-1

I've two machines, server1 and server2. On server2, I stop firewalld.

[root@server2 ~]# systemctl stop firewalld

From server1, nmap returns Host is up.

[root@server1 ~]$ nmap -sn server2

Starting Nmap 6.40 ( http://nmap.org ) at 2020-09-02 11:27 CDT
Nmap scan report for server2 (10.17.45.13)
Host is up (0.00045s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.01 seconds

I enable firewalld on server2.

[root@server2 ~]# systemctl start firewalld

From server1, nmap returns Host seems down, thus something with firewalld on server2 is causing nmap to return Host seems down.

[root@server1 ~]$ nmap -sn server2

Starting Nmap 6.40 ( http://nmap.org ) at 2020-09-02 11:29 CDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.01 seconds

From server1, ping/echo/ICMP works.

[root@server1 ~]$ ping -c4 server2
PING server2 (10.17.45.13) 56(84) bytes of data.
64 bytes from server2 (10.17.45.13): icmp_seq=1 ttl=64 time=0.436 ms
64 bytes from server2 (10.17.45.13): icmp_seq=2 ttl=64 time=0.388 ms
64 bytes from server2 (10.17.45.13): icmp_seq=3 ttl=64 time=0.338 ms
64 bytes from server2 (10.17.45.13): icmp_seq=4 ttl=64 time=0.390 ms

--- server2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.338/0.388/0.436/0.034 ms

Here are the firewalld settings for the public and drop zones on server2. icmp-blocks is empty, meaning no ICMP types are being blocked, and icmp-block-inversion is set to no to allow all ICMP traffic.

[root@server2 ~]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno16777984
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

[root@server2 ~]# firewall-cmd --zone=drop --list-all
drop
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

/var/log/firewalld is not logging anything for when nmap returns Host seems down.

JeremyCanfield
  • I don't know firewalld, but try to see the real iptables rules in place : iptables -L -nv. You may see that there is a filtering on INPUT which is not logged. – Dom Sep 02 '20 at 14:22
  • What is your Linux distribution and version? – Michael Hampton Sep 02 '20 at 15:43
  • @Dom - good thinking, but alas, we have iptables stopped and disabled (`systemctl stop iptables`, `systemctl disable iptables`) across all servers. – JeremyCanfield Sep 02 '20 at 17:57
  • @MichaelHampton - Both server1 and server2 are CentOS 7. Here is the output of `uname -a` -> Linux server1 3.10.0-693.11.1.el7.x86_64 #1 SMP Mon Dec 4 23:52:40 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux – JeremyCanfield Sep 02 '20 at 17:58
  • Firewallcmd is a frontend for iptables, so you can always run the system command to look at the kernel state. You need to disable the old iptables to avoid a collision between the two managers. – Dom Sep 02 '20 at 17:59
  • Please post the information that @Dom asked for. – Michael Hampton Sep 02 '20 at 18:00
  • @Dom - That's fascinating that firewalld fronts iptables. With this intel in mind, I was able to resolve this by issuing `iptables -F` on server2. If you want to post this up as an answer, I would be more than happy to upvote and accept as answer. – JeremyCanfield Sep 03 '20 at 10:06

1 Answer

1

I don't know firewallcmd, but all the filtering in Linux is done by iptables. So firewallcmd (like ufw and others) is a front-end for iptables.

You can always check the active rules in the kernel with the command `iptables -L -nv`, even if you completely disable the iptables service (as the firewall is managed by firewallcmd). If you don't disable the iptables service (or netfilter-persistent on Debian), you may have a collision between the two managers.

Dom
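The check the answer describes, and the `iptables -F` workaround from the comments, turned into a script. This is an added example and not code from the question or the answer; it compares a dump of the kernel's INPUT chain against the set of rules firewalld itself installs there and reports anything else. The firewalld rule layout in `FIREWALLD_INPUT_RULES` is assumed to be the CentOS 7 (iptables backend) one; compare it with `iptables -S INPUT` on your own host and adjust it if it differs. `SAMPLE_DUMP` is a constructed input, not the asker's real rule set, and the rule it contains is only an illustration of what a leftover rule from a second manager looks like.

```shell
#!/bin/sh
# Added example (not from the thread): report rules in the kernel's iptables
# INPUT chain that firewalld did not install, i.e. the hidden filtering the
# answer suggests looking for with `iptables -L -nv`.
# ASSUMPTION: the firewalld INPUT layout below is the CentOS 7 (iptables
# backend) one; check it against your own `iptables -S INPUT`. On a host whose
# firewalld uses the nftables backend, inspect `nft list ruleset` instead.

FIREWALLD_INPUT_RULES='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Constructed sample of `iptables -S INPUT` output (NOT the asker's real rules):
# firewalld's chain plus one stale rule left behind by another rule manager.
SAMPLE_DUMP='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j DROP
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Read an `iptables -S INPUT` dump on stdin and print every rule that is not
# one of firewalld's own. Whole-line, fixed-string comparison, so an edited
# firewalld rule is reported as foreign too.
foreign_input_rules() {
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        if ! printf '%s\n' "$FIREWALLD_INPUT_RULES" | grep -qxF -- "$rule"; then
            printf '%s\n' "$rule"
        fi
    done
}

# Number of foreign rules; 0 means only firewalld has touched INPUT.
foreign_rule_count() {
    foreign_input_rules | wc -l | tr -d ' '
}

# The collision the answer warns about: two rule managers enabled at once.
# Takes the two `systemctl is-enabled` answers as arguments so it can be
# exercised without systemd. Exit status 0 when both are "enabled".
managers_collide() {
    [ "$1" = enabled ] && [ "$2" = enabled ]
}

# Default: demo on the constructed sample. `--live`: check the running kernel
# (needs root, and iptables/systemctl on the PATH).
if [ "${1:-}" = --live ]; then
    iptables -S INPUT | foreign_input_rules
    if managers_collide "$(systemctl is-enabled iptables 2>/dev/null)" \
                        "$(systemctl is-enabled firewalld 2>/dev/null)"; then
        echo "WARNING: iptables.service and firewalld.service are both enabled"
    fi
else
    printf '%s\n' "$SAMPLE_DUMP" | foreign_input_rules
fi
```

Run it as root on server2 with `--live`; any line it prints came from somewhere other than firewalld, and `iptables -L -nv` then shows the packet counters that tell you whether that rule is actually matching. Two caveats a practitioner should keep in mind. First, `iptables -F` flushes firewalld's rules along with the stale ones and firewalld does not notice, so follow it with `firewall-cmd --reload` to put the zone policy back (or delete only the offending rule with `iptables -D`). Second, a privileged `nmap -sn` does not rely on ICMP echo alone: by default it sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request, and `nmap -sn --reason --packet-trace server2` shows which of those were sent and which got a reply, which is the quickest way to see what a working `ping` is not telling you.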