CentOS – COMMAND_FAILED error when trying to add services to firewalld


I'm trying to add the ftp service to firewalld, and every time I run firewall-cmd --add-service=ftp (this is without the permanent flag) I get Error: COMMAND_FAILED.
If I run firewall-cmd --permanent --add-service=ftp (this is with the permanent flag), it returns success.

However after I reload the service I can't connect via ssh until I disable firewalld over rescue mode.

I'm not trying to open ssh's port. I'm just stating that I lose access to the server after running firewall-cmd --permanent --add-service=ftp and then reload with firewall-cmd --reload.

Best Answer

Indeed, this happens with the grs kernel on CentOS 7. Actually, your question includes the answer. In order to eliminate the problem you need to avoid using the command firewall-cmd --permanent --zone=public --add-service=ftp when opening firewalld ports, or remove it if it is already there with firewall-cmd --permanent --remove-service=ftp. This solves the issue!

You can use the command firewall-cmd --permanent --zone=public --add-port=21/tcp though, so you can have port 21 open if you want.

The explanation is that firewalld tries to load the nf_conntrack_ftp kernel module, even when module support is disabled, and in the grs kernel this module is indeed disabled.

I can guess that even if you don't use a grs kernel, you have the nf_conntrack_ftp kernel module disabled. If you reverse this reasoning, you could enable this module, but I am not sure if you can, and I have not tried this solution that looks obvious to me.

This also solves the problem of being locked out after firewall-cmd --reload when service=ftp is added in firewalld, which in fact is the problem I had with the grs kernel.
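The following is an added example, not code from the question or the answer above. It turns the answer's advice into a checked procedure: inspect the permanent zone XML for a leftover service=ftp entry, test whether nf_conntrack_ftp can actually be loaded on this kernel, and only then emit the firewall-cmd commands (remove the service, open 21/tcp instead, reload), refusing to reload at all if ssh is not in the zone. The zone name "public", the zone file locations /etc/firewalld/zones/public.xml and /usr/lib/firewalld/zones/public.xml, and the sample zone file are assumptions; the sample XML is constructed for the dry run and is not taken from anyone's server.

```bash
#!/usr/bin/env bash
# Added example, not from the original question or answer.
# Assumptions: zone "public"; permanent zone config in
# /etc/firewalld/zones/public.xml (firewalld writes it once the zone has
# been modified), falling back to the shipped default in /usr/lib/firewalld.
set -u

ZONE=${ZONE:-public}
ZONE_FILE=${ZONE_FILE:-/etc/firewalld/zones/$ZONE.xml}
[ -r "$ZONE_FILE" ] || ZONE_FILE=/usr/lib/firewalld/zones/$ZONE.xml

# Return 0 if the zone XML enables the named service.
# firewalld stores permanent services as <service name="ftp"/> entries.
zone_has_service() {
  local zone_file=$1 svc=$2
  [ -r "$zone_file" ] || return 1
  grep -Eq "<service[[:space:]]+name=\"${svc}\"[[:space:]]*/?>" "$zone_file"
}

# Return 0 if nf_conntrack_ftp is loaded or can be loaded. The ftp service
# definition makes firewalld pull this helper in, so on a kernel where the
# module is missing or module loading is disabled, --add-service=ftp fails.
ftp_helper_available() {
  grep -q '^nf_conntrack_ftp ' /proc/modules 2>/dev/null && return 0
  modprobe nf_conntrack_ftp >/dev/null 2>&1   # needs root; fails if unavailable
}

# Print the firewall-cmd commands to run. Args: zone XML path, and "yes"/"no"
# for helper availability (passed in explicitly so the decision can be
# exercised without root). Never plans a --reload while ssh is not in the zone.
plan_ftp_rules() {
  local zone_file=$1 helper_ok=$2
  if ! zone_has_service "$zone_file" ssh; then
    echo "ssh is not enabled in $zone_file; fix that before running --reload" >&2
    return 1
  fi
  if [ "$helper_ok" = yes ]; then
    echo "firewall-cmd --permanent --zone=$ZONE --add-service=ftp"
  else
    # Drop the entry that makes --reload fail, open the bare port instead.
    if zone_has_service "$zone_file" ftp; then
      echo "firewall-cmd --permanent --zone=$ZONE --remove-service=ftp"
    fi
    echo "firewall-cmd --permanent --zone=$ZONE --add-port=21/tcp"
  fi
  echo "firewall-cmd --reload"
}

# Constructed sample zone file in the shape firewalld writes, for dry runs.
write_sample_zone() {
  cat >"$1" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="ftp"/>
</zone>
EOF
}

# Usage: ./ftp-rules.sh --plan   -> print the commands for this host
#        ./ftp-rules.sh --apply  -> run them (as root)
if [ "${1:-}" = --apply ] || [ "${1:-}" = --plan ]; then
  if ftp_helper_available; then helper=yes; else helper=no; fi
  plan=$(plan_ftp_rules "$ZONE_FILE" "$helper") || exit 1
  if [ "$1" = --apply ]; then
    printf '%s\n' "$plan" | while IFS= read -r cmd; do
      echo "+ $cmd"
      sh -c "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done || exit 1
  else
    printf '%s\n' "$plan"
  fi
fi
```

Run it with --plan first and read the output; the point of planning before applying is that a --reload with a broken permanent entry is exactly what cut off ssh in the question, so the commands that touch the permanent config are printed and checked before anything is reloaded.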
