LinuxQuestions.org


Reksio 02-18-2017 10:54 PM

Firewalld timeout and failure on Fedora 25
 
Hi all,

I'm using Fedora 25 Workstation and just recently started to read on firewalld and iptables to learn how to properly set it up. The problem I experience is:
When I input
Code:

firewall-cmd --state
it tells me that it is running but every time I input
Code:

sudo systemctl start firewalld
it responds with:

Job for firewalld.service failed because a timeout was exceeded.
See "systemctl status firewalld.service" and "journalctl -xe" for details.

So I ran
Code:

sudo systemctl status firewalld.service
and I got this in response:

● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: failed (Result: timeout) since Sat 2017-02-18 19:36:21 PST; 34min ago
Docs: man:firewalld(1)
Process: 9677 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUC
Main PID: 9677 (code=exited, status=0/SUCCESS)

Feb 18 19:34:49 Reksio systemd[1]: Starting firewalld - dynamic firewall daemon...
Feb 18 19:36:19 Reksio systemd[1]: firewalld.service: Start operation timed out. Terminating.
Feb 18 19:36:21 Reksio systemd[1]: Failed to start firewalld - dynamic firewall daemon.
Feb 18 19:36:21 Reksio systemd[1]: firewalld.service: Unit entered failed state.
Feb 18 19:36:21 Reksio systemd[1]: firewalld.service: Failed with result 'timeout'.


Someone told me to run
Code:

sudo /usr/sbin/firewalld --nofork --nopid --debug 10
and it seems like it cannot go through:

DEBUG1: config.GetAll('org.fedoraproject.FirewallD1.config')


If anyone has any idea what's the problem and how to resolve it, I'd be super happy to hear you out. I couldn't find any solution for it on the internet, although people seem to have many other problems with firewalld.
If anything, are you using firewalld or iptables (or something else)?


Thanks!

syg00 02-19-2017 03:55 AM

If it's running, why are you attempting to start it?

Reksio 02-19-2017 04:27 AM

Well, please correct me if I'm wrong, but when I do
Code:

sudo systemctl status firewalld.service
and I get the response as mentioned above with "Active: failed (Result: timeout)", doesn't it mean that the firewall actually fails to run? That's why I was trying to start it.

Doug G 02-19-2017 09:01 PM

systemctl status firewalld should return active: (running)..., at least it does on all my Fedora 25 machines (3).

Perhaps you have some network problem causing the firewall to fail to start? Just guessing.

Jjanel 02-20-2017 06:28 AM

I'm interested in -learning- about all this too. I tried:
# /usr/sbin/firewalld --nofork --nopid --debug 10 >zzz 2>&1 &
but it 'killed' my CentOS7 (hung terminal & can't login) (note I added >...&)

There's a 'pile' of web-search results, for some of your messages, like:
http://reddit.com/r/sysadmin/comment...d_and_iptables
but I didn't pinpoint anything (that I understood, anyway).

Two thoughts on how to proceed: dig thru those web-search results, to post info from
additional 'debug info' commands, which might hopefully uncover more 'clues',
and/or: provide a 'cookbook/exact' way for others to reproduce this situation.
(this is similar to 'bug reports', where they ask for -all- 'necessary' info/steps
to -reproduce- the problem; then, it's easily resolved!)

Best wishes...looking forward to more on this (and advice from LQgurus;) ).

r3sistance 02-20-2017 07:01 AM

just to check, you haven't installed the iptables.service package? That will conflict with firewalld if you have.

Reksio 02-20-2017 02:57 PM

Quote:

Originally Posted by Jjanel (Post 5673445)
There's a 'pile' of web-search results, for some of your messages, like:
http://reddit.com/r/sysadmin/comment...d_and_iptables
but I didn't pinpoint anything (that I understood, anyway).

Thanks for the link. I tried following some of their ideas, and I did what user R3D3MPT1ON said:

Code:

$ systemctl unmask iptables
$ systemctl enable iptables
$ systemctl start iptables
I also tried to unmask and enable firewalld in case I accidentally disabled it at some point, but when I write

Code:

systemctl start firewalld
I still see the same thing:

Job for firewalld.service failed because a timeout was exceeded.
See "systemctl status firewalld.service" and "journalctl -xe" for details.

And "firewalld.service" status still points to a failure due to a timeout.


Quote:

Originally Posted by Jjanel (Post 5673445)
Two thoughts on how to proceed: dig thru those web-search results, to post info from
additional 'debug info' commands, which might hopefully uncover more 'clues',
and/or: provide a 'cookbook/exact' way for others to reproduce this situation.
(this is similar to 'bug reports', where they ask for -all- 'necessary' info/steps
to -reproduce- the problem; then, it's easily resolved!)

I am going through some of the web searches and it seems some people have a problem that firewalld's debug freezes at "cockpit" but so far I did not find anything that could resolve my issue. And sure, I can post an exact way of what I did if that's going to help



Quote:

Originally Posted by r3sistance (Post 5673453)
just to check, you haven't installed the iptables.service package? That will conflict with firewalld if you have.

I went through my bash history and yes, I did install iptables.service. But, I just uninstalled iptables-services to try and start firewalld without iptables.services, and I still have the same message: "Job for firewalld.service failed because a timeout was exceeded"

Reksio 02-20-2017 03:29 PM

r3sistance, thank you so much for your comment! I overreacted a bit and input
Code:

sudo dnf remove iptables
I'm sure this is not exactly a smart thing to do, as it removed 159 packages... but I manually reinstalled most of them, leaving only iptables-services out and now when I say

Code:

sudo systemctl enable firewalld.service
sudo systemctl start firewalld.service
sudo systemctl status firewalld.service

It actually says

● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor pr
Active: active (running) since Mon 2017-02-20 13:20:04 PST; 2min 32s ago
Docs: man:firewalld(1)
Main PID: 907 (firewalld)
CGroup: /system.slice/firewalld.service
└─907 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid

Feb 20 13:20:03 Reksio systemd[1]: Starting firewalld - dynamic firewall daemon.
Feb 20 13:20:04 Reksio systemd[1]: Started firewalld - dynamic firewall daemon.


So I think I not only installed iptables-services but also when I removed them I did something wrong and they were still interrupting firewalld.
Thanks again

r3sistance 02-20-2017 03:30 PM

Did you check if the service was running before you uninstalled it? I am not sure if uninstalling it actually stops the service, and so you may need to check systemctl to see if it still appears.

I am not familiar with DNF but as a branch of yum, there is always the history rollback option if you want to make sure you get everything back. Unless you used that already, that is also a command to be careful with though.

Reksio 02-20-2017 03:44 PM

Quote:

Did you check if the service was running before you uninstalled it? I am not sure if uninstalling it actually stops the service, and so you may need to check systemctl to see if it still appears.
Unless something changed since yesterday, it was running but I didn't check it today. And I would expect it to stop running after being uninstalled... but I'm not sure to be honest

r3sistance 02-20-2017 03:47 PM

Quote:

Originally Posted by Reksio (Post 5673759)
Unless something changed since yesterday, it was running but I didn't check it today. And I would expect it to stop running after being uninstalled... but I'm not sure to be honest

Well, if you got firewalld running now, then it isn't, as they'd conflict over trying to control the same kernel module.

Reksio 02-20-2017 03:58 PM

Well now firewalld is running but iptables-services is not installed and when I'm trying to check the status
Code:

systemctl status iptables.service
It tells me that: "Unit iptables.service could not be found."
So my guess is they were conflicting before but now iptables.service is not running anymore
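
The conflict described in this thread (iptables.service installed and enabled alongside firewalld) can be checked for before starting firewalld. The script below is an added example, not part of any post in the thread; the unit list beyond iptables.service, the function names and the sample state lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Only iptables.service is named in the thread; the other
# two units in this list are assumptions.
CONFLICTING="iptables.service ip6tables.service ebtables.service"

# Print "<unit> <is-enabled state> <is-active state>" for firewalld and
# each candidate unit, using the running system's systemctl.
collect_states() {
    for u in firewalld.service $CONFLICTING; do
        en=$(systemctl is-enabled "$u" 2>/dev/null) || true
        ac=$(systemctl is-active "$u" 2>/dev/null) || true
        echo "$u ${en:-not-found} ${ac:-unknown}"
    done
}

# Read state lines on stdin and print every conflicting unit that is
# enabled, running or starting. Exit status is 1 if any was found.
find_conflicts() {
    awk -v list="$CONFLICTING" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        ($1 in bad) && ($2 == "enabled" || $3 == "active" || $3 == "activating") {
            printf "%s enabled=%s active=%s\n", $1, $2, $3
            hits++
        }
        END { exit (hits > 0) }
    '
}

# Constructed samples: the state the thread starts in, and the state after
# iptables-services was removed.
SAMPLE_BEFORE='firewalld.service enabled failed
iptables.service enabled active
ip6tables.service disabled inactive
ebtables.service not-found inactive'

SAMPLE_AFTER='firewalld.service enabled active
iptables.service not-found inactive
ip6tables.service not-found inactive
ebtables.service not-found inactive'

if [ "${1:-}" = "--live" ]; then
    collect_states | find_conflicts || echo "stop and disable the units listed above"
else
    printf '%s\n' "$SAMPLE_BEFORE" | find_conflicts || true
fi
```

Run with `--live` to query the local system instead of the constructed sample. Any unit it lists should be stopped and disabled, or its package removed as was done in the thread, before firewalld is started.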

