OPENSUSE 15.2 firewall rule not retained after a reboot, requires firewall-cmd --reload to work

I have a SUSE 15.2 operating system. I set up a rich rule to deny ICMP ping from the external network.
firewall-cmd --add-rich-rule='rule protocol value=icmp reject' --permanent --zone=dmz

When the machine was rebooted, I had to run the command “firewall-cmd --reload” for the rich rules to be enforced again.

On OPENSUSE 15.4 and 15.5, the rich rules were enforced when the machine was rebooted.

Looking for anyone who knows of a workaround, or whether this is a bug in 15.2 that was fixed in the 15.4 or 15.4 firewalld.

Hello and welcome to the forums.

I hope you are aware of the fact that 15.2 and even 15.4 have been out of support for some time already. Thus not many people will have such a system available to try and reproduce your problem. They have to depend completely on their memory and look back three/four years and try to remember what software was used in those times.

@waynedinh Hi, looking at the Leap 15.6 changelog I see:

rpm -q firewalld --changelog | grep "rich"
....
* firewall.core.io.zone: Fix permanent rich rules using icmp-type (rh#1434594)
....

I suspect that entry is not present when running that command on Leap 15.2.

Hello Malcolm,
I used the icmp (ping) rule as an example. On SUSE 15.2, if I set up any rich rules on this OS 15.2, the rule is not enforced after a reboot. If I run the command to add rich rules for the “ssh” service, this service can still be accessed remotely until I run the command “firewall-cmd --reload”.

On SUSE 15.4 and 15.5, it enforced the rich-rules after a reboot.

@waynedinh I meant the rpm command to look at the changelog on Leap 15.2.

You need to patch and rebuild firewalld https://bugzilla.redhat.com/show_bug.cgi?id=1434594

Looking at the commit, editing zone.py may be enough…
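
A post-boot check for the symptom reported in this thread, added here as an example and not posted by anyone in the discussion: it compares the permanent rich rules of a zone with the rules firewalld actually has loaded. The function names are hypothetical, and the script assumes that the permanent and runtime listings print a given rule identically.

```shell
#!/bin/sh
# Added example: report permanent rich rules that are not active at runtime.

# missing_rules PERMANENT RUNTIME
# Arguments are newline-separated rule lists in the format printed by
# `firewall-cmd --list-rich-rules`. Prints every permanent rule with no exact
# match in the runtime list; returns 1 if at least one is missing.
missing_rules() {
    permanent=$1 runtime=$2 status=0
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        if ! printf '%s\n' "$runtime" | grep -Fxq -- "$rule"; then
            printf '%s\n' "$rule"
            status=1
        fi
    done <<EOF
$permanent
EOF
    return "$status"
}

# check_zone ZONE: compare the live firewalld state of ZONE (needs root).
# Returns 0 = in sync, 1 = drift, 2 = firewalld not running.
check_zone() {
    zone=$1
    firewall-cmd --state >/dev/null 2>&1 || { echo "firewalld not running" >&2; return 2; }
    perm=$(firewall-cmd --permanent --zone="$zone" --list-rich-rules)
    run=$(firewall-cmd --zone="$zone" --list-rich-rules)
    if missing=$(missing_rules "$perm" "$run"); then
        echo "zone $zone: all permanent rich rules are active"
    else
        echo "zone $zone: permanent rich rules missing at runtime:" >&2
        printf '%s\n' "$missing" | sed 's/^/  /' >&2
        return 1
    fi
}

if [ "$#" -gt 0 ]; then
    check_zone "$1"
else
    # Constructed sample: the state described in the thread right after boot,
    # where the permanent rule exists but the runtime list is empty.
    missing_rules 'rule protocol value="icmp" reject' '' || true
fi
```

Run as root with the zone name as the only argument (for example `dmz`); a non-zero exit status after boot means the zone is not enforcing its permanent rules until `firewall-cmd --reload` is run.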
