I have installed firewalld on a fresh CentOS 7 minimal installation on a VPS (weirdly enough, from what I've been searching, firewalld should already be installed with the system).

I tried opening some ports but when running a command like

firewall-cmd --zone=public --add-port=80/tcp --permanent

I get the following error message: Error: INVALID_ZONE: public.

When viewing available zones with firewall-cmd --get-zones I get nothing.

How should it be configured?

Daniel Nachtrub
Nicolas
  • Is firewalld running? Try reinstalling it. Did you create any zones? Did your VPS provider delete them? – Michael Hampton Apr 23 '15 at 22:24
  • It is running, reinstalled it, nothing changed. I didn't create any zones, couldn't find a proper instruction on how to do it anywhere. Shouldn't there be some defaults with installation? Everywhere I looked it says that the firewall should already be installed with the system but it was not. – Nicolas Apr 24 '15 at 06:40
  • Have exactly the same problem, on a pi install of Centos 7 (RedSleeve 7). It seems to act like it simply hasn't loaded the zones files. – Neil Townsend Jan 07 '16 at 20:20
  • `firewall-cmd --new-zone=public` might help you create the zone, but then you should make sure it's the same as the public zone created by default – Pierre-Alain TORET Mar 21 '16 at 14:20
  • Are there any zones (XML files) in /usr/lib/firewalld/zones? – digitaladdictions Apr 02 '16 at 00:50
  • It seems like something is wrong with your install. Maybe the disk is/was full? Pre-defined zone XML files should be in the /usr/lib/firewalld/zones/ directory. The file /etc/firewalld/firewalld.conf contains the DefaultZone entry. The active zone(s) should be in the /etc/firewalld/zones/ directory. The firewall-cmd man page is easy to understand, IMHO. – Bob Apr 28 '16 at 15:21

2 Answers

That sounds like a pretty strange VPS setup and issue, but you can build your own zones easily enough if you don't mind writing a bit of XML.

My public zone is:

<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <port protocol="tcp" port="443"/>
</zone>

It is a lightly modified version of the default public.xml, which drops packets instead of rejecting them, and allows HTTPS as well as SSH.

You would put this in (I think) /etc/firewalld/zones/public.xml.

iwaseatenbyagrue
VPSes do all sorts of dumb things. Some of them nuke SELinux on the kernel level, so that you can't even enable it. First of all, you want to check your kernel with uname -r. It should say el7, e.g.

3.10.0-693.2.2.el7.x86_64

If it is el7, you're good. If not, you need to check with your VPS if you can use the stock EL kernels, or reinstall your instance from your own CentOS ISO (that's what I did on Vultr). It may still be possible to fix firewalld with a custom kernel, but it's better to have the official ones.

Anyway, if firewalld is actually functional, just not having zones, simply create the zone and add the services.

firewall-cmd --new-zone=public --permanent
firewall-cmd --reload
firewall-cmd --zone=public --add-service=ssh --permanent
firewall-cmd --reload

Note: you must do these in the same session, otherwise you may get locked out of SSH and have to resort to console access to fix your firewall.

bviktor
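Pulling the two answers and the comments together, here is an added example (not code from either answer) that checks the kernel string as bviktor suggests, counts the zone files firewalld can actually see, and refuses to reload unless the permanent public zone file admits SSH, so the lockout the note warns about cannot happen. It assumes the stock paths named in the comments (/usr/lib/firewalld/zones and /etc/firewalld/zones); override PKG_ZONES and ETC_ZONES in the environment if your layout differs.

```shell
#!/bin/sh
# Added example (not from the answers above): diagnose a firewalld install whose
# zones are missing and recreate "public" without losing the SSH session.
# Assumed stock paths, as named in the comments: packaged zones under
# /usr/lib/firewalld/zones, local overrides under /etc/firewalld/zones.
PKG_ZONES=${PKG_ZONES:-/usr/lib/firewalld/zones}
ETC_ZONES=${ETC_ZONES:-/etc/firewalld/zones}

# Return 0 when a `uname -r` string names a stock EL7 kernel, e.g. 3.10.0-693.2.2.el7.x86_64.
is_el7_kernel() {
    case "$1" in
        *.el7.*|*.el7) return 0 ;;
        *) return 1 ;;
    esac
}

# Count the zone XML files firewalld can load; 0 is what makes
# `firewall-cmd --get-zones` print nothing and --zone=public fail with INVALID_ZONE.
count_zone_files() {
    n=0
    for f in "$PKG_ZONES"/*.xml "$ETC_ZONES"/*.xml; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Return 0 when zone file $1 admits SSH, as the named service or as 22/tcp,
# so making it the active zone cannot cut off the current session.
zone_allows_ssh() {
    [ -r "$1" ] || return 1
    grep -Eq '<service[[:space:]]+name="ssh"' "$1" && return 0
    grep -Eq '<port[^>]*(port="22"[^>]*protocol="tcp"|protocol="tcp"[^>]*port="22")' "$1"
}

# Stage both permanent changes, confirm the written zone file allows ssh, then
# reload once, so the runtime never sees a public zone without ssh.
restore_public_zone() {
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd missing" >&2; return 1; }
    firewall-cmd --permanent --get-zones | tr ' ' '\n' | grep -qx public ||
        firewall-cmd --permanent --new-zone=public
    firewall-cmd --permanent --zone=public --add-service=ssh
    zone_allows_ssh "$ETC_ZONES/public.xml" || { echo "public.xml lacks ssh, not reloading" >&2; return 1; }
    firewall-cmd --reload
}

if [ "${1:-}" = "apply" ]; then
    is_el7_kernel "$(uname -r)" || echo "warning: non-EL7 kernel $(uname -r)" >&2
    restore_public_zone
fi
```

Run it with no arguments to load the functions for inspection, or as `sh fix-zone.sh apply` from a root shell to perform the repair; `count_zone_files` printing 0 confirms the symptom in the question before anything is changed.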