On Saturday, 2023-04-29 at 16:36 +0300, Andrei Borzenkov wrote:
On 29.04.2023 15:25, Carlos E. R. wrote:
On 2023-04-29 13:44, Andrei Borzenkov wrote:
On 29.04.2023 14:42, Carlos E. R. wrote:
On 2023-04-29 13:25, Andrei Borzenkov wrote:
On 29.04.2023 12:57, Carlos E. R. wrote:
Damn! It is a service name, not a protocol value. Wrong copy paste. But the syntax check said nothing! Claims success and fails.
The syntax is correct. It also gives a warning when (re-)loaded:
Apr 29 14:18:55 uefi firewalld[1959]: WARNING: INVALID_PROTOCOL: samba: rule family="ipv4" source address="192.168.0.0/16" protocol value="samba" accept
Apr 29 14:18:55 uefi firewalld[1959]: WARNING: INVALID_PROTOCOL: samba: rule family="ipv4" source address="192.168.0.0/16" protocol value="samba" accept
Where is that warning printed? Not in the terminal where I typed the command.
Which command? You never told us.
No? I see it:
# firewall-cmd --check-config && firewall-cmd --reload && date --rfc-3339=ns
I do not post it on every mail, because it is always the same.
firewall-cmd is a frontend to firewalld and just forwards the request to firewalld. The real work is performed by firewalld and any diagnostics are written to its log file.
Ah.
The first place where one looks for logs of a system service today is the journal. If you also micromanage your log files and, instead of using the journal, forward logs to a lot of different places, then you should know where they are.
I have both syslog and journal running, and yes, I customize rsyslogd log files. But as I have only worked with firewalld this week, I doubt I created /var/log/firewalld myself. Checking:

Isengard:/var/lib/named # grep firewalld /etc/rsyslog.conf
Isengard:/var/lib/named #
Isengard:/var/lib/named # grep firewalld /etc/rsyslog.d/*
Isengard:/var/lib/named #

So I did not. So where is that file configured?

Isengard:/var/lib/named # grep -r /var/log/firewalld /etc/firewalld/*
Isengard:/var/lib/named #
Isengard:/var/lib/named # grep -r log /etc/firewalld/*
/etc/firewalld/firewalld.conf:# Add logging rules right before reject and drop rules in the INPUT, FORWARD
/etc/firewalld/firewalld.conf.old:# Add logging rules right before reject and drop rules in the INPUT, FORWARD
/etc/firewalld/zones/external.xml.202304291206:  <service name="syslog"/>
/etc/firewalld/zones/external.xml:  <service name="syslog"/>
Isengard:/var/lib/named #

No...

Isengard:/var/lib/named # systemctl cat firewalld.service
# /usr/lib/systemd/system/firewalld.service
[Unit]
Description=firewalld - dynamic firewall daemon
Before=network-pre.target
Wants=network-pre.target
After=dbus.service
After=polkit.service
Conflicts=iptables.service ip6tables.service ebtables.service ipset.service nftables.service
Documentation=man:firewalld(1)

[Service]
EnvironmentFile=-/etc/sysconfig/firewalld
ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS
ExecReload=/bin/kill -HUP $MAINPID
# supress to log debug and error output also to /var/log/messages
StandardOutput=null
StandardError=null
Type=dbus
BusName=org.fedoraproject.FirewallD1
KillMode=mixed

[Install]
WantedBy=multi-user.target
Alias=dbus-org.fedoraproject.FirewallD1.service
Isengard:/var/lib/named #

No... but found a new config file.

Isengard:/var/lib/named # cat /etc/sysconfig/firewalld
# firewalld command line args
# possible values: --debug
FIREWALLD_ARGS=
Isengard:/var/lib/named #

Sorry, nothing found. It is not my doing.

"man firewalld" does mention it. So it is hardcoded, and bypasses both journal and syslog. HA! :-o

       --debug[=level]
              Set the debug level for firewalld to level. The range of the debug level is 1 (lowest level) to 10 (highest level). The debug output will be written to the firewalld log file /var/log/firewalld.

(it is the only line mentioning it)
firewalld does not have a provision to return detailed messages back as the response to a D-Bus request. Which really is not different from what happens with systemctl: the status from systemctl only tells you whether the request was successfully submitted, not whether the service succeeded in the end.
Ok...
If you want to check the configuration and see the diagnostics, use firewall-offline-cmd:

uefi:/etc/firewalld # firewall-offline-cmd --check-config
WARNING: INVALID_PROTOCOL: samba: rule family="ipv4" source address="192.168.0.0/16" protocol value="samba" accept
WARNING: INVALID_PROTOCOL: samba: rule family="ipv4" source address="192.168.0.0/16" protocol value="samba" accept
uefi:/etc/firewalld #

Granted, it still returns 0 even if there were warnings. If you think it should be improved, you need to submit an issue to the firewalld project.
Nay, I'll content myself on knowing how it acts. I have too many things to cook.

I was doing:

# firewall-cmd --check-config && firewall-cmd --reload && tail /var/log/firewalld && date --rfc-3339=ns

I'll add your suggestion. Although the "&&" will not act if the output is always zero.

Isengard:/etc/firewalld/zones # firewall-cmd --check-config && firewall-offline-cmd --check-config && firewall-cmd --reload && tail /var/log/firewalld && date --rfc-3339=ns
success
success
2023-04-29 00:22:42 WARNING: INVALID_PROTOCOL: samba: rule family="ipv4" source address="192.168.0.0/16" protocol value="samba" accept
2023-04-29 00:22:42 WARNING: INVALID_PROTOCOL: syslog: rule family="ipv4" source address="192.168.1.0/24" protocol value="syslog" accept
2023-04-29 00:22:45 WARNING: INVALID_PROTOCOL: samba: rule family="ipv4" source address="192.168.0.0/16" protocol value="samba" accept
2023-04-29 00:22:45 WARNING: INVALID_PROTOCOL: syslog: rule family="ipv4" source address="192.168.1.0/24" protocol value="syslog" accept
2023-04-29 00:22:47 WARNING: INVALID_PROTOCOL: samba: rule family="ipv4" source address="192.168.0.0/16" protocol value="samba" accept
2023-04-29 00:22:47 WARNING: INVALID_PROTOCOL: syslog: rule family="ipv4" source address="192.168.1.0/24" protocol value="syslog" accept
2023-04-29 00:31:27 WARNING: INVALID_PROTOCOL: samba: rule family="ipv4" source address="192.168.0.0/16" protocol value="samba" accept
2023-04-29 00:31:27 WARNING: INVALID_PROTOCOL: syslog: rule family="ipv4" source address="192.168.1.0/24" protocol value="syslog" accept
2023-04-29 00:34:37 WARNING: INVALID_PROTOCOL: samba: rule family="ipv4" source address="192.168.0.0/16" protocol value="samba" accept
2023-04-29 00:34:37 WARNING: INVALID_PROTOCOL: syslog: rule family="ipv4" source address="192.168.1.0/24" protocol value="syslog" accept
2023-04-29 19:13:44.300664051+02:00
Isengard:/etc/firewalld/zones #

Those are the old errors.

--
Cheers,
       Carlos E. R.
(from openSUSE 15.4 x86_64 at Telcontar)
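The thread ends on the practical gap that firewall-cmd --check-config and firewall-offline-cmd --check-config both exit 0 when the configuration carries INVALID_PROTOCOL warnings, so an "&&" chain never stops before the reload. The POSIX shell below is an added example, not code from the thread or from the firewalld project: it wraps the offline check, treats any WARNING: line as a failure, and lists the rule elements that used a service name where a protocol value was expected. The firewall-offline-cmd command and the WARNING line format come from the thread; the sample transcripts are constructed from the warning lines quoted there, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or firewalld): fail a firewalld config
# check on warnings, since firewall-offline-cmd --check-config exits 0 even
# when it prints "WARNING: INVALID_PROTOCOL: ..." lines.

# Sample transcripts, constructed from the warning lines quoted in the thread.
SAMPLE_WITH_WARNINGS='WARNING: INVALID_PROTOCOL: samba: rule family="ipv4" source address="192.168.0.0/16" protocol value="samba" accept
WARNING: INVALID_PROTOCOL: syslog: rule family="ipv4" source address="192.168.1.0/24" protocol value="syslog" accept'
SAMPLE_CLEAN='success'

# count_warnings TEXT: print how many lines of TEXT are firewalld warnings.
count_warnings() {
    # grep -c still prints 0 when nothing matches but exits 1; ignore that status
    printf '%s\n' "$1" | grep -c '^WARNING:' || true
}

# config_check_clean TEXT: succeed (exit 0) only when TEXT has no warning line.
config_check_clean() {
    [ "$(count_warnings "$1")" -eq 0 ]
}

# invalid_protocol_names TEXT: print the element name from each
# INVALID_PROTOCOL warning (e.g. "samba"), one per line, so the admin can see
# which rich rule needs its protocol value corrected.
invalid_protocol_names() {
    printf '%s\n' "$1" | sed -n 's/^WARNING: INVALID_PROTOCOL: \([^:]*\):.*/\1/p'
}

# strict_check_config: run the real offline check (needs firewalld installed
# and root) and return non-zero if it printed any warning. Drop it in as the
# first element of the && chain from the thread so a warning stops the reload.
strict_check_config() {
    out=$(firewall-offline-cmd --check-config 2>&1) || return $?
    printf '%s\n' "$out"
    if ! config_check_clean "$out"; then
        echo "config check produced warnings for these elements:" >&2
        invalid_protocol_names "$out" >&2
        return 1
    fi
}

# Demonstration on the constructed samples only (no firewalld required).
if [ "${1:-}" = "--demo" ]; then
    config_check_clean "$SAMPLE_CLEAN" && echo "clean sample: ok"
    config_check_clean "$SAMPLE_WITH_WARNINGS" || {
        echo "warning sample: would fail; offending elements:"
        invalid_protocol_names "$SAMPLE_WITH_WARNINGS"
    }
fi
```

Run the file with --demo to see the decision on the constructed samples; on a real host, source it and use `strict_check_config && firewall-cmd --reload` in place of the `firewall-cmd --check-config && firewall-cmd --reload` chain, which is the behaviour the "&&" alone cannot give while the check always exits 0.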