[Bug 1140916] New: firewall does not start correctly
http://bugzilla.suse.com/show_bug.cgi?id=1140916

Bug ID: 1140916
Summary: firewall does not start correctly
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
Assignee: bnc-team-screening@forge.provo.novell.com
Reporter: msuchanek@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Created attachment 809891
  --> http://bugzilla.suse.com/attachment.cgi?id=809891&action=edit
iptables-save output before running yast

Although I enabled ssh in firewall configuration I cannot connect over ssh.

Running 'yast2 firewall' and pressing "Accept" enables ssh; rebooting disables ssh.

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1140916#c1
--- Comment #1 from Michal Suchanek
Michal Suchanek
http://bugzilla.suse.com/show_bug.cgi?id=1140916#c2
Steffen Winterfeldt
http://bugzilla.suse.com/show_bug.cgi?id=1140916#c3
--- Comment #3 from Michal Suchanek
http://bugzilla.suse.com/show_bug.cgi?id=1140916#c4
--- Comment #4 from Michal Suchanek
http://bugzilla.suse.com/show_bug.cgi?id=1140916#c5
Ladislav Slezák
http://bugzilla.suse.com/show_bug.cgi?id=1140916#c6
Michal Suchanek
http://bugzilla.suse.com/show_bug.cgi?id=1140916#c7
David Diaz
http://bugzilla.suse.com/show_bug.cgi?id=1140916#c8
--- Comment #8 from David Diaz
http://bugzilla.suse.com/show_bug.cgi?id=1140916#c9
--- Comment #9 from David Diaz
http://bugzilla.suse.com/show_bug.cgi?id=1140916#c10
--- Comment #10 from David Diaz
http://bugzilla.suse.com/show_bug.cgi?id=1140916#c11
Michal Suchanek
> I also tested it doing the installation with default configuration and then enabling the SSH service in the system and adding it to the `public` zone through yast2-firewall.

I added ssh to 'external' zone because that is what eth0 gets assigned to when running yast2 firewall. However, the default zone is 'public' and eth0 gets assigned to this zone on boot.

So the problem is that just running 'yast2 firewall' and pressing 'Accept' reassigns eth0 from 'public' to 'external' zone, and this reassignment does not stick across reboot.
http://bugzilla.suse.com/show_bug.cgi?id=1140916#c12
Knut Alejandro Anderssen González
(In reply to David Diaz from comment #7)
> I also tested it doing the installation with default configuration and then enabling the SSH service in the system and adding it to the `public` zone through yast2-firewall.

> I added ssh to 'external' zone because that is what eth0 gets assigned to when running yast2 firewall. However, the default zone is 'public' and eth0 gets assigned to this zone on boot.

It is strange: if the interface does not belong explicitly to a zone, it will belong to the default zone. So, saying that YaST assigns it to the external zone by default looks wrong to me, but I have nothing that confirms that. So, after saving the changes in yast2-firewall, what is the content of ifcfg-eth0? Does it contain ZONE='public'? Or ZONE= ?

> So the problem is that just running 'yast2 firewall' and pressing 'Accept' reassigns eth0 from 'public' to 'external' zone, and this reassignment does not stick across reboot.

According to the logs it was correctly assigned to the 'external' zone. That is, YaST did:

Executing firewall-cmd with ["--permanent", "--zone=external", "--change-interface=eth0"]

And also the ZONE was assigned to the ifcfg file:

modules/NetworkInterfaces.rb:658 config={"BOOTPROTO"=>"dhcp", "BROADCAST"=>"", "ETHTOOL_OPTIONS"=>"", "IPADDR"=>"", "MTU"=>"", "NAME"=>"", "NETMASK"=>"", "NETWORK"=>"", "REMOTE_IPADDR"=>"", "STARTMODE"=>"auto", "DHCLIENT_SET_DEFAULT_ROUTE"=>"yes", "ZONE"=>"external"}

Finally a reload was executed:

yast2/systemctl.rb:34 systemctl reload firewalld.service

In the next run, the external zone is marked as active and it correctly listed the eth0 zone:

lib/cheetah.rb:206 Standard output: interfaces: eth0

So I do not know why and who is assigning it to 'default' during boot. Could you provide the content of the ifcfg file and the journal logs (firewalld, wicked...)?
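A consistency check over the places this thread compares (the ZONE value in the ifcfg file, firewalld's permanent configuration, the runtime zone and the default zone), as an added example that is not part of the bug report or of YaST. The function names, the ifcfg path and the handling of a "no zone" answer are assumptions of this sketch; the only firewall-cmd options used are `--permanent`, `--get-zone-of-interface` and `--get-default-zone`.

```shell
#!/bin/sh
# Added example: report whether an interface's runtime zone matches what was configured.

# Print the ZONE value from an ifcfg file (empty if unset, empty-valued or unreadable).
ifcfg_zone() {
    [ -r "$1" ] || return 0
    # Last ZONE= assignment wins; surrounding single or double quotes are stripped.
    sed -n "s/^[[:space:]]*ZONE=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}[[:space:]]*\$/\1/p" "$1" |
        tail -n 1
}

# Args: ifcfg ZONE, permanent zone, runtime zone, default zone.
# An interface with no explicit binding is handled by the default zone.
zone_verdict() {
    ifcfg=$1; perm=$2; runtime=$3; default=$4
    case $perm in 'no zone') perm= ;; esac
    case $runtime in ''|'no zone') runtime=$default ;; esac
    if [ -n "$ifcfg" ] && [ -n "$perm" ] && [ "$ifcfg" != "$perm" ]; then
        echo "config-conflict:ifcfg=$ifcfg,permanent=$perm"
        return 0
    fi
    # Zone the saved configuration asks for (assumption: ifcfg, then permanent, then default).
    expected=${ifcfg:-${perm:-$default}}
    if [ "$runtime" = "$expected" ]; then
        echo "consistent:$runtime"
    elif [ "$runtime" = "$default" ]; then
        # The symptom reported here: configured zone lost, default zone applied after boot.
        echo "fell-back-to-default:expected=$expected"
    else
        echo "mismatch:expected=$expected,runtime=$runtime"
    fi
}

# Live check on a running system; the path assumes the openSUSE sysconfig layout.
check_iface() {
    iface=$1
    cfg=$(ifcfg_zone "/etc/sysconfig/network/ifcfg-$iface")
    p=$(firewall-cmd --permanent --get-zone-of-interface="$iface" 2>/dev/null)
    r=$(firewall-cmd --get-zone-of-interface="$iface" 2>/dev/null)
    d=$(firewall-cmd --get-default-zone)
    zone_verdict "$cfg" "$p" "$r" "$d"
}
```

Running `check_iface eth0` once right after saving in yast2-firewall and once after a reboot shows at which point the runtime zone stops matching the saved configuration.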
http://bugzilla.suse.com/show_bug.cgi?id=1140916#c13
--- Comment #13 from Michal Suchanek
http://bugzilla.suse.com/show_bug.cgi?id=1140916#c14
David Diaz