Firewalld Rules – How to Save Firewalld Rules with --permanent


I just installed Fedora 23 Server. I have a single zone created by default:

# firewall-cmd --get-active-zones
FedoraServer
  interfaces: eth0

If I add a service to this zone, it works fine:

# firewall-cmd --zone=FedoraServer --add-service=http
success

# firewall-cmd --zone=FedoraServer --list-all
FedoraServer (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client http ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

But it is lost when running firewall-cmd --reload.

If I try to make it permanent as suggested in this answer, I get the following error:

# firewall-cmd --zone=FedoraServer --add-service=http --permanent
Error: INVALID_SERVICE: 'cockpit' not among existing services

I'm surprised as this is a fresh installation from an OVH template.

How do I work around this error?

Best Answer

As suggested by Michael Hampton in the comments, this seems to be specific to the OVH Fedora 23 Server template.

I searched for cockpit in /etc, and found the following file:

/etc/firewalld/zones/FedoraServer.xml

Which contains the following lines:

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="cockpit"/>
</zone>

I removed this line and saved the file:

<service name="cockpit"/>

And it now works!

They basically seem to have added a default service to firewalld that is not installed in their template.
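An added check, not from the question or the answer, that does the same lookup firewalld performs when it refuses the permanent change: it lists every service named in a zone file that has no service definition file. It assumes firewalld's standard service directories (/etc/firewalld/services and /usr/lib/firewalld/services); the zone and services directory in the demo are constructed inline.

```shell
#!/bin/sh
# Added example, not from the original answer: find <service name="..."/> entries in a
# firewalld zone file that have no service definition. firewalld looks a service name up
# as NAME.xml in /etc/firewalld/services (local) and /usr/lib/firewalld/services (shipped);
# a zone naming a service with no such file fails with INVALID_SERVICE on --permanent
# operations, which is the error in the question.

# Print the service names referenced by the zone file given as $1, one per line.
zone_services() {
    sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$1"
}

# Print the services referenced in zone file $1 that are defined in none of the
# service directories $2 $3 ... (defaults to firewalld's own lookup directories).
missing_services() {
    zone="$1"; shift
    if [ $# -eq 0 ]; then
        set -- /etc/firewalld/services /usr/lib/firewalld/services
    fi
    zone_services "$zone" | while read -r name; do
        found=0
        for dir in "$@"; do
            if [ -f "$dir/$name.xml" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then echo "$name"; fi
    done
}

# Constructed demo: the answer's zone checked against a services dir that lacks cockpit.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/services"
    printf '<service><short>SSH</short><port protocol="tcp" port="22"/></service>\n' \
        > "$tmp/services/ssh.xml"
    printf '<service><short>DHCPv6 Client</short><port protocol="udp" port="546"/></service>\n' \
        > "$tmp/services/dhcpv6-client.xml"
    cat > "$tmp/FedoraServer.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="cockpit"/>
</zone>
EOF
    missing_services "$tmp/FedoraServer.xml" "$tmp/services"
    rm -rf "$tmp"
}

demo
```

Run with no arguments after the zone path to check a real zone file against the live service directories; any name it prints is one a --permanent operation will reject.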
