firewalld - RT_TO_PERM_FAILED
2023-05-01 17:45:41 ERROR: ZONE_CONFLICT: eth1
2023-05-01 17:45:41 WARNING: Runtime To Permanent failed on zone 'external': org.fedoraproject.FirewallD1.Exception: ZONE_CONFLICT: eth1
2023-05-01 17:45:42 ERROR: RT_TO_PERM_FAILED

That is as far as I got with migrating Carlos' SFW2 setup. Trying to debug the iptables rules to spot what might be wrong - well, a little overwhelming, particularly because I am not familiar with firewalld's setup.

-- 
Per Jessen, Zürich (16.4°C)
Member, openSUSE Heroes (2016 - present)
We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 01.05.2023 19:09, Per Jessen wrote:
> 2023-05-01 17:45:41 ERROR: ZONE_CONFLICT: eth1
> 2023-05-01 17:45:41 WARNING: Runtime To Permanent failed on zone 'external': org.fedoraproject.FirewallD1.Exception: ZONE_CONFLICT: eth1

It means that interface is bound to multiple zones (i.e. listed as belonging to multiple zones).

> 2023-05-01 17:45:42 ERROR: RT_TO_PERM_FAILED
> That is as far as I got with migrating Carlos' SFW2 setup. Trying to debug the iptables rules to spot what might be wrong - well, a little overwhelming, particularly because I am not familiar with firewalld's setup.

You will not see it in iptables rules, it is pure firewalld configuration.
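As an added example (not from this thread and not firewalld's own tooling), a small Python check that does what Andrei describes: it reads the permanent zone XML files rather than iptables output and reports every interface listed in more than one zone. It runs on two constructed zone files embedded below; the /etc/firewalld/zones directory in load_zone_dir is assumed to be firewalld's default location for permanent zone files.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from pathlib import Path

# Constructed sample standing in for /etc/firewalld/zones/*.xml: both
# permanent zone files list eth1, which is the state firewalld rejects
# as ZONE_CONFLICT when it tries to write the permanent configuration.
SAMPLE_ZONES = {
    "external.xml": """<zone target="default">
  <interface name="eth0"/>
  <interface name="eth1"/>
  <service name="ssh"/>
</zone>""",
    "public.xml": """<zone>
  <interface name="eth1"/>
</zone>""",
}


def interfaces_by_zone(zone_files):
    """Map zone name -> set of interface names from (filename, xml) pairs."""
    result = {}
    for fname, text in zone_files:
        root = ET.fromstring(text)
        # The zone is named after its file: external.xml -> external
        result[Path(fname).stem] = {i.get("name") for i in root.findall("interface")}
    return result


def find_zone_conflicts(zone_files):
    """Return {interface: [zones]} for interfaces bound to more than one zone."""
    owners = defaultdict(set)
    for zone, ifaces in interfaces_by_zone(zone_files).items():
        for iface in ifaces:
            owners[iface].add(zone)
    return {i: sorted(z) for i, z in owners.items() if len(z) > 1}


def load_zone_dir(directory="/etc/firewalld/zones"):
    """Read a host's permanent zone files (assumed default firewalld path)."""
    return [(p.name, p.read_text()) for p in Path(directory).glob("*.xml")]


if __name__ == "__main__":
    for iface, zones in find_zone_conflicts(SAMPLE_ZONES.items()).items():
        print(f"{iface}: bound to zones {', '.join(zones)}")
        # Resolve by leaving the interface in exactly one zone, e.g.
        # firewall-cmd --permanent --zone=public --remove-interface=eth1
```

On a live host, `firewall-cmd --get-active-zones` shows the runtime bindings for comparison with what the permanent files say.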
Andrei Borzenkov wrote:
> On 01.05.2023 19:09, Per Jessen wrote:
>> 2023-05-01 17:45:41 ERROR: ZONE_CONFLICT: eth1
>> 2023-05-01 17:45:41 WARNING: Runtime To Permanent failed on zone 'external': org.fedoraproject.FirewallD1.Exception: ZONE_CONFLICT: eth1
>
> It means that interface is bound to multiple zones (i.e. listed as belonging to multiple zones).
>
>> 2023-05-01 17:45:42 ERROR: RT_TO_PERM_FAILED
>> That is as far as I got with migrating Carlos' SFW2 setup. Trying to debug the iptables rules to spot what might be wrong - well, a little overwhelming, particularly because I am not familiar with firewalld's setup.
>
> You will not see it in iptables rules, it is pure firewalld configuration.

Ah. Okay, thanks for that hint - that ought to be easier to debug. I'm surprised Carlos' conversion didn't hit this .....

-- 
Per Jessen, Zürich (12.6°C)
Member, openSUSE Heroes (2016 - present)
We're hiring - https://en.opensuse.org/openSUSE:Heroes
Per Jessen wrote:
> Andrei Borzenkov wrote:
>> You will not see it in iptables rules, it is pure firewalld configuration.
>
> Ah. Okay, thanks for that hint - that ought to be easier to debug. I'm surprised Carlos' conversion didn't hit this .....

Slight surprise this morning - I re-enabled firewalld on this test system and rebooted, clean slate. It turns out my '--runtime-to-permanent' did write _some_ firewalld config, although only part of it (smiley with tears running down my cheeks). Time to restart the experiment.

-- 
Per Jessen, Zürich (12.9°C)
Member, openSUSE Heroes (2016 - present)
We're hiring - https://en.opensuse.org/openSUSE:Heroes
Per Jessen wrote:
> Andrei Borzenkov wrote:
>> On 01.05.2023 19:09, Per Jessen wrote:
>>> 2023-05-01 17:45:41 ERROR: ZONE_CONFLICT: eth1
>>> 2023-05-01 17:45:41 WARNING: Runtime To Permanent failed on zone 'external': org.fedoraproject.FirewallD1.Exception: ZONE_CONFLICT: eth1
>>
>> It means that interface is bound to multiple zones (i.e. listed as belonging to multiple zones).
>>
>>> 2023-05-01 17:45:42 ERROR: RT_TO_PERM_FAILED
>>> That is as far as I got with migrating Carlos' SFW2 setup. Trying to debug the iptables rules to spot what might be wrong - well, a little overwhelming, particularly because I am not familiar with firewalld's setup.
>>
>> You will not see it in iptables rules, it is pure firewalld configuration.
>
> Ah. Okay, thanks for that hint - that ought to be easier to debug. I'm surprised Carlos' conversion didn't hit this .....

The reason there is no mention of 'eth1' - there is only 'eth0' on Carlos' machine, and his sfw2 config is only concerned with 'eth0' (plus some vmnetX). My test machine "janeway" has a few more interfaces, automagically picked up by the conversion script. It seems odd that there should be a conflict, they are all assigned to the one zone 'ext'. Still debugging that one.

The ICMP type 4 is enabled by SFW2 by default - it is some kind of congestion control, from years back. It might make sense on an externally facing firewall, but I think it is a bit of a relic. ICMP type 8 is permitted by default, but somehow the conversion doesn't do this right - it ought to permit those two ICMP types, plus ICMP replies, then maybe(!) drop the rest. Adding blocking rules for all the other ICMP types, for each zone, takes forever.

Still, by removing some obscure network references, I reduced runtime to 17 minutes :-)

-- 
Per Jessen, Zürich (14.4°C)
Member, openSUSE Heroes (2016 - present)
We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-05-02 10:34, Per Jessen wrote:
> Per Jessen wrote:
>> Andrei Borzenkov wrote:
>>> On 01.05.2023 19:09, Per Jessen wrote:
>>>> 2023-05-01 17:45:41 ERROR: ZONE_CONFLICT: eth1
>>>> 2023-05-01 17:45:41 WARNING: Runtime To Permanent failed on zone 'external': org.fedoraproject.FirewallD1.Exception: ZONE_CONFLICT: eth1
>>>
>>> It means that interface is bound to multiple zones (i.e. listed as belonging to multiple zones).
>>>
>>>> 2023-05-01 17:45:42 ERROR: RT_TO_PERM_FAILED
>>>> That is as far as I got with migrating Carlos' SFW2 setup. Trying to debug the iptables rules to spot what might be wrong - well, a little overwhelming, particularly because I am not familiar with firewalld's setup.
>>>
>>> You will not see it in iptables rules, it is pure firewalld configuration.
>>
>> Ah. Okay, thanks for that hint - that ought to be easier to debug. I'm surprised Carlos' conversion didn't hit this .....
>
> The reason there is no mention of 'eth1' - there is only 'eth0' on Carlos' machine, and his sfw2 config is only concerned with 'eth0' (plus some vmnetX). My test machine "janeway" has a few more interfaces, automagically picked up by the conversion script. It seems odd that there should be a conflict, they are all assigned to the one zone 'ext'. Still debugging that one.

Ah. I was wondering where those errors might be coming from. The previous hardware of this computer did have eth0 and eth1, but I never used eth1.

> The ICMP type 4 is enabled by SFW2 by default - it is some kind of congestion control, from years back. It might make sense on an externally facing firewall, but I think it is a bit of a relic. ICMP type 8 is permitted by default, but somehow the conversion doesn't do this right - it ought to permit those two ICMP types, plus ICMP replies, then maybe(!) drop the rest. Adding blocking rules for all the other ICMP types, for each zone, takes forever.
>
> Still, by removing some obscure network references, I reduced runtime to 17 minutes :-)

The conversion took about 20 minutes in Isengard, which is a mini pc working as mini server, and something between 3 or 4 minutes in Telcontar, which is a big, powerful machine. The configuration I emailed is from Telcontar.

-- 
Cheers / Saludos,

Carlos E. R.
(from 15.4 x86_64 at Telcontar)