firewalld: adding zone and service won't work - direct rule works

asked 2016-02-05 10:33:40 -0500


Hi,

on my CentOS server 1.2.3.5 (example IP) I created a service called tivoli:

/etc/firewalld/services/tivoli.xml

<service>
 <short>tivoli</short>
 <description>tivoli backup service</description>
 <port port="1501" protocol="tcp"/>
</service>

and a firewalld zone called tivoli:

/etc/firewalld/zones/tivoli.xml

<zone>
 <short>tivoli</short>
 <description>tivoli adsm server</description>
 <source address="1.2.3.4"/>
 <service name="tivoli"/>
</zone>

and expected after a

$ firewall-cmd --reload

that I can connect from 1.2.3.4 to the open and listening port 1501 on 1.2.3.5, but:

$ telnet 1.2.3.5 1501
telnet: Unable to connect to remote host: No route to host

It behaves like before defining the zone and service, although an iptables -L shows all the rules and chains, which look the same as with a similar working service + zone.

In contrast, when I define a direct rule, it works as expected:

$ firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 1501 --source 1.2.3.4 -j ACCEPT

and I can connect with telnet using the same command.

So what is going wrong here? Am I missing something?


Comments

Hey, so my answer was totally wrong - you were right. That's what I get for trusting the Interwebs over some testing! Drat! Anyway, I deleted it for the sake of not having misleading information up here.

So if you determined your problem was the result of overlapping zones, posting a clear explanation as your answer and accepting it would be the right thing to do. Sorry for the bad answer! Thanks for making me chase it down.

bitwiseoperator ( 2016-02-16 22:00:58 -0500 )
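The comment above points at overlapping zones as the likely cause: a source address can only be matched by one zone, so if 1.2.3.4 is already covered by another zone's source list, the services listed in the new tivoli zone never apply to it. Below is an added example (not code from the question, the comment, or the firewalld project) that parses firewalld zone XML files and reports sources that are claimed by more than one zone, including CIDR containment. The zone files are constructed inline: the tivoli zone is the one from the question, while the "backup" and "mgmt" zones are assumed extra zones invented for the example.

```python
import glob
import ipaddress
import os
import xml.etree.ElementTree as ET

# Constructed sample zone files, keyed by the path they would have under
# /etc/firewalld/zones/. "tivoli" is the zone from the question; "backup"
# (assumed) also claims 1.2.3.0/24, which contains the tivoli client 1.2.3.4.
SAMPLE_ZONES = {
    "/etc/firewalld/zones/tivoli.xml": """<zone>
 <short>tivoli</short>
 <description>tivoli adsm server</description>
 <source address="1.2.3.4"/>
 <service name="tivoli"/>
</zone>""",
    "/etc/firewalld/zones/backup.xml": """<zone>
 <short>backup</short>
 <source address="1.2.3.0/24"/>
 <service name="ssh"/>
</zone>""",
    "/etc/firewalld/zones/mgmt.xml": """<zone>
 <short>mgmt</short>
 <source address="10.0.0.0/8"/>
 <interface name="eth1"/>
 <service name="ssh"/>
</zone>""",
}


def zone_name(path):
    """firewalld names a zone after its file: /etc/firewalld/zones/tivoli.xml -> tivoli."""
    return os.path.splitext(os.path.basename(path))[0]


def parse_zone(xml_text):
    """Return (sources, services) from one zone XML document.
    Sources are kept as ip_network objects so CIDR containment can be tested;
    non-IP sources (ipset:..., MAC addresses) are skipped."""
    root = ET.fromstring(xml_text)
    sources = []
    for src in root.iter("source"):
        addr = src.get("address")
        if addr is None:
            continue
        try:
            sources.append(ipaddress.ip_network(addr, strict=False))
        except ValueError:
            continue
    services = [s.get("name") for s in root.iter("service")]
    return sources, services


def load_zone_dir(directory="/etc/firewalld/zones"):
    """Read every *.xml zone file on a real system into the {path: text} shape
    the checkers below expect (not used by the constructed sample run)."""
    files = {}
    for path in sorted(glob.glob(os.path.join(directory, "*.xml"))):
        with open(path, encoding="utf-8") as fh:
            files[path] = fh.read()
    return files


def find_source_overlaps(zone_files):
    """Return (zone_a, zone_b, net_a, net_b) for every pair of zones whose
    source networks overlap: exact duplicates or one range inside the other."""
    parsed = {zone_name(p): parse_zone(t) for p, t in zone_files.items()}
    names = sorted(parsed)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for net_a in parsed[a][0]:
                for net_b in parsed[b][0]:
                    if net_a.version == net_b.version and net_a.overlaps(net_b):
                        overlaps.append((a, b, str(net_a), str(net_b)))
    return overlaps


def zones_matching(zone_files, client_ip):
    """Which zones' source lists cover client_ip? More than one means the
    zone that actually handles the packet is decided by firewalld's rule
    ordering, not by the file you just edited."""
    ip = ipaddress.ip_address(client_ip)
    matches = []
    for path, text in zone_files.items():
        sources, _ = parse_zone(text)
        if any(ip.version == n.version and ip in n for n in sources):
            matches.append(zone_name(path))
    return sorted(matches)


if __name__ == "__main__":
    for a, b, na, nb in find_source_overlaps(SAMPLE_ZONES):
        print(f"zone '{a}' source {na} overlaps zone '{b}' source {nb}")
    print("zones covering 1.2.3.4:", zones_matching(SAMPLE_ZONES, "1.2.3.4"))
```

On the live host, cross-check the permanent files against what the running daemon actually bound with `firewall-cmd --get-active-zones` and `firewall-cmd --get-zone-of-source=1.2.3.4`; if the latter names a zone other than tivoli, the service has to be added to that zone, or the source has to be removed from it, before the tivoli zone can take effect.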