Fedora Linux 18: firewalld Blocking All Ports After firewall-cmd --enable
FirewallD is very new, and as such it's going to take some time to get accustomed to.
You can begin by reading the Fedora wiki page on FirewallD, which has a complete list of its command line options/usage.
My best guess on what happened is that you accidentally put the firewall in panic mode, where it blocks all network connections. This is based on the fact that the only option to firewall-cmd which begins with --enable is --enable-panic. You will have to go to the server console or remote into the server's OOB management interface (iLO, DRAC, IPMI) to recover from this.
The correct way to add a service is with --add-service or --add-port.
@mattdm notes in a comment below that a bug has been filed against FirewallD for exactly this behavior. The bug appears to have been fixed, by removing the options --enable-panic and --disable-panic and replacing them with --panic-on and --panic-off. This has been committed and will appear in a future release.
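The mechanism behind the accident is unique-prefix expansion of long options: when only one option starts with --enable, the parser silently treats --enable as that option. The following is an added example, not firewalld's or firewall-cmd's own code. It models the page's description with Python's argparse and a small hypothetical option set (the page does not say which option library firewall-cmd used in Fedora 18, so treating argparse as the same mechanism is an assumption). It shows the expansion, the two fixes (disabling abbreviations, or renaming the options to --panic-on/--panic-off so nothing starts with --enable), and a wrapper that validates the PORT/PROTO syntax the question got wrong (5903:tcp instead of 5903/tcp).

```python
"""Added example (not firewalld code): how a unique option prefix such as
--enable expands to --enable-panic, and how to refuse that expansion.

The option set below is hypothetical, modelled on the page: the only long
option beginning with "--enable" is "--enable-panic".
"""
import argparse
import re


def build_parser(allow_abbrev=True, renamed=False):
    """Build the demo parser.

    allow_abbrev=False stops argparse expanding unique prefixes (Python 3.5+).
    renamed=True models the upstream fix described on the page: --panic-on /
    --panic-off instead of --enable-panic / --disable-panic, so no option
    starts with "--enable" any more.
    """
    p = argparse.ArgumentParser(prog="firewall-cmd-demo",
                                allow_abbrev=allow_abbrev, add_help=False)
    if renamed:
        p.add_argument("--panic-on", dest="panic_on", action="store_true")
        p.add_argument("--panic-off", dest="panic_off", action="store_true")
    else:
        p.add_argument("--enable-panic", dest="panic_on", action="store_true")
        p.add_argument("--disable-panic", dest="panic_off", action="store_true")
    p.add_argument("--add-port", metavar="PORT[-PORT]/PROTO")
    p.add_argument("--add-service", metavar="SERVICE")
    p.add_argument("--zone")
    return p


def parse(argv, allow_abbrev=True, renamed=False):
    """Parse argv leniently: unknown tokens are collected instead of aborting.

    Returns (panic_on, add_port, leftovers).
    """
    parser = build_parser(allow_abbrev, renamed)
    ns, leftovers = parser.parse_known_args(argv)
    return ns.panic_on, ns.add_port, leftovers


# firewalld port syntax is PORT[-PORT]/PROTO, e.g. 5903/tcp or 5900-5910/udp.
PORT_SPEC = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?/(tcp|udp)$")


def valid_port_spec(spec):
    """True for a well-formed port spec with ports in 1..65535 and lo <= hi."""
    m = PORT_SPEC.match(spec)
    if not m:
        return False
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    return 1 <= lo <= hi <= 65535


def safe_args(argv):
    """Return argv unchanged if it is safe to hand to a real firewall-cmd,
    otherwise raise ValueError.

    Abbreviated or unknown options are refused (no silent prefix expansion),
    and a malformed --add-port value is refused before it reaches the firewall.
    """
    panic_on, add_port, leftovers = parse(argv, allow_abbrev=False)
    if leftovers:
        raise ValueError("unknown or abbreviated option(s): %s" % " ".join(leftovers))
    if add_port is not None and not valid_port_spec(add_port):
        raise ValueError("bad port spec %r (want PORT[-PORT]/tcp or /udp)" % add_port)
    return list(argv)


if __name__ == "__main__":
    bad = ["--enable", "5903:tcp"]          # the command from the question
    print("prefix expansion:", parse(bad))                      # panic_on is True
    print("allow_abbrev=False:", parse(bad, allow_abbrev=False))  # --enable left over
    print("renamed options:", parse(bad, renamed=True))           # --enable left over
    print("correct syntax:", parse(["--zone=public", "--add-port=3310/tcp"]))
    for argv in (bad, ["--add-port=5903:tcp"], ["--zone=public", "--add-port=5903/tcp"]):
        try:
            print("accepted:", safe_args(argv))
        except ValueError as err:
            print("refused:", err)
```

Running it prints that the question's argv sets the panic flag under prefix expansion, while both fixes leave --enable unrecognised, and that the wrapper only passes through the fully spelled --zone=public --add-port=5903/tcp form.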
tiredone
Updated on September 18, 2022

Comments
-
tiredone almost 2 years
In an attempt to gain VNC access to a remote box I threw this silly command at its firewalld over ssh, i.e.
$ firewall-cmd --enable 5903:tcp
Now I cannot ssh, ping or curl the server. Whoops.
Can anybody explain what has caused this to happen? I mean surely --enable on its own would enable the firewall and its default rules (i.e. ssh access being one of them), right? As you can probably tell I didn't read the manual: fundamental human error. Also note I ran the command as a normal user, not as root or via sudo. Thanks all :(
-
tiredone over 11 years
I ran an intensive zenmap (nmap) scan on the host; it comes back as host down. This means somehow the above command killed off networkd or probably segfaulted the machine. I'll look into this some more later and attempt to give more insight as to what is going on for a clearer question.
-
tiredone over 11 years
Just to confirm: the firewall was indeed put into panic mode by the issued command. So note well that --enable == --enable-panic! To disable the mode you either issue --disable or --disable-panic to firewall-cmd.
-
tiredone over 11 years
Thank you, panic sounds very likely. I'll make a note to read the wiki through. The alternative access options sound nice since the server is far away from me. Again, much appreciated... I am totally in for it now though!
-
Michael Hampton over 11 years
Any data center that isn't horribly low budget should offer you remote console access via one of these methods, either included or as a small additional charge.
-
mattdm over 11 years
This is totally it. I filed a bug about this a few months ago, at bugzilla.redhat.com/show_bug.cgi?id=874912
-
Ross almost 11 years
To add to the answer's last line, here is the actual syntax for a given TCP port in the public zone:
sudo firewall-cmd --zone=public --add-port=3310/tcp