
I have a Red Hat 8 server. On it, I have used firewall-cmd --permanent --zone=public --add-service=https to enable public traffic to the server. When I systemctl start firewalld, this works as expected. However, every 10 minutes or so, the daemon gets stopped. I'm not doing this myself, so I assume some other part of systemd is doing this. Here is the output from journalctl --unit firewalld --pager-end. Notably, the time between starts and stops is sometimes higher than 10 minutes, so whatever is happening is not happening every 10 minutes precisely:

Dec 27 22:12:53 my.server.domain systemd[1]: Starting firewalld - dynamic firewall daemon...
Dec 27 22:12:53 my.server.domain systemd[1]: Started firewalld - dynamic firewall daemon.
Dec 27 22:12:53 my.server.domain firewalld[165220]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please conside>
Dec 27 22:38:50 my.server.domain systemd[1]: Stopping firewalld - dynamic firewall daemon...
Dec 27 22:38:50 my.server.domain systemd[1]: firewalld.service: Succeeded.
Dec 27 22:38:50 my.server.domain systemd[1]: Stopped firewalld - dynamic firewall daemon.
Dec 27 23:16:34 my.server.domain systemd[1]: Starting firewalld - dynamic firewall daemon...
Dec 27 23:16:34 my.server.domain systemd[1]: Started firewalld - dynamic firewall daemon.
Dec 27 23:16:35 my.server.domain firewalld[486273]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please conside>
Dec 27 23:38:49 my.server.domain systemd[1]: Stopping firewalld - dynamic firewall daemon...
Dec 27 23:38:50 my.server.domain systemd[1]: firewalld.service: Succeeded.
Dec 27 23:38:50 my.server.domain systemd[1]: Stopped firewalld - dynamic firewall daemon.
Dec 28 02:59:38 my.server.domain systemd[1]: Starting firewalld - dynamic firewall daemon...
Dec 28 02:59:39 my.server.domain systemd[1]: Started firewalld - dynamic firewall daemon.
Dec 28 02:59:39 my.server.domain firewalld[1607080]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consid>
Dec 28 03:08:50 my.server.domain systemd[1]: Stopping firewalld - dynamic firewall daemon...
Dec 28 03:08:51 my.server.domain systemd[1]: firewalld.service: Succeeded.
Dec 28 03:08:51 my.server.domain systemd[1]: Stopped firewalld - dynamic firewall daemon.
Dec 28 03:29:19 my.server.domain systemd[1]: Starting firewalld - dynamic firewall daemon...
Dec 28 03:29:19 my.server.domain systemd[1]: Started firewalld - dynamic firewall daemon.
Dec 28 03:29:19 my.server.domain firewalld[1760864]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consid>
Dec 28 03:38:49 my.server.domain systemd[1]: Stopping firewalld - dynamic firewall daemon...
Dec 28 03:38:49 my.server.domain systemd[1]: firewalld.service: Succeeded.
Dec 28 03:38:49 my.server.domain systemd[1]: Stopped firewalld - dynamic firewall daemon.

Why is this happening, and how can I ensure that firewalld stays active always?

Migwell

1 Answer


The most useful tool I found for debugging this problem was journalctl --pager-end --output with-unit. This gives you output from all units, but with the unit producing each log labelled. Then, when I searched for the logs where the firewall was stopping, I found this:

Wed 2022-12-28 18:38:49 AEDT my.domain init.scope[1]: Stopping firewalld - dynamic firewall daemon...
Wed 2022-12-28 18:38:50 AEDT my.domain init.scope[1]: firewalld.service: Succeeded.
Wed 2022-12-28 18:38:50 AEDT my.domain init.scope[1]: Stopped firewalld - dynamic firewall daemon.
Wed 2022-12-28 18:38:50 AEDT my.domain puppet.service[2003956]: (/Stage[main]/Firewall::Linux::Redhat/Service[firewalld]/ensure) ensure changed 'running' to 'stopped' (corrective)

So what was happening was that puppet was installed, which was trying to periodically "correct" my changes to the firewall, I imagine using something like this recipe: https://www.puppetcookbook.com/posts/ensure-service-is-stopped.html.

Therefore, I was able to resolve my issue using systemctl disable puppet && systemctl stop puppet.

Migwell
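As an added example (not code from the question or the answer), this script does the correlation the answer did by eye: it parses journalctl --output with-unit lines, finds each systemd "Stopping firewalld" event, and lists every other unit that logged a message naming the service within a few seconds of it. The function names are assumed; the sample lines are the four from the answer plus one constructed crond line as noise.

```python
"""Correlate 'Stopping <service>' events in `journalctl --output with-unit`
text with lines from other units in the same time window, to surface what
is driving repeated stops (here: a config-management agent)."""
import re
from datetime import datetime, timedelta

# Line shape: "<Day> <YYYY-MM-DD> <HH:MM:SS> <TZ> <host> <unit>[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<day>\w{3}) (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<tz>\S+) "
    r"(?P<host>\S+) (?P<unit>[^\s\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Constructed sample: lines 2-5 are from the answer, line 1 is unrelated noise.
SAMPLE = """\
Wed 2022-12-28 18:38:45 AEDT my.domain crond.service[900]: (root) CMD (run-parts /etc/cron.hourly)
Wed 2022-12-28 18:38:49 AEDT my.domain init.scope[1]: Stopping firewalld - dynamic firewall daemon...
Wed 2022-12-28 18:38:50 AEDT my.domain init.scope[1]: firewalld.service: Succeeded.
Wed 2022-12-28 18:38:50 AEDT my.domain init.scope[1]: Stopped firewalld - dynamic firewall daemon.
Wed 2022-12-28 18:38:50 AEDT my.domain puppet.service[2003956]: (/Stage[main]/Firewall::Linux::Redhat/Service[firewalld]/ensure) ensure changed 'running' to 'stopped' (corrective)
""".splitlines()

def parse_line(line):
    """Return (datetime, unit, message), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("unit"), m.group("msg")

def find_stop_culprits(lines, service="firewalld", window_s=5):
    """For each systemd (init.scope) 'Stopping <service>' event, return the
    other units that logged a message naming the service within +/- window_s."""
    events = [e for e in map(parse_line, lines) if e]
    stops = [ts for ts, unit, msg in events
             if unit == "init.scope" and msg.startswith(f"Stopping {service}")]
    window = timedelta(seconds=window_s)
    results = []
    for stop_ts in stops:
        suspects = sorted({unit for ts, unit, msg in events
                           if abs(ts - stop_ts) <= window
                           and unit not in ("init.scope", f"{service}.service")
                           and service in msg})
        results.append((stop_ts, suspects))
    return results

if __name__ == "__main__":
    for stop_ts, suspects in find_stop_culprits(SAMPLE):
        print(f"{stop_ts}: stop of firewalld; nearby units naming it: {suspects}")
```

Feed it the real output with journalctl --output with-unit --no-pager | python3 script.py after swapping SAMPLE for sys.stdin; a unit that shows up beside every stop is the one to look at, and its own logs then tell you whether it is policy (as with puppet here) or something unexpected.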