LinuxQuestions.org
Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Old 10-04-2017, 09:27 AM   #1
taylorkh
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
firewalld - this should be simple (it would be nice if it worked)


I have a CentOS 7.4 machine with the firewall as installed. I verified that I could connect by ssh from another computer on my LAN. As an experiment with the gui firewall tool I did the following:

1 - removed ssh from the external zone (permanent)
2 - reloaded the firewall - ssh appeared unchecked
3 - changed the active WiFi connection to the external zone (permanent)
4 - reloaded the firewall - the connection showed being in the external zone

I can still connect to the machine with ssh. If firewalld is doing its job it would seem to me that ssh connections should no longer be allowed. Am I missing something?

TIA,

Ken

p.s. It gets better... I connected to the machine with ssh - which the firewall SHOULD be preventing. I then issued a sudo reboot. When the machine came back up, NOW I am prevented from connecting with ssh. It looks like reload firewall is NOT reloading one of the changes.

Last edited by taylorkh; 10-04-2017 at 09:33 AM.
 
Old 10-04-2017, 10:14 AM   #2
MensaWater
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
For reload did you run "systemctl reload firewalld"?

You can bounce firewalld without rebooting with:
systemctl restart firewalld
 
Old 10-04-2017, 12:24 PM   #3
taylorkh
Original Poster
Thanks MensaWater,

I used the Options; Reload firewall from the menu on the gui tool. I have done a little more testing and I think I see the issue.

- enable ssh in external zone (permanent)
- reload firewall

I can now connect.

- disable ssh in external zone (permanent)
- reload firewall

I can not connect.

- change the WiFi connection to the public zone (which has ssh enabled) (permanent)
- reload firewall

I can NOT connect.

- disconnect and reconnect the WiFi connection

I can connect.

Looks like cycling the network connection after changing its zone was the trick. This of course happened on the reboot.


Ken
 
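The sequence in the post above is really a runtime-versus-permanent drift problem: the GUI writes the zone assignment into the permanent configuration, but the interface keeps its old runtime zone until NetworkManager re-binds the connection. Rather than trusting the GUI's checkbox, a practitioner wants to query the live state. The script below is an added example (not from the original post or from the firewalld project) that parses `firewall-cmd --get-active-zones` style text and the per-zone service list to report whether an interface is actually in the intended zone and whether ssh is reachable through it. The interface name wlp3s0, the source range 192.0.2.0/24, and the sample outputs are constructed to mirror the thread's state (permanent config says external with ssh removed; runtime still has the WiFi interface in public).

```shell
#!/bin/sh
# Added example: audit firewalld's effective (runtime) state instead of trusting
# the permanent configuration shown by the GUI. All inputs below are constructed.

# Constructed output of `firewall-cmd --get-active-zones` right after a reload:
# the interface (assumed name wlp3s0) is still live in "public" even though the
# permanent config moved it to "external".
ACTIVE_ZONES='public
  interfaces: wlp3s0
external
  sources: 192.0.2.0/24'

# Constructed output of `firewall-cmd --zone=<ZONE> --list-services` per zone
# (CentOS 7 defaults for public; ssh already removed from external).
services_of_zone() {
  case "$1" in
    public)   echo "dhcpv6-client ssh" ;;
    external) echo "" ;;
    *)        echo "" ;;
  esac
}

# zone_of_iface IFACE : read --get-active-zones text on stdin and print the
# zone whose "interfaces:" line lists IFACE; prints nothing if the interface
# is not active in any zone.
zone_of_iface() {
  awk -v ifc="$1" '
    /^[^ ]/ { zone = $1; next }
    /^ +interfaces:/ {
      for (i = 2; i <= NF; i++) if ($i == ifc) { print zone; exit }
    }'
}

# service_allowed ZONE SERVICE : exit 0 if SERVICE is listed for ZONE.
service_allowed() {
  case " $(services_of_zone "$1") " in
    *" $2 "*) return 0 ;;
    *)        return 1 ;;
  esac
}

# check_drift IFACE INTENDED_ZONE SERVICE : compare what was configured with
# what is live. Prints a verdict; exits 0 when the live zone matches the
# intended one, 1 when the interface has not picked up the new zone yet.
check_drift() {
  iface=$1; intended=$2; svc=$3
  effective=$(printf '%s\n' "$ACTIVE_ZONES" | zone_of_iface "$iface")
  [ -n "$effective" ] || effective="(not active)"
  if [ "$effective" != "$intended" ]; then
    echo "DRIFT: $iface is live in '$effective', not '$intended'; cycle the connection and re-check"
    return 1
  fi
  if service_allowed "$effective" "$svc"; then
    echo "OK: $iface in '$effective', $svc allowed"
  else
    echo "OK: $iface in '$effective', $svc blocked"
  fi
  return 0
}

# On a live host, replace the constructed data with the real commands:
#   ACTIVE_ZONES=$(firewall-cmd --get-active-zones)
#   services_of_zone() { firewall-cmd --zone="$1" --list-services; }
#   check_drift wlp3s0 external ssh
```

With the constructed state, `check_drift wlp3s0 external ssh` reports DRIFT because the interface is still in public, which is exactly why ssh kept working in the post. After the connection is cycled (`nmcli connection down <name>` then `nmcli connection up <name>`, or a reboot) `firewall-cmd --get-active-zones` would list the interface under external and the same check would report ssh blocked. Setting the zone with `nmcli connection modify <name> connection.zone external` and then bringing the connection up avoids the GUI round-trip entirely.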
Old 10-04-2017, 12:45 PM   #4
MensaWater
You might want to have a look at this blog post about relationship between firewalld zones and interfaces.
 
Old 10-04-2017, 02:19 PM   #5
taylorkh
Original Poster
Thanks again. Very interesting
 
Old 10-07-2017, 06:53 AM   #6
taylorkh
Original Poster
Just a quick update to MensaWater's post about interfaces not staying in their assigned zones after a reboot. Based on my limited experimenting so far it seems that this has been fixed in CentOS 7.4. I changed the incoming (from the Internet) interface to the "drop" zone on a couple of PCs and the change has survived reboots and shutdown/restart cycles.

Ken
 