Centos – firewalld service is running, but firewall-cmd doesn’t work

Tags: centos, firewalld, iptables, openvz, server-crashes

I am new to CentOS 7/server management. I am trying to figure out how to work with firewalld. My kernel release is: 2.6.32-042stab084.20 (OpenVZ)

And:

# firewall-cmd --version
0.3.9

The problem is I can't get any functionality out of firewall-cmd. Here are some of the commands I have tried:

# systemctl status firewalld -l
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
Active: active (running) since ...; 
Main PID: 120
CGroup: /system.slice/firewalld.service
       └─120 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

systemd[1]: Starting firewalld - dynamic firewall daemon...
systemd[1]: Started firewalld - dynamic firewall daemon.
firewalld[120]: ERROR: ebtables not usable, disabling ethernet bridge firewall.
firewalld[120]: ERROR: INVALID_ZONE

It seems that firewalld is running, and it is actually doing its job as a firewall, but when I try to use firewall-cmd:

# firewall-cmd --state
not running
# firewall-cmd --get-zones
[nothing happens]
# firewall-cmd --reload
[X] Server crashed and I had to request a reboot!

I have installed fail2ban and it works by adding IPs to the banned list, which I can view with: iptables -L -n.

# iptables -V
iptables v1.4.21

# iptables -nvL
Chain INPUT (policy ACCEPT 798 packets, 89141 bytes)
 pkts bytes target     prot opt in     out     source               destination
76260   14M f2b-SSH    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
69823   14M f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 725 packets, 113K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_ZONES (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_ZONES_SOURCE (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_direct (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain f2b-SSH (1 references)
 pkts bytes target     prot opt in     out     source               destination
   17  1060 REJECT     all  --  *      *       111.222.333.444      0.0.0.0/0            reject-with icmp-port-unreachable
...
...

But now I want to open a specific port for an application and I can't use firewall-cmd. So what can I do?

  • P.S.: The reason I changed my firewall client to firewalld and disabled the iptables service was that fail2ban didn't work with iptables. It just sat there and did nothing. But that's another problem!

Best Answer

The problem is you're using OpenVZ. OpenVZ is running a 2.6 kernel which does not have the capabilities that the firewalld daemon relies upon and all of the systemd changes are backported into sysvinit for OpenVZ.
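An added example, not from the question or the answer above: a small POSIX shell helper for the situation described here, where firewalld is "active" but firewall-cmd reports "not running" and a reload can hang the container. It checks whether firewall-cmd actually answers, otherwise builds an equivalent iptables rule, and appends rather than inserts so the fail2ban jumps already at the top of INPUT keep running first. The port 8080 is a constructed example, and persistence via /etc/sysconfig/iptables assumes the iptables-services package is installed.

```shell
#!/bin/sh
# Added example (not from the original post). Decide how to open a TCP port on a
# host where firewalld may be running but firewall-cmd is unusable (OpenVZ 2.6).

# Classify a "firewall-cmd --state" reply. Only the literal "running" counts;
# "not running", an empty reply or a missing binary all mean fall back to iptables.
firewalld_usable_from_state() {
    [ "$1" = "running" ]
}

# Query the live daemon, with a timeout (when available) so a hung firewall-cmd
# cannot block the script the way the reload above locked up the server.
firewalld_usable() {
    command -v firewall-cmd >/dev/null 2>&1 || return 1
    if command -v timeout >/dev/null 2>&1; then
        state=$(timeout 5 firewall-cmd --state 2>/dev/null)
    else
        state=$(firewall-cmd --state 2>/dev/null)
    fi
    firewalld_usable_from_state "$state"
}

# Print the command that opens TCP port $1 with backend $2 (firewalld|iptables).
# With iptables we APPEND (-A) to INPUT so the f2b-sshd / f2b-SSH jumps that
# fail2ban inserted at the top are still evaluated before the new ACCEPT.
open_port_cmd() {
    port=$1; backend=$2
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
    if [ "$backend" = firewalld ]; then
        echo "firewall-cmd --permanent --add-port=${port}/tcp && firewall-cmd --reload"
    else
        # /etc/sysconfig/iptables is what iptables-services restores at boot (assumption).
        echo "iptables -A INPUT -p tcp --dport ${port} -j ACCEPT && iptables-save > /etc/sysconfig/iptables"
    fi
}

main() {
    port=${1:-8080}                       # constructed example port
    if firewalld_usable; then backend=firewalld; else backend=iptables; fi
    cmd=$(open_port_cmd "$port" "$backend") || return 1
    echo "using $backend: $cmd"
    # Dry run by default; set DRY_RUN=0 to actually apply the rule as root.
    if [ "${DRY_RUN:-1}" = 0 ]; then sh -c "$cmd"; fi
    return 0
}
main "$@"
```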