
Fedora 25: where is the firewall rule for sshd stored?

asked 2017-04-14 16:05:15 -0500

lovepump

Hello all,

I've recently set up a Fedora 25 server and I installed the bind-chroot package.

I set up bind over ssh as many folks will.

The name server runs great, zones load and it is working: the resolver on the server itself can query the local zone I set up, non-authoritative queries are forwarded to the upstream server and everything is copacetic, until I have another of my machines on my local network try to resolve a name.

The query times out, no servers can be reached. I sniffed the traffic with tcpdump, and the query makes it to the server, which promptly doesn't respond.

If I kill firewalld on the server (a la "systemctl stop firewalld") and then try the query from one of my other local machines again, it works wonderfully! AHA! Now I know it is the firewall just dropping the queries from the server.

OK! Let us use firewall-cmd or iptables or whatever to see where the rule for SSHD is stored (because it is working "as packaged") and then explore how to add a rule for the local net and DNS on port 53, right?

When I use firewall-cmd to explore existing zones and rules there are none. Everything comes back "empty", even the "direct" iptables access.

OK, so where is the rule for sshd "stored", which I have used to configure the server since its inception?




Let me clarify:

  1. With firewall-cmd there are zones displayed, but no rules. Especially not a rule for sshd (in any zone) which I was looking for.

  2. My sentence regarding where the DNS queries were dropped might be confusing. The server (firewalld) is dropping (dns) queries from local clients. These client queries are answered correctly and immediately when firewalld is "driven out of the picture". I do not want to do this. I want an active firewall that allows local DNS queries.

  3. I want to emphasize this is not a "bind/named/dns configuration problem". It rests solely with firewalld.

lovepump ( 2017-04-14 17:55:39 -0500 )

Assuming firewalld is running, what does the following command return? firewall-cmd --info-zone=$(firewall-cmd --get-default-zone). Please add that to your question.

thomaswood ( 2017-04-15 03:48:41 -0500 )

Ahh, OK, I can see ssh listed as a "service" and not a "port".

I had initially tried "firewall-cmd --zone=FedoraServer --list-ports" in all of the available zones, not just FedoraServer.


Perhaps now I should ask, what is the technical difference between a "service" and a "port" in this case?

Thanks thomaswood, not sure how to add karma or give you props for the comment.

lovepump ( 2017-04-16 13:47:35 -0500 )

A "service" is a set of rules to make things work. Such a rule may need to enable more than one port.

Also, remember the difference between runtime and permanent configuration change.

Also check out the --set-log-denied setting. If enabled, the firewall will log to the journal (journalctl).

villykruse ( 2018-01-12 11:27:46 -0500 )

1 Answer


answered 2018-01-12 10:09:21 -0500

Petr Menšík

As stated in the first comment, firewall-cmd can be used to add rules to the configuration.

The firewallctl command can be used as well. Run the following commands as root (prefix them with sudo).

$ firewallctl info zones -a

This will show you the active zones with the services enabled in them. You want to enable the dns service in your active zone. My output is this:

FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens3
  services: ssh dhcpv6-client samba-client dns
  ports: 1025-65535/udp 1025-65535/tcp
  masquerade: no
  rich rules:

Now you know the name of your default zone. It should be one of FedoraWorkstation or FedoraServer by default. My zone is FedoraWorkstation, so add the dns service.

$ firewallctl zone FedoraWorkstation add service dns

Now try to query your server from the outside. It should give you REFUSED answers from dig.

$ dig @yourip localhost. A

If it does work, let's save the firewall configuration to permanent storage.

$ firewallctl runtime-to-permanent

Now it should start again with that service enabled all the time.

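The answer above shows the zone dump by eye; the script below is an added example (not from the answer or from firewalld itself) that parses that same dump programmatically, checks that a required service such as dns is enabled, and flags open port ranges wider than a threshold, like the 1025-65535 ranges in the sample. The sample text is constructed from the answer's output; the threshold of 1024 ports is an assumption.

```shell
# Constructed sample: the zone dump from the answer above, in the layout
# that `firewall-cmd --info-zone=<zone>` prints (runtime configuration).
SAMPLE_ZONE='FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens3
  services: ssh dhcpv6-client samba-client dns
  ports: 1025-65535/udp 1025-65535/tcp
  masquerade: no
  rich rules: '
# Print the value of one key ("services", "ports", ...) from a dump on stdin.
zone_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"
}
# Exit 0 if service $2 is enabled in dump $1. Services, not bare ports,
# are where the packaged ssh rule from the question lives.
zone_has_service() {
    printf '%s\n' "$1" | zone_field services | tr ' ' '\n' | grep -qx "$2"
}
# Print every open port entry of dump $1 spanning more than $2 ports
# (assumed default 1024); such ranges deserve a review.
zone_wide_ports() {
    max=${2:-1024}
    printf '%s\n' "$1" | zone_field ports | tr ' ' '\n' | while IFS= read -r p; do
        [ -n "$p" ] || continue
        range=${p%/*}                       # strip the /udp or /tcp suffix
        case $range in
            *-*) lo=${range%-*}; hi=${range#*-} ;;
            *)   lo=$range; hi=$range ;;
        esac
        [ $((hi - lo + 1)) -gt "$max" ] && printf '%s\n' "$p"
    done
}
# Audit dump $1: report a missing required service $2 and any wide port
# ranges. Returns 0 when nothing was flagged, 1 otherwise.
audit_zone() {
    rc=0
    if ! zone_has_service "$1" "$2"; then
        printf 'MISSING service %s (add it, then firewall-cmd --runtime-to-permanent)\n' "$2"
        rc=1
    fi
    for p in $(zone_wide_ports "$1"); do
        printf 'WIDE port range %s\n' "$p"
        rc=1
    done
    return $rc
}
if audit_zone "$SAMPLE_ZONE" dns; then echo "zone OK"; else echo "zone needs attention"; fi
```

To audit a live system, feed the functions the output of firewall-cmd --info-zone=$(firewall-cmd --get-default-zone) instead of the constructed sample.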




Last updated: Jan 12 '18