
I'm doing the pilot for deploying Fedora 20, and despite having external firewall protection, regulations here say I need to have the individual firewalls on every host active.

Now firewalld is the new king here, so I'm learning its ways.

Now I have a cleaned-up list of ports; after declaring a (non-public) default zone and some typical services, plus a specific service, it seems to run fine.

However, when applying any change (--permanent mode), and reloading the firewall with:

# firewall-cmd --reload

it takes far too long, on the order of 10+ minutes, for the command to finish - which it does merrily with "success". The computer is basically unusable during all this time, as there is a loss of connectivity.

But after that, it just runs as expected.

Logs are not helpful so far...

Starting/stopping the service works just fine, done within 1~2 seconds, as one would expect.

Is there anything I could be missing/omitting? How could this annoying behavior be troubleshot?

Thanks

David Ramirez
  • firewalld is really not ready for prime time. I have been recommending people just install `iptables-services` and use the old ways. – Michael Hampton Apr 08 '14 at 22:47
  • Other computers in my network with the same configuration are reloading just fine (max. 5") - so I guess this may be related to some hanging connection that takes a long time to time out... investigating... – David Ramirez Apr 14 '14 at 16:55

1 Answer

About troubleshooting, this explains how to enable debugging info in firewalld:

https://lists.fedorahosted.org/pipermail/firewalld-users/2013-February/000049.html

Maybe you could also try:

# firewall-cmd --complete-reload

From the firewall-cmd manpage:

Reload firewall completely, even netfilter kernel modules. This will most likely terminate active connections, because state information is lost. This option should only be used in case of severe firewall problems. For example if there are state information problems that no connection can be established with correct firewall rules.

If the --complete-reload turns out to be faster, it could be in favor of your theory of the hanging connection.

Brancomat
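A way to test the answer's two suggestions side by side, as an added example that is not part of the original answer or of firewalld itself: it times a plain reload against a complete reload, counts conntrack entries before and after, and dumps what firewalld logged in between. It assumes root on a Fedora host with firewall-cmd and journalctl; the helper names time_cmd, classify_reload and conntrack_count are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer or the firewalld project):
# time firewalld's two reload modes and capture the log around them.
# Assumptions: run as root on a host with firewall-cmd and journalctl;
# the helpers time_cmd, classify_reload and conntrack_count are hypothetical.

# Run a command, discard its output, and print the elapsed wall-clock seconds.
# The command's exit status is preserved so callers can still check it.
time_cmd() {
    local start end rc
    start=$(date +%s)
    if "$@" >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    end=$(date +%s)
    echo $((end - start))
    return "$rc"
}

# Classify a reload time: "fast" if at or under the threshold (default 5 s,
# the worst case the poster saw on healthy hosts), otherwise "slow".
classify_reload() {
    local seconds=$1 threshold=${2:-5}
    if [ "$seconds" -le "$threshold" ]; then
        echo fast
    else
        echo slow
    fi
}

# Number of tracked connections, or n/a if nf_conntrack is not loaded.
conntrack_count() {
    cat /proc/sys/net/netfilter/nf_conntrack_count 2>/dev/null || echo n/a
}

# Only run the live diagnosis when we really are root on a firewalld host;
# this keeps the file safe to source elsewhere.
if [ "$(id -u)" -eq 0 ] && command -v firewall-cmd >/dev/null 2>&1; then
    since=$(date '+%Y-%m-%d %H:%M:%S')

    echo "conntrack entries before reload: $(conntrack_count)"

    t_reload=$(time_cmd firewall-cmd --reload)
    echo "firewall-cmd --reload: ${t_reload}s ($(classify_reload "$t_reload"))"

    # --complete-reload also unloads the netfilter modules, so state is lost
    # and established connections drop; only use it on a host you can afford
    # to disconnect, as the manpage warns.
    t_complete=$(time_cmd firewall-cmd --complete-reload)
    echo "firewall-cmd --complete-reload: ${t_complete}s ($(classify_reload "$t_complete"))"

    echo "conntrack entries after reload: $(conntrack_count)"

    if [ "$t_complete" -lt "$t_reload" ]; then
        echo "complete reload was faster: consistent with retained state slowing the plain reload"
    fi

    # Whatever firewalld logged while we were timing it; after enabling debug
    # output as the linked mailing-list post describes, this is where it shows up.
    journalctl -u firewalld --since "$since" --no-pager
fi
```

Run it as root on the slow host. If the complete reload comes back in seconds while the plain one still takes minutes, that points at retained state rather than rule loading, which is the hanging-connection theory from the comments. Because --complete-reload drops every established connection, run it from a console or a session you can afford to lose.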