What disables my firewall?

I noticed a strange thing.
I tried to get into YaST->Firewall but I couldn’t.
I checked running services in YaST and firewalld was inactive (dead), even though it should start on boot.
I started this service in YaST, but on later start-ups of the system it is the same. Firewalld is dead.

Here is some output:

sudo rcfirewalld status

[sudo] password for root:
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
Active: inactive (dead)
Docs: man:firewalld(1)

sudo /sbin/rcSuSEfirewall2 status

● SuSEfirewall2.service - SuSEfirewall2 phase 2
Loaded: loaded (/usr/lib/systemd/system/SuSEfirewall2.service; enabled; vendor preset: disabled)
Active: active (exited) since Wed 2019-03-06 16:01:35 CET; 1h 6min ago
Process: 1282 ExecStart=/usr/sbin/SuSEfirewall2 boot_setup (code=exited, status=0/SUCCESS)
Main PID: 1282 (code=exited, status=0/SUCCESS)
Tasks: 0 (limit: 4915)
CGroup: /system.slice/SuSEfirewall2.service

Mar 06 16:01:34 linux-jotu systemd[1]: Starting SuSEfirewall2 phase 2…
Mar 06 16:01:34 linux-jotu SuSEfirewall2[1282]: Setting up rules from /etc/sysconfig/SuSEfirewall2 …
Mar 06 16:01:34 linux-jotu SuSEfirewall2[1282]: using default zone ‘ext’ for interface eth1
Mar 06 16:01:35 linux-jotu SuSEfirewall2[1282]: Firewall rules successfully set
Mar 06 16:01:35 linux-jotu systemd[1]: Started SuSEfirewall2 phase 2.

How to fix it?

firewalld is not the same as SuSEFW2.

firewalld is the default firewall configuration manager today.
SuSEFW2 is the old way which is not recommended anymore, but is likely still present for those who still must or want to use the old tool.

When you run the YaST firewall module the first time, it’s supposed to install firewall-config which is the graphical tool to manage firewalld.

To configure a systemd service to start automatically on boot, the service has to be enabled as follows (note in your posted firewalld Unit file that the service is “disabled” by default). And don’t use “rc” commands anymore; those will still work for services that still have an init configuration, but won’t for others and may disappear eventually (i.e., if the code is completely re-written).

systemctl enable firewalld.service

HTH,
TSU

Please check that the following packages are installed:

  • firewalld
  • firewalld-lang
  • python3-firewall
  • yast2-firewall
  • firewall-config
  • firewall-macros

Please check that the following packages are not installed:

  • SuSEfirewall2
  • SuSEfirewall2-fail2ban

Please check that the systemd Firewall service is properly enabled:


 > systemctl list-unit-files | grep -i 'firewall'
dbus-org.fedoraproject.FirewallD1.service                        enabled
firewalld.service                                                enabled
 >

Any systemd service which deals with the SuSEfirewall is an indication that the SuSEfirewall packages have not been cleanly removed …

Thanks

@tsu2
I did what you said

systemctl enable firewalld.service

but after rebooting it is the same:

systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
Active: inactive (dead)
Docs: man:firewalld(1)

@dcurtisfra

I do have all those packages.
And here is output

systemctl list-unit-files | grep -i 'firewall'
dbus-org.fedoraproject.FirewallD1.service enabled
firewalld.service enabled

I just remembered that a few weeks ago I was installing a Brother printer to print over the network. Maybe it has something to do with it?

Post the results of the following

systemctl status firewalld.service

TSU

Here it is:

systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2019-03-07 07:22:01 CET; 8min ago
Docs: man:firewalld(1)
Main PID: 1133 (firewalld)
Tasks: 2 (limit: 4915)
CGroup: /system.slice/firewalld.service
└─1133 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid

Mar 07 07:21:53 linux-jotu systemd[1]: Starting firewalld - dynamic firewall daemon…
Mar 07 07:22:01 linux-jotu systemd[1]: Started firewalld - dynamic firewall daemon.

I think it started working - I guess - after removing SuSEfirewall2.

Yes, but even if SuSEFW2 is installed on your system, as long as you don’t start it up there won’t be a conflict.
Glad to see you’re working now.

TSU
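
The state discussed in this thread (SuSEfirewall2 and firewalld both enabled at boot) can be checked for in a script. The following is an added example, not code from the thread or from any openSUSE tool; the function names and the sample listings are constructed for illustration, and the input is assumed to be in the two-column format of `systemctl list-unit-files`.

```shell
#!/bin/sh
# Added example: detect two firewall managers that are both enabled at boot.

# Print the enabled firewalld / SuSEfirewall2 service units found in a
# `systemctl list-unit-files` listing read from stdin (column 1 = unit,
# column 2 = state). The D-Bus alias for firewalld is deliberately ignored.
enabled_firewall_units() {
    awk '$2 == "enabled" && ($1 == "firewalld.service" || $1 ~ /^SuSEfirewall2/) { print $1 }'
}

# Classify a listing read from stdin. Prints one of:
#   conflict | firewalld-only | susefirewall2-only | none
# Returns 1 on "conflict" so the function can gate a scripted check.
check_firewall_conflict() {
    units=$(enabled_firewall_units)
    fwd=0; sfw=0
    for u in $units; do
        case "$u" in
            firewalld.service) fwd=1 ;;
            SuSEfirewall2*)    sfw=1 ;;
        esac
    done
    if [ "$fwd" -eq 1 ] && [ "$sfw" -eq 1 ]; then
        echo conflict; return 1
    elif [ "$fwd" -eq 1 ]; then echo firewalld-only
    elif [ "$sfw" -eq 1 ]; then echo susefirewall2-only
    else echo none
    fi
}

# Constructed sample listings (not captured output).
SAMPLE_BEFORE='SuSEfirewall2.service                      enabled
dbus-org.fedoraproject.FirewallD1.service  enabled
firewalld.service                          enabled
sshd.service                               enabled'

SAMPLE_AFTER='dbus-org.fedoraproject.FirewallD1.service  enabled
firewalld.service                          enabled
sshd.service                               enabled'

printf 'before: %s\n' "$(printf '%s\n' "$SAMPLE_BEFORE" | check_firewall_conflict)"
printf 'after:  %s\n' "$(printf '%s\n' "$SAMPLE_AFTER" | check_firewall_conflict)"
# On a live system:
#   systemctl list-unit-files --type=service --no-legend | check_firewall_conflict
```

The check looks only at the enabled state of the units, so it flags the configuration before the next reboot rather than after firewalld is found dead.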