On 20-09-15 17:19, Bjarne Saltbaek wrote:
> Hi,
>
> On 20-09-2015 12:28, Jacco Ligthart wrote:
>>> Fair point, but I thought ssh port is open by default.
>> correct, if you configure firewalld. This is done normally somewhere in
>> anaconda ...
>> I think anaconda does something like:
>> /usr/bin/firewall-offline-cmd --enabled --service=ssh
>> (with optional extra ports, services, etc depending on user input)
>>
>> I am now testing if we could get this to work in a rbf post install
>> script, but for now the firewall does not seem to work at all :(
>> I keep getting "ERROR: INVALID_ZONE"
>>
>> Has anybody got their firewalld up and running?
>>
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html
> https://www.digitalocean.com/community/tutorials/additional-recommended-steps-for-new-centos-7-servers
>
> sudo firewall-cmd --permanent --add-service=ssh
> ?
>
> (and check with "sudo firewall-cmd --list-all")
I found the same documentation, and fiddled a bit with the commands, but it all seems not to work:

[root@rpi2 ~]# firewall-cmd --permanent --add-service=ssh
FirewallD is not running
[root@rpi2 ~]# service firewalld start
Redirecting to /bin/systemctl start firewalld.service
[root@rpi2 ~]# firewall-cmd --permanent --add-service=ssh
Error: INVALID_ZONE
[root@rpi2 ~]# firewall-cmd --list-all
Error: INVALID_ZONE
[root@rpi2 ~]# firewall-cmd --permanent --zone=public --add-interface=eth0
Error: INVALID_ZONE: public
[root@rpi2 ~]# firewall-cmd --permanent --new-zone=public
success
[root@rpi2 ~]# firewall-cmd --list-all
Error: INVALID_ZONE

(this is all on a fresh install of today, seconds after "yum install firewalld")

I wonder where it breaks, is there some kernel dependency that does not work any more now that I'm on 4.1.6 vs 3.10 for upstream? Does it miss the selinux stuff? Is there some silent dependency missing?

Somehow it looks like the files get written OK, but firewalld seems not to be able to read them again??? For instance:

[root@rpi2 ~]# firewall-offline-cmd --enabled --service=ssh
Adding service 'ssh' to default zone.
success
[root@rpi2 ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <service name="ssh"/>
</zone>
[root@rpi2 ~]# firewall-cmd --list-all
Error: INVALID_ZONE

Anyway, I wondered if somebody else had it working, maybe on another device, with another kernel, etc.

Jacco
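A read-only sanity check that a post-install script can run before it relies on firewall-cmd, added here as an example and not part of the thread: it verifies that the zone named by DefaultZone= in firewalld.conf actually exists as zone XML and that it lists the ssh service, which is the on-disk state firewall-offline-cmd should have produced above. It assumes firewalld's usual layout (/etc/firewalld/firewalld.conf, admin zones in /etc/firewalld/zones overriding package defaults in /usr/lib/firewalld/zones); the directories are parameters so the checks can also be run against a test tree, and passing them does not by itself explain the INVALID_ZONE errors in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Checks the firewalld configuration a
# post-install script leaves behind, without touching the running daemon.

# Print the DefaultZone= value from a firewalld.conf; fail if it is absent.
default_zone_from_conf() {
    zone=$(sed -n 's/^DefaultZone=//p' "$1" | head -n 1)
    [ -n "$zone" ] || return 1
    printf '%s\n' "$zone"
}

# Print the zone XML firewalld would load for zone $1, searching the remaining
# arguments in order (admin overrides first, then package defaults).
zone_file_for() {
    zone="$1"; shift
    for dir in "$@"; do
        if [ -f "$dir/$zone.xml" ]; then
            printf '%s\n' "$dir/$zone.xml"
            return 0
        fi
    done
    return 1
}

# Succeed if zone file $1 lists service $2, e.g. <service name="ssh"/>.
zone_has_service() {
    grep -q "<service name=\"$2\"/>" "$1"
}

# Run all three checks for service $1 against conf $2 and zone dirs $3...;
# returns 0 only if the default zone exists on disk and allows the service
# (1: no DefaultZone, 2: zone file missing, 3: service not listed).
check_default_zone_allows() {
    service="$1"; conf="$2"; shift 2
    zone=$(default_zone_from_conf "$conf") || { echo "no DefaultZone= in $conf"; return 1; }
    file=$(zone_file_for "$zone" "$@") || { echo "zone '$zone' has no XML under: $*"; return 2; }
    zone_has_service "$file" "$service" || { echo "$file does not allow $service"; return 3; }
    echo "default zone '$zone' ($file) allows $service"
}

# Stand-alone use against the live system (read-only):
#   sh check-zone.sh --live
if [ "${1:-}" = "--live" ]; then
    check_default_zone_allows ssh /etc/firewalld/firewalld.conf \
        /etc/firewalld/zones /usr/lib/firewalld/zones
fi
```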
_______________________________________________
users mailing list
[email protected]
http://lists.redsleeve.org/mailman/listinfo/users
