firewalld fails to add new rules

denn0n · Tux's lil' helper Joined: 24 May 2020 Posts: 87

Hi Im trying to set correctly firewalld now wen I try to set a interface to a zones I get

alamahant · Advocate Joined: 23 Mar 2019 Posts: 3879

Is firewalld buitl with USE="nftables iptables"
?
If yes then switch backend like this:
In /etc/firewalld/firewalld.conf set FirewallBackend to iptables.
And check if it works.
Then preferably rebuild it with only USE="iptables",although it is considered obsolete.
_________________

denn0n · Tux's lil' helper Joined: 24 May 2020 Posts: 87

alamahant · Advocate Joined: 23 Mar 2019 Posts: 3879

What is the output of

denn0n · Tux's lil' helper Joined: 24 May 2020 Posts: 87

denn0n · Tux's lil' helper Joined: 24 May 2020 Posts: 87

denn0n · Tux's lil' helper Joined: 24 May 2020 Posts: 87

alamahant · Advocate Joined: 23 Mar 2019 Posts: 3879

Yes I also installed right now firewalld in my openrc.
Although I have a full iptables kernel .config the damned thing would not start.
I think it is very temperamental.
Anyway i found this kernel config
https://zigford.org/firewalld-kernel-requirements.html
to use with nftables backend.
But maybe its not a kernel thing at all.
_________________

denn0n · Tux's lil' helper Joined: 24 May 2020 Posts: 87

denn0n · Tux's lil' helper Joined: 24 May 2020 Posts: 87

pietinger · Posted: Wed Dec 01, 2021 12:22 am Post subject:

The only correct installation of a firewall is:

1. You put in ALL modules belonging to netfilter as <M> in your kernel (+compile and install your kernel as always). Forget all informations about needed kernel modules, because the needed modules depends on your FW-configuration !
2. If you want to set up a firewall for a network (more than one ethernet port) dont forget to enable all needed ROUTING modules (e.g. "advanced router); this is not needed for a personal FW.
3. You configure your firewall BEST with native "ipatbles" or "nftables" - dont use any "simple" solution from ufw or others. If you dont understand what you are doing then learn: networking (tcp, udp, icmp, ports, layers, IPv4, IPv6, DNAT, SNAT, ...) and at least do a "man iptables" or "man nftables".
4. If your FW is running you can do a "lsmod" and find out which kernel modules are really needed (the next time you configure your kernel you can unset all not needed modules).

As far as I can see your configuration is a mess ... dont use it until you understand for what a firewall is able to do and NOT to do

(there is a german guide from me with iptables; and a translated english version in this forum).

denn0n · Tux's lil' helper Joined: 24 May 2020 Posts: 87

alamahant · Advocate Joined: 23 Mar 2019 Posts: 3879

Ok I made some progress.
It doesnt matter if you build firewalld with USE="-nftables" you need both ie "nftables iptables" USE flags for it to start.
I did that and after setting backend to iptables in firewalld.conf It Starts!
Same when I set it to nftables.
Running firewall commands no problem.
If you need to debug it use something

sam_ · Developer Joined: 14 Aug 2020 Posts: 1678

alamahant · Advocate Joined: 23 Mar 2019 Posts: 3879

sam_
Do you think its a bug?
I dont have the output because i closed that terminal but it complained thet it was trying to load an nftables python module which could not be found despite having set backend to "iptables" in firewalld.conf.
So it seems irrespective of using nftables or iptables backend you DO need firewalld built with both.
Otherwise it will not start.
Should i rebuild it with only one get the output and open a bug report?

pietinger · Posted: Sat Dec 04, 2021 1:09 am Post subject:

sam_ · Developer Joined: 14 Aug 2020 Posts: 1678

Ah, yes, please do file a bug for this in Gentoo. This exists upstream here too: https://github.com/firewalld/firewalld/issues/891.