
I have a CentOS server that I recently ran yum-update on and the only update was to centos-release. I applied the update and ever since FirewallD has been throwing errors.

I uninstalled and reinstalled the package, thinking I may have just broken the configuration, but now any time I try to start FirewallD with the service command I am told the service failed and given the following output:

Dec 17 15:54:57 DMZ01 systemd[1]: Starting firewalld - dynamic firewall daemon...
-- Subject: Unit firewalld.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit firewalld.service has begun starting up.
Dec 17 15:54:57 DMZ01 systemd[1]: firewalld.service: main process exited, code=exited, status=1/FAILURE
Dec 17 15:54:57 DMZ01 systemd[1]: Failed to start firewalld - dynamic firewall daemon.
-- Subject: Unit firewalld.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit firewalld.service has failed.
-- 
-- The result is failed.
Dec 17 15:54:57 DMZ01 systemd[1]: Unit firewalld.service entered failed state.
Dec 17 15:54:57 DMZ01 systemd[1]: firewalld.service failed.

Running any firewall-cmd commands simply tells me Firewalld is not running.

The result of `cat /etc/centos-release` is: CentOS Linux release 7.9.2009 (Core)

Running the firewalld command with the --debug argument immediately terminates my connection to the server and locks all incoming connections out. I have to manually restart the server in order to regain entry.

The output of the debug command dumps to /var/log/firewalld and can be viewed here: https://pastebin.com/N81tWkhj

Contents of /etc/firewalld/zones/public.xml:

<?xml version="1.0" encoding="utf-8"?>
<zone target="default">
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <port protocol="tcp" port="21"/>
  <port protocol="tcp" port="60000-65335"/>
</zone>
Xenology
  • The logs you have linked to do not correspond to the attempted start of firewalld shown above. (And really don't show much useful anyway.) Please show the corresponding logs instead. Also include a copy of `/etc/firewalld/zones/public.xml`. – Michael Hampton Dec 17 '20 at 23:30
  • @MichaelHampton what relevant logs should I include? I've added the contents of the public.xml – Xenology Dec 18 '20 at 01:53
  • You showed firewalld failing to start. Include the firewalld logs corresponding to that specific attempt to start firewalld. – Michael Hampton Dec 18 '20 at 03:49
  • @MichaelHampton it's looking like SELinux is what's stopping the firewall service from running on that machine. I'm trying to figure out how to configure the two to work together. – Xenology Dec 23 '20 at 17:39
  • Do you want help with that? You didn't edit your question. – Michael Hampton Dec 23 '20 at 18:37
  • @MichaelHampton What ended up being the culprit was that log files in /var/log had the incorrect SELinux contexts applied. Somewhere in a systems upgrade they all got overwritten, so firewalld was not able to open its log file due to SELinux not thinking it should be able to. After contextualizing the log file permissions correctly in SELinux, I was able to start firewalld. – Xenology Dec 28 '20 at 23:59
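A small triage helper for the root cause reported in the last comment (firewalld denied access to a mislabelled file under /var/log). This is an added example, not code from the post: the audit lines below are constructed, and the wrong label `var_log_t` on `/var/log/firewalld` is an assumption, since the post does not say which context the files ended up with.

```python
import re

# Constructed sample of /var/log/audit/audit.log (not from the original post).
# On a live system the equivalent lines come from: ausearch -m AVC -c firewalld
SAMPLE_AUDIT = """\
type=AVC msg=audit(1608220497.101:312): avc:  denied  { open } for  pid=1422 comm="firewalld" path="/var/log/firewalld" dev="dm-0" ino=67149 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1608220497.101:312): arch=c000003e syscall=257 success=no exit=-13 comm="firewalld"
type=AVC msg=audit(1608220497.101:313): avc:  denied  { append } for  pid=1422 comm="firewalld" path="/var/log/firewalld" dev="dm-0" ino=67149 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1608220501.555:320): avc:  denied  { read } for  pid=1500 comm="sshd" path="/etc/motd" dev="dm-0" ino=1201 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
"""

# Kernel AVC record layout: "avc: denied { perms } for pid=N comm="x" [path="..."] ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)"'
    r'(?: path="(?P<path>[^"]+)")?.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # A context is user:role:type:level; the type is what the policy decides on.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def firewalld_denials(audit_text, comm="firewalld"):
    """Keep only denials whose source process is firewalld."""
    return [r for r in map(parse_avc, audit_text.splitlines()) if r and r["comm"] == comm]


def summarize(denials):
    """Group by (denied path, its current type) and merge the denied permissions."""
    out = {}
    for d in denials:
        out.setdefault((d["path"], d["ttype"]), set()).update(d["perms"])
    return out


def relabel_commands(denials):
    """One restorecon per distinct denied path; `restorecon -nv` first shows what would change."""
    return [f"restorecon -v {p}" for p in sorted({d["path"] for d in denials if d["path"]})]


if __name__ == "__main__":
    hits = firewalld_denials(SAMPLE_AUDIT)
    for (path, ttype), perms in summarize(hits).items():
        print(f"{path}: labelled {ttype}, denied {sorted(perms)} (compare with: matchpathcon {path})")
    print("\n".join(relabel_commands(hits)))
```

`matchpathcon` prints the label the policy expects for a path, so a mismatch with the `ttype` reported here confirms a relabelling problem rather than a missing policy rule.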

0 Answers