I am new to CentOS 7/server management. I am trying to figure out how to work with firewalld. My kernel release is: 2.6.32-042stab084.20 (OpenVZ)
And:
#firewall-cmd --version
#0.3.9
The problem is I can't get any functionality out of firewall-cmd. Here are some of the commands I have tried:
# systemctl status firewalld -l
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
Active: active (running) since ...;
Main PID: 120
CGroup: /system.slice/firewalld.service
└─120 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
systemd[1]: Starting firewalld - dynamic firewall daemon...
systemd[1]: Started firewalld - dynamic firewall daemon.
firewalld[120]: ERROR: ebtables not usable, disabling ethernet bridge firewall.
firewalld[120]: ERROR: INVALID_ZONE
It seems that firewalld is running, and actually it is doing its job as a firewall. But when I try to use firewall-cmd:
# firewall-cmd --state
not running
#firewall-cmd --get-zones
#[nothing happens]
#firewall-cmd --reload
[X]Server crashed and I had to request a reboot!
I have installed fail2ban and it works by adding IPs to banned list which I can view by: iptables -L -n.
# iptables -V
#iptables v1.4.21
# iptables -nvL
Chain INPUT (policy ACCEPT 798 packets, 89141 bytes)
pkts bytes target prot opt in out source destination
76260 14M f2b-SSH tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
69823 14M f2b-sshd tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 725 packets, 113K bytes)
pkts bytes target prot opt in out source destination
Chain INPUT_ZONES (0 references)
pkts bytes target prot opt in out source destination
Chain INPUT_ZONES_SOURCE (0 references)
pkts bytes target prot opt in out source destination
Chain INPUT_direct (0 references)
pkts bytes target prot opt in out source destination
Chain f2b-SSH (1 references)
pkts bytes target prot opt in out source destination
17 1060 REJECT all -- * * 111.222.333.444 0.0.0.0/0 reject-with icmp-port-unreachable
...
...
But now I want to open a specific port for an application and I can't use firewall-cmd. So what can I do?
P.S.: The reason I changed my firewall client to firewalld and disabled the iptables service was that fail2ban didn't work with iptables. It just sat there and did nothing. But that's another problem!
Best Answer
The problem is you're using OpenVZ. OpenVZ is running a 2.6 kernel which does not have the capabilities that the firewalld daemon relies upon, and all of the systemd changes are backported into sysvinit for OpenVZ.
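For the practical side of the question (opening one port when firewall-cmd reports "not running"), here is an added example script, not part of the question or the answer, that falls back to iptables directly. It assumes CentOS 7 with iptables 1.4.x, that fail2ban's f2b-* jumps sit at the top of INPUT as in the listing above, and that the iptables-services package is installed so that /etc/sysconfig/iptables is the place to persist rules; DRY_RUN=1 only prints the commands.

```shell
# Added example: open a TCP port with iptables when firewalld is unusable.
# Assumptions: CentOS 7, iptables 1.4.x, iptables-services owning
# /etc/sysconfig/iptables. DRY_RUN=1 prints commands instead of running them.
DRY_RUN="${DRY_RUN:-0}"

run() {                                  # execute, or echo when DRY_RUN=1
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# firewalld is only usable when firewall-cmd itself says "running"; a systemd
# unit that is "active" but logged INVALID_ZONE still answers "not running".
firewalld_state_ok() { [ "$1" = "running" ]; }
firewalld_usable() {
    state=$(firewall-cmd --state 2>/dev/null) || return 1
    firewalld_state_ok "$state"
}

# A port is an integer in 1..65535 and nothing else (rejects "22;reboot" etc.).
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

persist_rules() {                        # survive a reboot (iptables-services)
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables-save > /etc/sysconfig/iptables"
    else
        iptables-save > /etc/sysconfig/iptables
    fi
}

# Append (-A), do not insert (-I): fail2ban's jumps to the f2b-* chains sit at
# the top of INPUT and must keep seeing the traffic before the ACCEPT rule.
# -C first makes the call idempotent when run again after a fail2ban restart.
open_tcp_port() {
    port="$1"
    valid_port "$port" || { echo "invalid port: $port" >&2; return 2; }
    if [ "$DRY_RUN" != "1" ] &&
       iptables -C INPUT -p tcp --dport "$port" -j ACCEPT 2>/dev/null; then
        echo "rule for tcp/$port already present"; return 0
    fi
    run iptables -A INPUT -p tcp --dport "$port" -j ACCEPT || return 1
    persist_rules
}

# Usage: DRY_RUN=1 sh open_port.sh 8080   (drop DRY_RUN and run as root to apply)
if [ $# -eq 1 ]; then
    if firewalld_usable; then
        echo "firewalld answers; use: firewall-cmd --permanent --add-port=$1/tcp" >&2
    else open_tcp_port "$1"; fi
fi
```

Because the INPUT policy in the listing is ACCEPT, the appended rule only matters once a DROP policy or a final REJECT rule is added; the -C check keeps it from being duplicated each time the script runs.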