IIRC IPv6 is handled almost entirely separately at kernel level,
including iptables filtering (hence why we have iptables and
ip6tables). All firewalld provides is a wrapper of questionable
value and usefulness that ends up using iptables underneath.
It may be worth checking the iptables/ip6tables rules generated
on an x86 box and what kernel modules are available/loaded to
facilitate it. This should at least give you a reference point
for what is needed, and enable you to look for what's missing
from the Pi kernel you are using.
Gordan
On 2016-01-13 09:55, Neil Townsend wrote:
Sorry for the repeats, I think I've managed to make contact now.
I have done all the checks I can like that. When you start firewalld
up, the kernel loads a pile of modules and, although I'm not an
expert, I couldn't spot anything obvious missing. What I've since
discovered is that if you disable ipv6 in the firewalld conf file that
it works just fine. I can live with this as a work around, but it
clearly isn't a long term solution.
It does seem to be a clash with the kernel (for reference I'm using
4.1.11) - although it's about the Pi2, I found the work around here:
http://seven.centos.org/2015/06/another-proof-of-concept-armv7hl-release-this-one-for-the-raspberry-pi2/
I'm happy to keep digging, but I wondered if anyone knew any more
about the kernel being used and ipv6 things ... or whether this issue
goes away with later releases of firewalld. I can't find much on the
firewalld issue list.
Other than that, massive thanks for a great project. It's been a
delight to start using an EL on my pi.
Neil
On 11/01/2016 16:42, Gordan Bobic wrote:
I'm hardly an authority on firewalld, so take this with a bucket of
salt, but have you checked that all iptables kernel modules are
available in your kernel? It could be that something it tries to
do doesn't succeed because it assumes availability of various
iptables filtering modules.
I usually disable/mask firewalld and use iptables service
instead.
Gordan
On 2016-01-11 15:41, Neil Townsend wrote:
Hi all,
I recently installed RedSleeve 7.0 on a Raspberry Pi B (neither
plus nor 2).
It all seems to work fine, apart from one odd quirk: firewalld
runs, but seems to have issues in that it has zone problems; and
firewall-cmd thinks it isn't running. Here's a sequence of commands
showing that the system is up to date, and what happens when you try
and use firewalld:
[root@freepbx ~]# yum update
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
No packages marked for update
[root@freepbx ~]# firewall-cmd --state
not running
[root@freepbx ~]# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service;
disabled)
Active: inactive (dead)
[root@freepbx ~]# systemctl enable firewalld
ln -s '/usr/lib/systemd/system/firewalld.service'
'/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
ln -s '/usr/lib/systemd/system/firewalld.service'
'/etc/systemd/system/basic.target.wants/firewalld.service'
[root@freepbx ~]# firewall-cmd --state
not running
[root@freepbx ~]# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service;
enabled)
Active: inactive (dead)
[root@freepbx ~]# systemctl start firewalld
[root@freepbx ~]# firewall-cmd --state
not running
[root@freepbx ~]# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service;
enabled)
Active: active (running) since Sun 2016-01-03 14:42:24 UTC; 29s
ago
Main PID: 1768 (firewalld)
CGroup: /system.slice/firewalld.service
└─1768 /usr/bin/python -Es /usr/sbin/firewalld --nofork
--nopid
Jan 03 14:42:24 freepbx systemd[1]: Started firewalld - dynamic
firewall daemon.
Jan 03 14:42:30 freepbx firewalld[1768]: 2016-01-03 14:42:30 ERROR:
INVALID_ZONE
[root@freepbx ~]# systemctl stop firewalld
[root@freepbx ~]# systemctl disable firewalld
rm '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
rm '/etc/systemd/system/basic.target.wants/firewalld.service'
In that funny state when it is running (according to systemctl) but
not (according to firewall-cmd), two things of note:
1. It does seem to be active in that access to the pi is blocked.
2. It claims to have no zones.
The only thing I can see of note is the 'INVALID_ZONE' error in the
above text.
I note that this seems similar to an error reported for firewalld
here (in 0.3.9
http://serverfault.com/questions/673764/firewalld-service-is-running-but-firewall-cmd-doesnt-work
[1]) and also here (in 0.3.5:
https://bugzilla.redhat.com/show_bug.cgi?id=967376 [2]); Redsleeve 7
(and 7.1 and 7.2) seem to run version 0.3.9 from what I can see.
Any ideas?
Thanks,
Neil
Links:
------
[1]
http://serverfault.com/questions/673764/firewalld-service-is-running-but-firewall-cmd-doesnt-work
[2]
https://bugzilla.redhat.com/show_bug.cgi?id=967376
_______________________________________________
users mailing list
[email protected]
https://lists.redsleeve.org/mailman/listinfo/users
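
Added example, not part of the thread: one way to run the comparison suggested in the first message, listing netfilter modules that a reference x86 box has loaded but the Pi has neither loaded nor built in. The function names and the sample lsmod/modules.builtin data are constructed for illustration; on real systems the inputs would be saved `lsmod` output from each host and the Pi's /lib/modules/$(uname -r)/modules.builtin.

```shell
#!/bin/sh
# Added example; the lsmod and modules.builtin samples below are constructed.
LC_ALL=C; export LC_ALL   # stable sort order for comm
# Keep only netfilter-related names (iptables, ip6tables, conntrack, xtables).
nf_filter() {
    grep -E '^(ip6?_tables|ip6?table_|ip6?t_|nf_|xt_|x_tables)' | sort -u
}

# Module names from a saved `lsmod` dump (first column, header skipped).
loaded_nf_modules() { awk 'NR > 1 { print $1 }' "$1" | nf_filter; }

# Names from modules.builtin: built-in code never shows up in lsmod.
builtin_nf_modules() {
    sed -e 's|.*/||' -e 's|\.ko$||' "$1" | tr '-' '_' | nf_filter
}

# Usage: missing_modules REF_LSMOD TARGET_LSMOD [TARGET_MODULES_BUILTIN]
missing_modules() {
    ref=$(mktemp); tgt=$(mktemp)
    loaded_nf_modules "$1" > "$ref"
    {
        loaded_nf_modules "$2"
        if [ -n "${3:-}" ]; then builtin_nf_modules "$3"; fi
    } | sort -u > "$tgt"
    comm -23 "$ref" "$tgt"    # lines only in the reference list
    rm -f "$ref" "$tgt"
}

sample_x86_lsmod() { cat <<'EOF'
Module                  Size  Used by
ip6table_filter        12815  1
ip6_tables             26901  1 ip6table_filter
nf_conntrack_ipv6      18894  2
iptable_filter         12810  1
ext4                  562391  1
EOF
}
sample_pi_lsmod() { cat <<'EOF'
Module                  Size  Used by
iptable_filter         12810  1
EOF
}
demo() {
    d=$(mktemp -d); sample_x86_lsmod > "$d/x86"; sample_pi_lsmod > "$d/pi"
    printf 'kernel/net/ipv6/netfilter/ip6_tables.ko\n' > "$d/builtin"
    missing_modules "$d/x86" "$d/pi" "$d/builtin"; rm -rf "$d"
}
demo
```

Capture the reference list while firewalld is running on the x86 box, since that is when its modules are loaded.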