LinuxQuestions.org
Old 02-18-2017, 10:54 PM   #1
Reksio
Member
 
Registered: Mar 2016
Location: 127.0.0.1
Distribution: Fedora, CentOS, RHEL
Posts: 34

Rep: Reputation: Disabled
Firewalld timeout and failure on Fedora 25


Hi all,

I'm using Fedora 25 Workstation and just recently started to read on firewalld and iptables to learn how to properly set it up. The problem I experience is:
When I input
Code:
firewall-cmd --state
it tells me that it is running but every time I input
Code:
sudo systemctl start firewalld
it responds with:

Job for firewalld.service failed because a timeout was exceeded.
See "systemctl status firewalld.service" and "journalctl -xe" for details.

So I ran
Code:
sudo systemctl status firewalld.service
and I got this in response:

● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: failed (Result: timeout) since Sat 2017-02-18 19:36:21 PST; 34min ago
Docs: man:firewalld(1)
Process: 9677 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUC
Main PID: 9677 (code=exited, status=0/SUCCESS)

Feb 18 19:34:49 Reksio systemd[1]: Starting firewalld - dynamic firewall daemon...
Feb 18 19:36:19 Reksio systemd[1]: firewalld.service: Start operation timed out. Terminating.
Feb 18 19:36:21 Reksio systemd[1]: Failed to start firewalld - dynamic firewall daemon.
Feb 18 19:36:21 Reksio systemd[1]: firewalld.service: Unit entered failed state.
Feb 18 19:36:21 Reksio systemd[1]: firewalld.service: Failed with result 'timeout'.


Someone told me to run
Code:
sudo /usr/sbin/firewalld --nofork --nopid --debug 10
and it seems like it cannot go through:

DEBUG1: config.GetAll('org.fedoraproject.FirewallD1.config')


If anyone has any idea what's the problem and how to resolve it, I'd be super happy to hear you out. I couldn't find any solution for it on the internet, although people seem to have many other problems with firewalld.
If anything, are you using firewalld or iptables (or something else)?


Thanks!
 
Old 02-19-2017, 03:55 AM   #2
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 19,587

Rep: Reputation: 3507
If it's running, why are you attempting to start it?
 
Old 02-19-2017, 04:27 AM   #3
Reksio
Member
 
Registered: Mar 2016
Location: 127.0.0.1
Distribution: Fedora, CentOS, RHEL
Posts: 34

Original Poster
Rep: Reputation: Disabled
Well, please correct me if I'm wrong, but when I do
Code:
sudo systemctl status firewalld.service
and I get the response as mentioned above with "Active: failed (Result: timeout)", doesn't it mean that the firewall actually fails to run? That's why I was trying to start it.
 
Old 02-19-2017, 09:01 PM   #4
Doug G
Member
 
Registered: Jul 2013
Posts: 749

Rep: Reputation: Disabled
systemctl status firewalld should return active: (running)..., at least it does on all my Fedora 25 machines (3).

Perhaps you have some network problem causing the firewall to fail to start? Just guessing.
 
Old 02-20-2017, 06:28 AM   #5
Jjanel
Member
 
Registered: Jun 2016
Distribution: any&all, in VBox; Ol'UnixCLI; NO GUI resources
Posts: 999
Blog Entries: 12

Rep: Reputation: 363
I'm interested in -learning- about all this too. I tried:
# /usr/sbin/firewalld --nofork --nopid --debug 10 >zzz 2>&1 &
but it 'killed' my CentOS7 (hung terminal & can't login) (note I added >...&)

There's a 'pile' of web-search results, for some of your messages, like:
http://reddit.com/r/sysadmin/comment...d_and_iptables
but I didn't pinpoint anything (that I understood, anyway).

Two thoughts on how to proceed: dig thru those web-search results, to post info from
additional 'debug info' commands, which might hopefully uncover more 'clues',
and/or: provide a 'cookbook/exact' way for others to reproduce this situation.
(this is similar to 'bug reports', where they ask for -all- 'necessary' info/steps
to -reproduce- the problem; then, it's easily resolved!)

Best wishes... looking forward to more on this (and advice from LQgurus).
 
Old 02-20-2017, 07:01 AM   #6
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Rep: Reputation: 217
Just to check, you haven't installed the iptables.service package? That will conflict with firewalld if you have.
 
Old 02-20-2017, 02:57 PM   #7
Reksio
Member
 
Registered: Mar 2016
Location: 127.0.0.1
Distribution: Fedora, CentOS, RHEL
Posts: 34

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Jjanel View Post
There's a 'pile' of web-search results, for some of your messages, like:
http://reddit.com/r/sysadmin/comment...d_and_iptables
but I didn't pinpoint anything (that I understood, anyway).

Thanks for the link. I tried following some of their ideas, and I did what user R3D3MPT1ON said:

Code:
$ systemctl unmask iptables
$ systemctl enable iptables
$ systemctl start iptables
I also tried to unmask and enable firewalld in case I accidentally disabled it at some point, but when I write

Code:
systemctl start firewalld
I still see the same thing:

Job for firewalld.service failed because a timeout was exceeded.
See "systemctl status firewalld.service" and "journalctl -xe" for details.

And "firewalld.service" status still points to a failure due to a timeout.


Quote:
Originally Posted by Jjanel View Post
Two thoughts on how to proceed: dig thru those web-search results, to post info from
additional 'debug info' commands, which might hopefully uncover more 'clues',
and/or: provide a 'cookbook/exact' way for others to reproduce this situation.
(this is similar to 'bug reports', where they ask for -all- 'necessary' info/steps
to -reproduce- the problem; then, it's easily resolved!)

I am going through some of the web searches and it seems some people have a problem that firewalld's debug freezes at "cockpit", but so far I did not find anything that could resolve my issue. And sure, I can post an exact way of what I did if that's going to help.



Quote:
Originally Posted by r3sistance View Post
just to check, you haven't installed the iptables.service package? That will conflict with firewalld if you have.

I went through my bash history and yes, I did install iptables.service. But, I just uninstalled iptables-services to try and start firewalld without iptables.services, and I still have the same message: "Job for firewalld.service failed because a timeout was exceeded"
 
Old 02-20-2017, 03:29 PM   #8
Reksio
Member
 
Registered: Mar 2016
Location: 127.0.0.1
Distribution: Fedora, CentOS, RHEL
Posts: 34

Original Poster
Rep: Reputation: Disabled
r3sistance, thank you so much for your comment! I overreacted a bit and input
Code:
sudo dnf remove iptables
I'm sure this is not exactly a smart thing to do, as it removed 159 packages... but I manually reinstalled most of them, leaving only iptables-services out and now when I say

Code:
sudo systemctl enable firewalld.service
sudo systemctl start firewalld.service
sudo systemctl status firewalld.service
It actually says

● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor pr
Active: active (running) since Mon 2017-02-20 13:20:04 PST; 2min 32s ago
Docs: man:firewalld(1)
Main PID: 907 (firewalld)
CGroup: /system.slice/firewalld.service
└─907 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid

Feb 20 13:20:03 Reksio systemd[1]: Starting firewalld - dynamic firewall daemon.
Feb 20 13:20:04 Reksio systemd[1]: Started firewalld - dynamic firewall daemon.


So I think I not only installed iptables-services but also when I removed them I did something wrong and they were still interrupting firewalld.
Thanks again

Last edited by Reksio; 02-20-2017 at 03:31 PM. Reason: The green color is just hard to read, removing the color to make it easier
 
Old 02-20-2017, 03:30 PM   #9
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Rep: Reputation: 217
Did you check if the service was running before you uninstalled it? I am not sure if uninstalling it actually stops the service and so you may want to check systemctl to see if it still appears.

I am not familiar with DNF but as a branch of yum, there is always the history rollback option if you want to make sure you get everything back. Unless you used that already, that is also a command to be careful with tho.

Last edited by r3sistance; 02-20-2017 at 03:37 PM.
 
Old 02-20-2017, 03:44 PM   #10
Reksio
Member
 
Registered: Mar 2016
Location: 127.0.0.1
Distribution: Fedora, CentOS, RHEL
Posts: 34

Original Poster
Rep: Reputation: Disabled
Quote:
Did you check if the service was running before you uninstalled it? I am not sure if uninstalling it actually stops the service and so you may want to check systemctl to see if it still appears.

Unless something changed since yesterday, it was running but I didn't check it today. And I would expect it to stop running after being uninstalled... but I'm not sure to be honest.
 
Old 02-20-2017, 03:47 PM   #11
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Rep: Reputation: 217
Quote:
Originally Posted by Reksio View Post
Unless something changed since yesterday, it was running but I didn't check it today. And I would expect it to stop running after being uninstalled... but I'm not sure to be honest

Well if you got firewalld running now, then it isn't as they'd conflict over trying to control the same kernel module.
 
Old 02-20-2017, 03:58 PM   #12
Reksio
Member
 
Registered: Mar 2016
Location: 127.0.0.1
Distribution: Fedora, CentOS, RHEL
Posts: 34

Original Poster
Rep: Reputation: Disabled
Well now firewalld is running but iptables-services is not installed and when I'm trying to check the status
Code:
 systemctl status iptables.service
It tells me that: "Unit iptables.service could not be found."
So my guess is they were conflicting before but now iptables.service is not running anymore
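
The check discussed in posts #6 to #12 (is a legacy iptables unit still active next to firewalld, possibly even after its package was removed), as an added example that is not part of the thread: a shell filter over the output of `systemctl list-units --all --plain --no-legend`. The list of legacy unit names, the function name and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): spot legacy netfilter services that are
# still active next to firewalld. Input lines use the column layout of
#   systemctl list-units --all --plain --no-legend
# i.e. "UNIT LOAD ACTIVE SUB DESCRIPTION...".

# Assumption: these are the units treated as competing with firewalld.
LEGACY_UNITS="iptables.service ip6tables.service ebtables.service"

# Read list-units lines on stdin; print one finding per problem unit.
firewall_findings() {
    awk -v units="$LEGACY_UNITS" '
        BEGIN { n = split(units, u, " "); for (i = 1; i <= n; i++) legacy[u[i]] = 1 }
        # A legacy unit that is active (or starting) has loaded its own rules.
        ($1 in legacy) && ($3 == "active" || $3 == "activating") {
            # LOAD "not-found": the unit file is gone (package removed) but
            # systemd still reports the unit as active.
            note = ($2 == "not-found") ? "stale,package-removed" : "installed"
            print "CONFLICT " $1 " " $3 "/" $4 " " note
        }
        # Report firewalld itself when it is anything other than active.
        $1 == "firewalld.service" && $3 != "active" {
            print "FIREWALLD " $3 "/" $4
        }
    '
}

# Constructed sample input (not output captured from the thread).
SAMPLE='firewalld.service loaded failed failed firewalld - dynamic firewall daemon
iptables.service not-found active exited iptables.service
ip6tables.service loaded inactive dead IPv6 firewall with ip6tables
sshd.service loaded active running OpenSSH server daemon'

printf '%s\n' "$SAMPLE" | firewall_findings

# Live use on a systemd host (run manually):
#   systemctl list-units --all --plain --no-legend | firewall_findings
```

An empty result means no legacy unit from the list is active and firewalld is running; a `CONFLICT` line names the unit to stop (and, if it is still installed, disable or mask) before starting firewalld again.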
 
  

