Comment # 8
on bug 1109302
from Thomas Blume
(In reply to Markos Chandras from comment #7)
> Could you post the iptables and nftables rules from that system? Also what
> is the default zone (firewall-cmd --get-default-zone). Wicked does not seem
> to do anything disrupting. If ibft0/1 managed by a wicked ifcfg file? If
> yes, what's the ZONE attribute in it?
Here you go:
-->
kvm133:~ # iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate
RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
INPUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with
icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate
RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_IN_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_OUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with
icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_direct (1 references)
target prot opt source destination
Chain FWDI_public (3 references)
target prot opt source destination
FWDI_public_log all -- 0.0.0.0/0 0.0.0.0/0
FWDI_public_deny all -- 0.0.0.0/0 0.0.0.0/0
FWDI_public_allow all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
Chain FWDI_public_allow (1 references)
target prot opt source destination
Chain FWDI_public_deny (1 references)
target prot opt source destination
Chain FWDI_public_log (1 references)
target prot opt source destination
Chain FWDO_public (3 references)
target prot opt source destination
FWDO_public_log all -- 0.0.0.0/0 0.0.0.0/0
FWDO_public_deny all -- 0.0.0.0/0 0.0.0.0/0
FWDO_public_allow all -- 0.0.0.0/0 0.0.0.0/0
Chain FWDO_public_allow (1 references)
target prot opt source destination
Chain FWDO_public_deny (1 references)
target prot opt source destination
Chain FWDO_public_log (1 references)
target prot opt source destination
Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
Chain INPUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain INPUT_direct (1 references)
target prot opt source destination
Chain IN_public (3 references)
target prot opt source destination
IN_public_log all -- 0.0.0.0/0 0.0.0.0/0
IN_public_deny all -- 0.0.0.0/0 0.0.0.0/0
IN_public_allow all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ctstate NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3260
ctstate NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:3260
ctstate NEW
Chain IN_public_deny (1 references)
target prot opt source destination
Chain IN_public_log (1 references)
target prot opt source destination
Chain OUTPUT_direct (1 references)
target prot opt source destination
--<
-->
kvm133:~ # nft list ruleset
kvm133:~ #
--<
-->
kvm133:~ # firewall-cmd --get-default-zone
public
--<
My network devices are:
-->
kvm133:~ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
group default qlen 1000
link/ether 52:54:00:97:81:9e brd ff:ff:ff:ff:ff:ff
inet 192.168.57.133/24 brd 192.168.57.255 scope global ens3
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fe97:819e/64 scope link
valid_lft forever preferred_lft forever
3: ibft0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
group default qlen 1000
link/ether 52:54:00:be:37:42 brd ff:ff:ff:ff:ff:ff
inet6 2620:113:80c0:8080:10:160:68:246/64 scope global dynamic
valid_lft 10363sec preferred_lft 10363sec
inet6 2620:113:80c0:8080:35a3:8667:afe0:652e/64 scope global temporary
dynamic
valid_lft 3234sec preferred_lft 1434sec
inet6 2620:113:80c0:8080:5054:ff:febe:3742/64 scope global dynamic
mngtmpaddr
valid_lft 3234sec preferred_lft 1434sec
inet6 fe80::5054:ff:febe:3742/64 scope link
valid_lft forever preferred_lft forever
4: ibft1: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group
default qlen 1000
link/ether 52:54:00:dd:ca:2c brd ff:ff:ff:ff:ff:ff
inet6 2620:113:80c0:8000:c::7ea/64 scope global dynamic
valid_lft 13963sec preferred_lft 8563sec
inet6 fe80::5054:ff:fedd:ca2c/64 scope link
valid_lft forever preferred_lft forever
--<
There are no config files for the ibft devices:
-->
kvm133:~ # ls -l /etc/sysconfig/network/
insgesamt 60
drwxr-xr-x 1 root root 60 18. Sep 14:47 bck
-rw-r--r-- 1 root root 9692 17. Sep 17:29 config
-rw-r--r-- 1 root root 13381 17. Sep 17:29 dhcp
-rw-r--r-- 1 root root 179 19. Sep 14:55 ifcfg-ens3
-rw------- 1 root root 147 17. Sep 17:29 ifcfg-lo
-rw-r--r-- 1 root root 21738 9. Jun 08:26 ifcfg.template
drwxr-xr-x 1 root root 40 17. Sep 17:27 if-down.d
drwxr-xr-x 1 root root 40 17. Sep 17:27 if-up.d
drwx------ 1 root root 0 25. Mai 22:22 providers
drwxr-xr-x 1 root root 164 17. Sep 17:27 scripts
--<