8

After upgrading the system from 6.5 to 7, I started learning to implement a dynamic firewall; however, I made the mistake of adding the following rule

firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -j DROP

which caused the machine to drop all output to the outside.

I tried to use

firewall-cmd --permanent --direct --remove-rule ipv4 filter OUTPUT 1 -j DROP

to welcome everyone back.

However, after

firewall-cmd --reload

and

firewall-cmd --direct --get-all-rules

I find this rule comes back again automatically.

I even tried

firewall-cmd --complete-reload

but it had no effect.

What can I do now?

Mark

5 Answers

10

Eventually I found that the remove command only works one time, because the rules are recorded in direct.xml.

Thus, the solution is easy: edit direct.xml and comment out the corresponding lines, or just delete them.

Mark

  • Is this documented anywhere do you know? I had the same thing with the `external` zone; removing ssh service didn't stay removed until I edited the xml file (which presumably gets updated on an update...)? – artfulrobot Sep 06 '22 at 17:01
4

After wrestling with a stubbornly persistent redirect rule I realized through testing the following:

  1. iptables rules DB is transient
  2. firewall-cmd --permanent rules DB persists through reboots, rewriting iptables rules DB after reboot
  3. firewall-cmd --permanent --direct rules DB stored in /etc/firewalld/direct.xml persists despite firewall-cmd [--permanent] --direct --remove-rule unless DB file is removed
  4. firewall-cmd [--permanent] --direct --query-rule will lie about persistence of rules in /etc/firewalld/direct.xml

Matthew
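Both the question (a `-j DROP` rule that keeps returning after `--reload`) and the answer above (the permanent direct-rule store in /etc/firewalld/direct.xml being the layer that actually survives a reload, while `--query-rule` may not reflect it) come down to one question a defender wants answered quickly: what is really in direct.xml right now? The script below is an added example, not code from the thread or from the firewalld project. It reads the file directly instead of asking firewall-cmd, lists every rule in ipv/table/chain/priority/args form, and flags any rule that is an unconditional `-j DROP`. The `<rule ipv= table= chain= priority=>ARGS</rule>` layout it parses is the one documented in firewalld.direct(5); the sample file embedded at the end is constructed for the demonstration and mimics the state described in the question.

```shell
#!/bin/sh
# Added example: audit the permanent firewalld direct-rule store straight from
# /etc/firewalld/direct.xml, so the rules that will come back on reload can be
# checked independently of what firewall-cmd reports.

# List every <rule> in FILE as: IPV TABLE CHAIN PRIORITY ARGS
direct_rules_from_xml() {
    grep -o '<rule [^>]*>[^<]*</rule>' "$1" | while IFS= read -r line; do
        ipv=$(printf '%s\n' "$line"   | sed -E 's/.* ipv="([^"]*)".*/\1/')
        table=$(printf '%s\n' "$line" | sed -E 's/.* table="([^"]*)".*/\1/')
        chain=$(printf '%s\n' "$line" | sed -E 's/.* chain="([^"]*)".*/\1/')
        prio=$(printf '%s\n' "$line"  | sed -E 's/.* priority="([^"]*)".*/\1/')
        args=$(printf '%s\n' "$line"  | sed -E 's|^<rule [^>]*>([^<]*)</rule>$|\1|')
        printf '%s %s %s %s %s\n' "$ipv" "$table" "$chain" "$prio" "$args"
    done
}

# Number of permanent direct rules in FILE
count_direct_rules() {
    direct_rules_from_xml "$1" | awk 'END { print NR }'
}

# Exit 0 if FILE contains a rule with exactly IPV TABLE CHAIN and ARGS
# (priority ignored), else exit 1.  Usage: has_direct_rule FILE IPV TABLE CHAIN ARGS
has_direct_rule() {
    direct_rules_from_xml "$1" | awk -v ipv="$2" -v table="$3" -v chain="$4" -v args="$5" '
        $1 == ipv && $2 == table && $3 == chain {
            rest = $0
            sub(/^[^ ]+ [^ ]+ [^ ]+ [^ ]+ /, "", rest)   # strip IPV TABLE CHAIN PRIORITY
            if (rest == args) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Print rules whose whole argument string is "-j DROP": an unconditional drop
# in a builtin chain is exactly the kind of rule that locks a host out.
blanket_drop_rules() {
    direct_rules_from_xml "$1" | awk '{
        rest = $0
        sub(/^[^ ]+ [^ ]+ [^ ]+ [^ ]+ /, "", rest)
        if (rest == "-j DROP") print
    }'
}

# Constructed sample of direct.xml as it would look after the question's
# "--permanent --direct --add-rule ipv4 filter OUTPUT 1 -j DROP"; point
# SAMPLE_DIRECT_XML at the real /etc/firewalld/direct.xml to audit a live host.
SAMPLE_DIRECT_XML=$(mktemp)
cat > "$SAMPLE_DIRECT_XML" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="1">-j DROP</rule>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="0">-p tcp --dport 22 -j ACCEPT</rule>
</direct>
EOF

echo "Permanent direct rules on disk ($(count_direct_rules "$SAMPLE_DIRECT_XML") total):"
direct_rules_from_xml "$SAMPLE_DIRECT_XML"

if has_direct_rule "$SAMPLE_DIRECT_XML" ipv4 filter OUTPUT "-j DROP"; then
    echo "WARNING: unconditional DROP in OUTPUT is still in direct.xml and will return on reload"
fi
echo "Blanket drop rules:"
blanket_drop_rules "$SAMPLE_DIRECT_XML"
```

The listing is printed in the same `ipv table chain priority args` column order that, as far as I know, `firewall-cmd --direct --get-all-rules` uses, so the on-disk view can be diffed against the runtime view to catch exactly the mismatch described in the thread: a rule absent at runtime but still waiting in direct.xml. The file is parsed with grep/sed/awk only because the point is to read the store without going through firewalld; if the XML were reformatted (attributes on several lines), a real XML parser would be the safer tool.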
1

Just tried the same thing, and my direct.xml was emptied after running

firewall-cmd --direct --remove-rule ...

without the --permanent option.
After reload, the direct rules that were removed are gone.

With this option, the rules were back after reload.

1

firewall-cmd [--permanent] --direct --remove-rules { ipv4 | ipv6 | eb } table chain

chicks
-1

No need to edit the direct.xml file. Do a:

# systemctl restart firewalld

and that will do.