The Problem
Opening a new port or adding a service in firewalld fails silently: the change is accepted without error, but the port is unreachable. On the server, port 80 shows as open in the active zone:
# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens3
sources:
services: cockpit dhcpv6-client ssh
ports: 80/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
But when connecting from another host, the following error is reported:
$ nc -v [SERVER_IP_ADDRESS] 80
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: No route to host.
The Solution
By default, the firewalld backend is nftables. Direct rules used by firewalld can change how the ruleset is applied:
Direct rules that ACCEPT packets don’t actually cause the packets to be immediately accepted by the system. Those packets are still subject to firewalld’s nftables ruleset. For direct rules that DROP packets, the packets are immediately dropped. If a general DROP or REJECT rule is configured as the last direct rule, it will cause all of firewalld’s nftables rules to be ignored.
The last line of the following output is one example of such a rule:
# iptables -vnxL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2133 309423 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
27 1620 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
10 524 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
93 4740 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
It can also be verified that this rule comes from the firewalld direct rules:
# grep -B4 INPUT /etc/firewalld/direct.xml
<?xml version="1.0" encoding="utf-8"?>
<direct>
<passthrough ipv="ipv4">-N BareMetalInstanceServices</passthrough>
<passthrough ipv="ipv4">-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT</passthrough>
<passthrough ipv="ipv4">-A INPUT -p icmp -j ACCEPT</passthrough>
<passthrough ipv="ipv4">-A INPUT -i lo -j ACCEPT</passthrough>
<passthrough ipv="ipv4">-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT</passthrough>
<passthrough ipv="ipv4">-A INPUT -j REJECT --reject-with icmp-host-prohibited</passthrough>
Verify whether the direct rules are really needed; the important rules are probably already covered by firewalld’s “normal” zone rules. To remove the direct rules completely, remove (or move aside) the file /etc/firewalld/direct.xml:
# mv /etc/firewalld/direct.xml /etc/firewalld/direct.xml_bck
If direct rules are needed, remove only the last-resort catch-all REJECT rule from the direct rules and configure that policy in firewalld’s own nftables rules instead.
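The following is an added example, not part of the original article: a small POSIX shell check that reads a firewalld direct.xml from standard input and reports whether the last "-A INPUT" passthrough is a catch-all REJECT or DROP, the exact pattern that makes the nftables backend discard traffic to ports the zones have opened. The XML embedded below is a constructed sample mirroring the file quoted above; on a real host the input would be /etc/firewalld/direct.xml.

```shell
#!/bin/sh
# Added example (not from the original article): detect a catch-all
# REJECT/DROP passthrough at the end of the INPUT chain in firewalld's
# direct rules. With the nftables backend such a rule is applied before
# firewalld's own rules, so ports opened in a zone (e.g. 80/tcp) still
# answer "No route to host".

# Constructed sample mirroring the direct.xml quoted in the article.
SAMPLE_DIRECT_XML='<?xml version="1.0" encoding="utf-8"?>
<direct>
  <passthrough ipv="ipv4">-N BareMetalInstanceServices</passthrough>
  <passthrough ipv="ipv4">-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT</passthrough>
  <passthrough ipv="ipv4">-A INPUT -p icmp -j ACCEPT</passthrough>
  <passthrough ipv="ipv4">-A INPUT -i lo -j ACCEPT</passthrough>
  <passthrough ipv="ipv4">-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT</passthrough>
  <passthrough ipv="ipv4">-A INPUT -j REJECT --reject-with icmp-host-prohibited</passthrough>
</direct>'

# find_terminal_input_rule
# Reads direct.xml on stdin, extracts every "-A INPUT ..." passthrough in
# file order and looks at the last one. If that rule jumps straight to
# REJECT or DROP with no match (no -p, -s, -i, -m ...), it is a catch-all
# that swallows traffic for any port firewalld's zones open. Prints the
# rule and returns 0 when found; prints nothing and returns 1 otherwise.
find_terminal_input_rule() {
    last=$(sed -n 's/.*<passthrough[^>]*>\(-A INPUT [^<]*\)<\/passthrough>.*/\1/p' | tail -n 1)
    [ -n "$last" ] || return 1
    case "$last" in
        "-A INPUT -j REJECT"*|"-A INPUT -j DROP"*)
            printf '%s\n' "$last"
            return 0 ;;
    esac
    return 1
}

# Run the check against the constructed sample. On a real host:
#   find_terminal_input_rule < /etc/firewalld/direct.xml
if rule=$(printf '%s\n' "$SAMPLE_DIRECT_XML" | find_terminal_input_rule); then
    echo "catch-all direct rule on INPUT: $rule"
    echo "ports opened in firewalld zones will be rejected before the nftables rules run"
else
    echo "no catch-all REJECT/DROP direct rule on INPUT"
fi
```

Any direct-rule change made to the permanent configuration (editing or moving direct.xml, or using firewall-cmd --permanent --direct ...) only takes effect after firewall-cmd --reload, so re-run the nc test from the remote host after the reload, not before.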