Fedora 25 Workstation: Opened firewalld, can’t ssh in

I installed Fedora 25 (Workstation) on one of my computers recently. This is my first experience with a RH-style distro — I’ve previously only used Debian-based systems, and on those systems I used ufw to configure my firewall. I am at a complete loss to explain why I can’t get firewalld to work.

I am trying to only allow access to the following ports for incoming connection: 22/tcp (SSH), 3306/tcp (mysql)

I set the default zone as public and manually set my network interface to the public zone. I added SSH and mysql services to the public zone, which should have effected the changes in the runtime firewall, but no luck. My computer is refusing all attempts to make an SSH connection. nmap of my ip shows the following:

Nmap scan report for 192.168.1.241
Host is up (0.000014s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
111/tcp  open  rpcbind
3306/tcp open  mysql

I tried making the changes to the runtime firewall and I’ve tried making the settings permanent. Neither one has yielded any change in the open ports. No matter what I do (including REMOVING mysql as an allowed service), nothing changes the output of an nmap scan. (Yes, I’m restarting firewalld after making permanent changes).

From what I understand, firewalld is simply a wrapper for iptables similar to ufw, however I’ve never run into an issue configuring a firewall with ufw. This has me at a loss. I appreciate any help you can offer. Thanks.

Output from some commands to show you my settings:

$ firewall-cmd --get-default-zone
public



$ firewall-cmd --get-zone-of-interface=enp0s25
public


$ cat /etc/firewalld/zones/public.xml 
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="mysql" />
</zone>


$ cat /usr/lib/firewalld/services/ssh.xml 
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
  <port protocol="tcp" port="22"/>
</service>


$ cat /usr/lib/firewalld/services/mysql.xml 
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>MySQL</short>
  <description>MySQL Database Server</description>
  <port protocol="tcp" port="3306"/>
</service>


$ cat /etc/sysconfig/network-scripts/ifcfg-enp0s25 
HWADDR=<removed>
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
BROADCAST=192.168.1.255
NETWORK=192.168.1.0
DNS1=8.8.8.8
DNS2=8.8.4.4
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=enp0s25
UUID=<removed>
ONBOOT=yes
AUTOCONNECT_PRIORITY=-999
ZONE=public
IPADDR=192.168.1.241
PREFIX=24
GATEWAY=192.168.1.1
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes


$ iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N FORWARD_IN_ZONES
-N FORWARD_IN_ZONES_SOURCE
-N FORWARD_OUT_ZONES
-N FORWARD_OUT_ZONES_SOURCE
-N FORWARD_direct
-N FWDI_public
-N FWDI_public_allow
-N FWDI_public_deny
-N FWDI_public_log
-N FWDO_public
-N FWDO_public_allow
-N FWDO_public_deny
-N FWDO_public_log
-N INPUT_ZONES
-N INPUT_ZONES_SOURCE
-N INPUT_direct
-N IN_public
-N IN_public_allow
-N IN_public_deny
-N IN_public_log
-N OUTPUT_direct
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i enp0s25 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o enp0s25 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -i enp0s25 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 3306 -m conntrack --ctstate NEW -j ACCEPT

Related:

firewalld service is running, but firewall-cmd doesn’t work

I am new to Centos 7/Server management. I am trying to figure out how to work with firewalld. my kernel release is: 2.6.32-042stab084.20(OpenVZ)

And:

#firewall-cmd --version
#0.3.9

The problem is I can’t get any functionality out of firewall-cmd. Here is some of commands I have tried:

# systemctl status firewalld -l
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
Active: active (running) since ...; 
Main PID: 120
CGroup: /system.slice/firewalld.service
       └─120 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

systemd[1]: Starting firewalld - dynamic firewall daemon...
systemd[1]: Started firewalld - dynamic firewall daemon.
firewalld[120]: ERROR: ebtables not usable, disabling ethernet bridge firewall.
firewalld[120]: ERROR: INVALID_ZONE

It seems that firewalld is running, and actually it is doing its job as a firewall. but when I try to use firewall-cmd:

# firewall-cmd --state
not running
#firewall-cmd --get-zones
#[nothing happens]
#firewall-cmd --reload
[X]Server crashed and I had to request a reboot!

I have installed fail2ban and it works by adding IPs to banned list which I can view by: iptables -L -n.

# iptables -V
#iptables v1.4.21

    # iptables -nvL
    Chain INPUT (policy ACCEPT 798 packets, 89141 bytes)
 pkts bytes target     prot opt in     out     source               destination
76260   14M f2b-SSH    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
69823   14M f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 725 packets, 113K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_ZONES (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_ZONES_SOURCE (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_direct (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain f2b-SSH (1 references)
pkts bytes target     prot opt in     out     source               destination
       17  1060 REJECT     all  --  *      *       111.222.333.444      0.0.0.0/0            reject-with icmp-port-unreachable
    ...
    ...

But now I want to open a specific port for an application and I can’t use firewall-cmd. So what can I do?

  • P.S: The reason I changed my firewall client to firewalld and disabled iptables service was that fail2ban didn’t work with iptables. It just sat there and did nothing.But that’s another problem!

Related:

centOS 7 firewallD remove direct rule

After upgrading the system from 6.5 to 7, I started learning implementing dynamic firewall, however, I made a mistake to add the following rule

firewall-cmd –permanent –direct –add-rule ipv4 filter OUTPUT 1 -j
DROP

which cause the machine drop all the output to outside,

I tried to use

firewall-cmd –permanent –direct –remove-rule ipv4 filter OUTPUT 1 -j
DROP

to welcome everyone back.

However, after

firewall-cmd –reload

and

firewall-cmd –direct –get-all-rules

, I find this rule come back again automatically .

I even tried

firewall-cmd –complete-reload

but no effect.

What can I do now?

Related:

Allowing passive FTP connections in FirewallD (CentOS 7)

In CentOS 7 which comes with FirewallD, enabling HTTP access was easy:

firewall-cmd --permanent --zone=public --add-service=http

However,

firewall-cmd --permanent --zone=public --add-service=ftp

doesn’t work: the rule applies, but I can’t access FTP by any means except disabling FirewallD.

Some diagnostic info:

  • I have checked the service definition file (ftp.xml) and it makes use of nf_conntrack_ftp module.
  • On my VPS the module is compiled into kernel (not separate) so it’s not there via lsmod, but I can confirm it’s there by this:

zgrep FTP /proc/config.gz

CONFIG_NF_CONNTRACK_FTP=y
CONFIG_NF_CONNTRACK_TFTP=y
CONFIG_NF_NAT_FTP=y
CONFIG_NF_NAT_TFTP=y

Related: