(In reply to Markos Chandras from comment #11)
> I just noticed that you are using ipv6 to connect to iscsi target and the
> iptables rules we are looking at are just for ipv4. Any chance you paste the
> ip6tables -L -v output?

I haven't configured any ipv6 rules:

-->
kvm133:~ # ip6tables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
--<

> Could the IPv6_rpfilter=yes option in firewalld.conf possibly affect your
> system?
>
> I also see the following warning
>
> bridge: filtering via arp/ip/ip6tables is no longer available by default.
> Update your scripts to load br_netfilter if you need this.
>
> maybe worth checking that your initrd loads this module?

Ah, looks like you are on the right track.
I've enabled LogDenied logging and found this when starting firewalld:

-->
Okt 02 16:05:30 kvm133 kernel: rpfilter_DROP: IN=ibft0 OUT= MAC=52:54:00:be:37:42:00:08:02:ed:8f:15:86:dd SRC=2620:0113:80c0:8000:0010:0161:0063:0045 DST=2620:0113:80c0:8080:0010:0160:0068:0246 LEN=120 TC=0 HOPLIMIT=64 FLOWLBL=222566 PROTO=TCP SPT=3260 DPT=57784 WINDOW=5183 RES=0x00 ACK PSH URGP=0
Okt 02 16:05:30 kvm133 kernel: rpfilter_DROP: IN=ibft0 OUT= MAC=52:54:00:be:37:42:00:08:02:ed:8f:15:86:dd SRC=2620:0113:80c0:8000:0010:0161:0063:0045 DST=2620:0113:80c0:8080:0010:0160:0068:0246 LEN=84 TC=0 HOPLIMIT=64 FLOWLBL=222566 PROTO=TCP SPT=3260 DPT=57784 WINDOW=5183 RES=0x00 ACK URGP=0
Okt 02 16:05:31 kvm133 kernel: rpfilter_DROP: IN=ibft0 OUT= MAC=52:54:00:be:37:42:00:08:02:ed:8f:15:86:dd SRC=2620:0113:80c0:8000:0010:0161:0063:0045 DST=2620:0113:80c0:8080:0010:0160:0068:0246 LEN=120 TC=0 HOPLIMIT=64 FLOWLBL=150315 PROTO=TCP SPT=3260 DPT=57784 WINDOW=5183 RES=0x00 ACK PSH URGP=0
Okt 02 16:05:31 kvm133 kernel: rpfilter_DROP: IN=ibft0 OUT= MAC=52:54:00:be:37:42:00:08:02:ed:8f:15:86:dd SRC=2620:0113:80c0:8000:0010:0161:0063:0045 DST=2620:0113:80c0:8080:0010:0160:0068:0246 LEN=84 TC=0 HOPLIMIT=64 FLOWLBL=150315 PROTO=TCP SPT=3260 DPT=57784 WINDOW=5183 RES=0x00 ACK URGP=0
Okt 02 16:05:31 kvm133 kernel: FINAL_REJECT: IN=ibft1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0c:42:8a:0e:05:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Okt 02 16:05:32 kvm133 kernel: rpfilter_DROP: IN=ibft0 OUT= MAC=52:54:00:be:37:42:00:08:02:ed:8f:15:86:dd SRC=2620:0113:80c0:8000:0010:0161:0063:0045 DST=2620:0113:80c0:8080:0010:0160:0068:0246 LEN=120 TC=0 HOPLIMIT=64 FLOWLBL=1017940 PROTO=TCP SPT=3260 DPT=57784 WINDOW=5183 RES=0x00 ACK PSH URGP=0
Okt 02 16:05:33 kvm133 kernel: FINAL_REJECT: IN=ibft1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0c:42:8a:0e:05:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Okt 02 16:05:33 kvm133 kernel: rpfilter_DROP: IN=ibft0 OUT= MAC=52:54:00:be:37:42:00:08:02:ed:8f:15:86:dd SRC=2620:0113:80c0:8000:0010:0161:0063:0045 DST=2620:0113:80c0:8080:0010:0160:0068:0246 LEN=84 TC=0 HOPLIMIT=64 FLOWLBL=1017940 PROTO=TCP SPT=3260 DPT=57784 WINDOW=5183 RES=0x00 ACK URGP=0
Okt 02 16:05:35 kvm133 kernel: FINAL_REJECT: IN=ibft1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0f:b7:11:14:77:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
Okt 02 16:05:36 kvm133 kernel: FINAL_REJECT: IN=ibft1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0f:b7:11:18:64:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
--<

So, it is obviously rpfilter that drops it.
But if I change the rpfilter setting:

-->
kvm133:~ # grep IPv6_rpfilter /etc/firewalld/firewalld.conf
# IPv6_rpfilter
IPv6_rpfilter=no
--<

I get nasty error messages at firewalld start:

-->
Okt 02 16:11:16 kvm133 firewalld[3923]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore: line 2 failed
Okt 02 16:11:16 kvm133 firewalld[3923]: ERROR: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore: line 2 failed
Okt 02 16:11:16 kvm133 firewalld[3923]: ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
Okt 02 16:11:16 kvm133 firewalld[3923]: ERROR: '/usr/sbin/ebtables -t broute -N BROUTING_direct -P RETURN' failed: Chain BROUTING_direct already exists.
Okt 02 16:11:16 kvm133 audit: NETFILTER_CFG table=filter family=7 entries=2
Okt 02 16:11:16 kvm133 firewalld[3923]: ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
Okt 02 16:11:16 kvm133 firewalld[3923]: ERROR: '/usr/sbin/ebtables -t filter -X FORWARD_direct -P RETURN' failed: No extra options allowed with -X.
Okt 02 16:11:16 kvm133 firewalld[3923]: ERROR: COMMAND_FAILED: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore: line 2 failed
--<

and the session from where I've started firewalld freezes.
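
To see at a glance which log prefix is dropping which flow in LogDenied output like the one in this comment, the kernel lines can be grouped by prefix, input interface, address family and ports. This is an added example, not part of the original comment or of firewalld; the function names are made up for illustration, and the sample lines are copied from the log above.

```python
import re
from collections import Counter

# Sample lines copied from the LogDenied output in the comment above.
SAMPLE_LOG = """\
Okt 02 16:05:30 kvm133 kernel: rpfilter_DROP: IN=ibft0 OUT= MAC=52:54:00:be:37:42:00:08:02:ed:8f:15:86:dd SRC=2620:0113:80c0:8000:0010:0161:0063:0045 DST=2620:0113:80c0:8080:0010:0160:0068:0246 LEN=120 TC=0 HOPLIMIT=64 FLOWLBL=222566 PROTO=TCP SPT=3260 DPT=57784 WINDOW=5183 RES=0x00 ACK PSH URGP=0
Okt 02 16:05:30 kvm133 kernel: rpfilter_DROP: IN=ibft0 OUT= MAC=52:54:00:be:37:42:00:08:02:ed:8f:15:86:dd SRC=2620:0113:80c0:8000:0010:0161:0063:0045 DST=2620:0113:80c0:8080:0010:0160:0068:0246 LEN=84 TC=0 HOPLIMIT=64 FLOWLBL=222566 PROTO=TCP SPT=3260 DPT=57784 WINDOW=5183 RES=0x00 ACK URGP=0
Okt 02 16:05:31 kvm133 kernel: FINAL_REJECT: IN=ibft1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0c:42:8a:0e:05:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
"""

# "<log prefix>: IN=..." as written by the netfilter LOG target
LINE_RE = re.compile(r"kernel: (?P<prefix>\w+): (?P<fields>IN=.*)$")
ETHERTYPES = {"08:00": "IPv4", "86:dd": "IPv6"}


def parse_line(line):
    """Return a dict of the KEY=VALUE fields of one log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix"), "flags": []}
    for tok in m.group("fields").split():
        key, sep, val = tok.partition("=")
        if not sep:
            rec["flags"].append(key)      # bare tokens are TCP flags (ACK, PSH, ...)
        else:
            rec.setdefault(key, val)      # keep the first LEN (IP); UDP repeats LEN
    # MAC= is dst MAC + src MAC + EtherType; the last two octets give the family
    rec["family"] = ETHERTYPES.get(rec.get("MAC", "")[-5:], "unknown")
    return rec


def summarize(log_text):
    """Count denied packets per (prefix, in-iface, family, proto, sport, dport)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["prefix"], rec.get("IN"), rec["family"],
                    rec.get("PROTO"), rec.get("SPT"), rec.get("DPT"))] += 1
    return counts


def rpfilter_drops(log_text):
    """Only the flows dropped under the rpfilter_DROP prefix."""
    return {k: n for k, n in summarize(log_text).items() if k[0] == "rpfilter_DROP"}


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```
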