
I just installed Fedora 23 Server. I have a single zone created by default:

# firewall-cmd --get-active-zones
FedoraServer
  interfaces: eth0

If I add a service to this zone, it works fine:

# firewall-cmd --zone=FedoraServer --add-service=http
success

# firewall-cmd --zone=FedoraServer --list-all
FedoraServer (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client http ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

But it is lost when running firewall-cmd --reload.

If I try to make it permanent as suggested in this answer, I get the following error:

# firewall-cmd --zone=FedoraServer --add-service=http --permanent
Error: INVALID_SERVICE: 'cockpit' not among existing services

I'm surprised as this is a fresh installation from an OVH template.

How can I work around this error?

BenMorel
  • It's a broken OVH template. I saw the same thing. I just did a fresh Fedora installation, since I didn't want most of their crap in there anyway. – Michael Hampton Jan 18 '16 at 19:38
  • Crap. I'm not a server admin guru, so I'm not confident moving away from their templates (configured with monitoring and such). There must be a workaround? – BenMorel Jan 18 '16 at 19:40
  • If there is, I'm not aware of it. And besides, installing an OS isn't hard. Just open the IPMI Java console, mount a local copy of the Fedora 23 netinstall media, and go to it. You do need to have decent upload bandwidth from your location for this, though. – Michael Hampton Jan 18 '16 at 19:41

1 Answer


As suggested by Michael Hampton in the comments, this seems to be specific to the OVH Fedora 23 Server template.

I searched for cockpit in /etc, and found the following file:

/etc/firewalld/zones/FedoraServer.xml

Which contains the following lines:

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="cockpit"/>
</zone>

I removed this line and saved the file:

<service name="cockpit"/>

And it now works!

They basically seem to have added a default service to firewalld that is not installed in their template.

BenMorel
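Added example, not part of the original answer: a small check that finds this kind of dangling reference before `--permanent` fails, by listing every service a zone file names that has no definition file on disk. It assumes firewalld's standard directories (`/usr/lib/firewalld/...` for packaged files, `/etc/firewalld/...` for local ones); the function names and the sample files are constructed for illustration.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

SERVICE_DIRS = ["/usr/lib/firewalld/services", "/etc/firewalld/services"]
ZONE_DIRS = ["/usr/lib/firewalld/zones", "/etc/firewalld/zones"]

def xml_files(dirs):
    """All *.xml files in the directories that exist, in a stable order."""
    return [p for d in dirs if Path(d).is_dir() for p in sorted(Path(d).glob("*.xml"))]

def missing_services(zone_dirs=ZONE_DIRS, service_dirs=SERVICE_DIRS):
    """Map each zone file to the services it references that have no definition."""
    known = {p.stem for p in xml_files(service_dirs)}
    report = {}
    for zone_file in xml_files(zone_dirs):
        try:
            root = ET.parse(zone_file).getroot()
        except ET.ParseError as exc:
            # A malformed zone file is reported rather than aborting the scan.
            report[str(zone_file)] = [f"unparseable: {exc}"]
            continue
        # iter() also reaches <service> elements nested inside rich rules.
        names = {s.get("name") for s in root.iter("service")}
        missing = sorted(n for n in names if n and n not in known)
        if missing:
            report[str(zone_file)] = missing
    return report

# Constructed sample mirroring the zone file quoted in the answer.
SAMPLE_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="cockpit"/>
</zone>
"""

def demo():
    """Reproduce the situation in a temp dir: no cockpit.xml definition exists."""
    with tempfile.TemporaryDirectory() as tmp:
        zones, services = Path(tmp, "zones"), Path(tmp, "services")
        zones.mkdir()
        services.mkdir()
        (zones / "FedoraServer.xml").write_text(SAMPLE_ZONE)
        for name in ("ssh", "dhcpv6-client", "http"):
            (services / f"{name}.xml").write_text("<service/>")
        found = missing_services([zones], [services])
        return {Path(k).name: v for k, v in found.items()}

if __name__ == "__main__":
    print(missing_services())  # scans the real firewalld directories
```

An empty result means every referenced service has a definition; any entry names the zone file to edit or the service definition to install.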