58 AM Eric Garver egarver@redhat.com wrote:
On Wed, Nov 18, 2020 at 01:06:52AM +0530, Vishal K wrote:
Hello Eric,
I Will check that details(other nodes requests are coming in on the
default
zone) and update. Meanwhile i have another system where sles12 is runnin and there i
see
below rule by default
In INPUT chain ACCEPT icmp -- anywhere anywhere ctstate RELATED
I'm not sure where this rule is coming from. You can check the
firewalld
configuration.
# firewall-cmd --list-all-zones
I wonder it's not there in sles15.
Thanks
On Wed, Nov 18, 2020, 12:47 AM Eric Garver egarver@redhat.com
wrote:
> On Wed, Nov 18, 2020 at 12:41:24AM +0530, Vishal K wrote: > > Hello Eric, > > > > thanks for the response. I did added this option in
public/external
zone
> > > > firewall-cmd --permanent --add-service slp > > # firewall-cmd --reload > > Even though the slp services were not getting discovered by
other
nodes.
> > As soon as i delete this rule > > > > iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited > > > > All starts working fine. > > > > That's why i am confused/clueless what can be done to make it
work.
> > Are you sure the other nodes requests are coming in on the default
zone?
> What does --get-active-zones show? > > > Thanks > > > > > > On Wed, Nov 18, 2020, 12:32 AM Eric Garver egarver@redhat.com
wrote:
> > > > > On Tue, Nov 17, 2020 at 06:19:09PM -0000, bsp team wrote: > > > > Below rule in iptables is causing the slptool to fail in
detecting
> the > > > services of other hosts. > > > > REJECT all -- anywhere anywhere reject-with
icmp-host-prohibited
> > > > I deleted it by using below command > > > > iptables -D INPUT -j REJECT --reject-with
icmp-host-prohibited
> > > > and slp started to discover from other node with firewall
enabled.
> > > > however when i reload the firewalld or reboot it again went
back
to
> > > original rule (REJECT) > > > > how can i delete this rule permanently so that even after
reoading
> > > firewalld daemon it does not go back to default. > > > > or is there anyother way > > > > > > You should _not_ delete this rule. Doing so will likely leave
your
> > > firewall open and your server unprotected. I repeat. DO NOT
DELETE
THIS
> > > RULE. > > > > > > Instead add the `slp` service: > > > > > > # firewall-cmd --permanent --add-service slp > > > # firewall-cmd --reload > > > > > > The above adds it to the default zone (likely "public"). To
add it
to a
> > > specific zone add the `--zone` argument. > > > > > > # firewall-cmd --permanent --zone external --add-service
slp
> > > # firewall-cmd --reload > > > > > > > > > _______________________________________________ > > firewalld-users mailing list --
_______________________________________________
firewalld-users mailing list -- firewalld-users@lists.fedorahosted.org
To unsubscribe send an email to firewalld-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedorahos...
On Wed, Nov 18, 2020 at 07:19:49PM +0530, Vishal K wrote:
> Hello Eric,
>
> PFA the output of the command from both the nodes.

Thanks. What is the output of this command?

# firewall-cmd --get-default-zone

> On Wed, Nov 18, 2020 at 7:02 PM Eric Garver egarver@redhat.com wrote:
> > On Wed, Nov 18, 2020 at 05:51:09PM +0530, Vishal K wrote:
> > > Hello Eric/Team,
> > >
> > > Please check the below snip from the 2 nodes on which I am working to
> > > make the slp service work, but it is not getting discovered from the
> > > other node. From the same node it shows the service.
> > > I have added the slp service in the firewall on both nodes. Can someone
> > > help me in getting this issue fixed.
> > >
> > > [image: image.png]
> >
> > This is indeed a nice screenshot. Unfortunately it does not contain any
> > of the information I asked for.
> >
> > Please copy/paste the output of the following command:
> >
> > # firewall-cmd --list-all-zones
> >
> > > On Wed, Nov 18, 2020 at 2:58 AM Eric Garver egarver@redhat.com wrote:
> > > > On Wed, Nov 18, 2020 at 01:06:52AM +0530, Vishal K wrote:
> > > > > Hello Eric,
> > > > >
> > > > > I will check those details (whether the other nodes' requests are
> > > > > coming in on the default zone) and update. Meanwhile I have another
> > > > > system where sles12 is running, and there I see the below rule by
> > > > > default:
> > > > >
> > > > > In INPUT chain: ACCEPT icmp -- anywhere anywhere ctstate RELATED
> > > >
> > > > I'm not sure where this rule is coming from. You can check the
> > > > firewalld configuration.
> > > >
> > > > # firewall-cmd --list-all-zones
> > > >
> > > > > I wonder why it's not there in sles15.
> > > > >
> > > > > Thanks
> > > > >
> > > > > On Wed, Nov 18, 2020, 12:47 AM Eric Garver egarver@redhat.com wrote:
> > > > > > On Wed, Nov 18, 2020 at 12:41:24AM +0530, Vishal K wrote:
> > > > > > > Hello Eric,
> > > > > > >
> > > > > > > Thanks for the response. I did add this option in the
> > > > > > > public/external zone:
> > > > > > >
> > > > > > > firewall-cmd --permanent --add-service slp
> > > > > > > # firewall-cmd --reload
> > > > > > >
> > > > > > > Even then, the slp services were not getting discovered by other
> > > > > > > nodes. As soon as I delete this rule
> > > > > > >
> > > > > > > iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
> > > > > > >
> > > > > > > all starts working fine.
> > > > > > >
> > > > > > > That's why I am confused/clueless what can be done to make it
> > > > > > > work.
> > > > > >
> > > > > > Are you sure the other nodes' requests are coming in on the
> > > > > > default zone?
> > > > > >
> > > > > > What does --get-active-zones show?
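The check Eric keeps asking for, as an added example that is not part of this thread or of firewalld itself: the slp service was added to the default zone, but if the peer's packets arrive on an interface bound to a different zone (or match a sources: binding), that zone's own rules apply and the catch-all REJECT at its end is what slptool runs into. The script parses the layout that `firewall-cmd --get-active-zones` prints (zone name on an unindented line, an indented `interfaces:` line beneath it), finds the zone that owns a given interface, and prints the `--zone=` variant of Eric's command for that zone. The interface names ens3/ens4/ens5 and the two-zone layout are constructed sample data; the live branch only runs when `firewall-cmd` exists and it still only prints the commands rather than executing them.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): find which firewalld zone
# an interface is bound to, then open the slp service in THAT zone instead of
# deleting the zone's catch-all REJECT rule. Commands are printed, not run.

# Constructed sample of `firewall-cmd --get-active-zones` output. Interface
# names and zone layout are assumptions for the example.
SAMPLE_ACTIVE_ZONES='public
  interfaces: ens3
internal
  interfaces: ens4 ens5'

# zone_for_iface IFACE ACTIVE_ZONES_TEXT
# Walk the output: an unindented line names a zone, an indented
# "interfaces:" line lists that zone's interfaces. Prints the owning zone,
# or nothing if no active zone lists IFACE (sources: bindings are ignored).
zone_for_iface() {
    iface=$1
    printf '%s\n' "$2" | awk -v want="$iface" '
        /^[^ \t]/ { zone = $1; next }
        /^[ \t]+interfaces:/ {
            for (i = 2; i <= NF; i++)
                if ($i == want) { print zone; exit }
        }'
}

# slp_commands IFACE ACTIVE_ZONES_TEXT
# Emit the firewall-cmd calls that open the stock slp service (tcp and udp
# 427) in the zone that actually receives traffic on IFACE. When no active
# zone lists the interface, fall back to Eric's default-zone form.
slp_commands() {
    zone=$(zone_for_iface "$1" "$2")
    if [ -n "$zone" ]; then
        printf 'firewall-cmd --permanent --zone=%s --add-service=slp\n' "$zone"
    else
        echo "no active zone lists $1; it falls into the default zone" \
             "(check --get-default-zone and any sources: bindings)" >&2
        printf 'firewall-cmd --permanent --add-service=slp\n'
    fi
    printf 'firewall-cmd --reload\n'
}

# Usage: `sh this.sh ens3` on a firewalld host prints the commands for the
# real zone table; without an argument (or without firewall-cmd) it uses the
# constructed sample so the logic can be exercised anywhere.
if [ -n "${1:-}" ] && command -v firewall-cmd >/dev/null 2>&1; then
    active=$(firewall-cmd --get-active-zones 2>/dev/null) || active=""
    if [ -n "$active" ]; then
        slp_commands "$1" "$active"
    fi
else
    slp_commands ens4 "$SAMPLE_ACTIVE_ZONES"
fi
```

On a live host the one-line equivalent of `zone_for_iface` is `firewall-cmd --get-zone-of-interface=ens3`; after the reload, `firewall-cmd --zone=<zone> --list-services` should show `slp`, and `firewall-cmd --info-service=slp` shows which ports the service definition opens. If the peer still cannot discover the host, the remaining suspect is the zone whose `sources:` line matches the peer's address, which wins over the interface binding.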
I want to add a "blacklist" or "blocklist" that would allow me to add country codes (cn.zone for example) and also be able to add individual IP addresses. I tried:

firewall-cmd --permanent --new-ipset=blacklist --type=hash:ip,port,net --option=family=inet --option=hashsize=4096 --option=maxelem=200000
firewall-cmd --reload

This did not give me an error until I tried to add cn.zone:

firewall-cmd --permanent --ipset=blacklist --add-entries-from-file=/root/install/country-codes/ipv4/cn.zone
I got: }}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_post"}}]}}}, {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "ens3"}}, {"goto": {"target": "nat_POST_public"}}]}}}, {"insert": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "ens3"}}, {"goto": {"target": "nat_POST_public"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "ens3"}}, {"goto": {"target": "filter_IN_public"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_IN_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "ens3"}}, {"goto": {"target": "filter_FWDI_public"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_public", "expr": [{"jump": {"target": "filter_FWDO_public_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_public", "expr": [{"jump": {"target": "filter_FWDO_public_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": 
"firewalld", "chain": "filter_FWDO_public", "expr": [{"jump": {"target": "filter_FWDO_public_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_public", "expr": [{"jump": {"target": "filter_FWDO_public_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_public", "expr": [{"jump": {"target": "filter_FWDO_public_post"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_OUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "ens3"}}, {"goto": {"target": "filter_FWDO_public"}}]}}}]}
Error: INVALID_IPSET: ipset type '' not usable

If I can't add ip, port and net at once, could someone tell me how I could add country codes as well as single IP addresses to blacklist or blocklist? TIA!
On Thu, Nov 19, 2020 at 06:44:33PM +0000, Steve Frazier wrote:
> I want to add a "blacklist" or "blocklist" that would allow me to add country codes (cn.zone for example) and also be able to add individual IP addresses. I tried:
>
> firewall-cmd --permanent --new-ipset=blacklist --type=hash:ip,port,net --option=family=inet --option=hashsize=4096 --option=maxelem=200000
> firewall-cmd --reload
>
> This did not give me an error until I tried to add cn.zone:
>
> firewall-cmd --permanent --ipset=blacklist --add-entries-from-file=/root/install/country-codes/ipv4/cn.zone

The country zone files should be one entry per line in CIDR notation, e.g. "1.2.3.0/24". So an ipset of type "hash:net" is what you want.

Try creating your ipset with the "hash:net" type:

# firewall-cmd --permanent --new-ipset=blacklist --type=hash:net --option=family=inet --option=hashsize=4096 --option=maxelem=200000

Then add your entries:

# firewall-cmd --permanent --ipset=blacklist --add-entries-from-file=/root/install/country-codes/ipv4/cn.zone