SLES15 SP2 firewall not coming with interface after reboot

vishalvishal New or Quiet Member
edited April 5 in General Discussion

In the reboot sequence, I see the firewall coming up first, then wicked (which brings up the interfaces). Because of this, the firewall is not coming up with the proper configuration.

2021-03-26T02:53:21.338775+00:00 FILE-1 systemd[1]: Started firewalld - dynamic firewall daemon.
2021-03-26T02:53:21.339268+00:00 FILE-1 systemd[1]: Reached target Network (Pre).
2021-03-26T02:53:21.342856+00:00 FILE-1 systemd[1]: Starting wicked DHCPv6 supplicant service...
2021-03-26T02:53:21.346931+00:00 FILE-1 systemd[1]: Starting wicked DHCPv4 supplicant service...
2021-03-26T02:53:21.348951+00:00 FILE-1 kernel: [ 15.648081] bpfilter: Loaded bpfilter_umh pid 2034
2021-03-26T02:53:21.351513+00:00 FILE-1 systemd[1]: Starting wicked AutoIPv4 supplicant service...
2021-03-26T02:53:21.383407+00:00 FILE-1 systemd[1]: Started wicked AutoIPv4 supplicant service.
2021-03-26T02:53:21.384096+00:00 FILE-1 systemd[1]: Started wicked DHCPv6 supplicant service.
2021-03-26T02:53:21.384531+00:00 FILE-1 systemd[1]: Started wicked DHCPv4 supplicant service.
2021-03-26T02:53:21.386910+00:00 FILE-1 systemd[1]: Starting wicked network management service daemon...
2021-03-26T02:53:21.421963+00:00 FILE-1 systemd[1]: Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
2021-03-26T02:53:21.434948+00:00 FILE-1 systemd[1]: Started wicked network management service daemon.
2021-03-26T02:53:21.437316+00:00 FILE-1 systemd[1]: Starting wicked network nanny service...
2021-03-26T02:53:21.468920+00:00 FILE-1 systemd[1]: Started wicked network nanny service.
2021-03-26T02:53:21.471253+00:00 FILE-1 systemd[1]: Starting wicked managed network interfaces...
2021-03-26T02:53:21.508229+00:00 FILE-1 kernel: [ 15.803966] No iBFT detected.
2021-03-26T02:53:21.828329+00:00 FILE-1 sbd[1905]: notice: watchdog_init: Using watchdog device '/dev/watchdog'
2021-03-26T02:53:21.831226+00:00 FILE-1 systemd-udevd[648]: Network interface NamePolicy= disabled by default.
2021-03-26T02:53:21.832985+00:00 FILE-1 kdump[2256]: Loaded kdump kernel: /sbin/kexec -p /boot/vmlinuz-5.3.18-24.29-default --append=" plymouth.enable=0 nvme-core.multipath=N console=tty0 rw console=ttyS0,38800n8 elevator=deadline sysrq=yes reset_devices acpi_no_memhotplug cgroup_disable=memory nokaslr numa=off irqpoll nr_cpus=1 root=kdump rootflags=bind rd.udev.children-max=8 disable_cpu_apicid=0 panic=1" --initrd=/boot/initrd-5.3.18-24.29-default-kdump -s, Result:
2021-03-26T02:53:21.837560+00:00 FILE-1 systemd[1]: Started Load kdump kernel early on startup.
2021-03-26T02:53:21.881374+00:00 FILE-1 systemd[1]: Started Shared-storage based fencing daemon.
2021-03-26T02:53:23.320061+00:00 FILE-1 kernel: [ 17.618232] e1000e 0000:00:11.0 eth0: NIC Link is Up 1000 Mbps Full Duplex, Flow Control: Rx/Tx
2021-03-26T02:53:23.468047+00:00 FILE-1 kernel: [ 17.765237] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
2021-03-26T02:53:23.476042+00:00 FILE-1 kernel: [ 17.774243] e1000e 0000:00:12.0 eth1: NIC Link is Up 1000 Mbps Full Duplex, Flow Control: Rx/Tx
2021-03-26T02:53:23.636152+00:00 FILE-1 kernel: [ 17.933226] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
2021-03-26T02:53:23.648098+00:00 FILE-1 kernel: [ 17.946227] e1000e 0000:00:13.0 eth2: NIC Link is Up 1000 Mbps Full Duplex, Flow Control: Rx/Tx
2021-03-26T02:53:23.648115+00:00 FILE-1 kernel: [ 17.946595] IPv6: ADDRCONF(NETDEV_CHANGE): eth2: link becomes ready
2021-03-26T02:53:23.676042+00:00 FILE-1 kernel: [ 17.972573] NET: Registered protocol family 17
2021-03-26T02:53:30.346475+00:00 FILE-1 wicked[2120]: lo up
2021-03-26T02:53:30.346832+00:00 FILE-1 wicked[2120]: eth0 up
2021-03-26T02:53:30.347010+00:00 FILE-1 wicked[2120]: eth1 up

Below, the interface is missing:
FILE-1:~ # firewall-cmd --zone=pmfzone --list-all
pmfzone
target: %%REJECT%%
icmp-block-inversion: yes
**interfaces:**
sources:
services: ssh ipsec
ports: 111/udp 1427/udp 2049/udp 4002/udp 4003/udp 4004/udp 427/udp 69/udp 5404/udp 5405/udp 123/udp 500/udp 4500/udp 20048/udp 323/udp 5407/udp 111/tcp 1427/tcp 2049/tcp 4002/tcp 4003/tcp 4004/tcp 427/tcp 2707/tcp 22/tcp 5499/tcp 5984/tcp 5986/tcp 5989/tcp 8443/tcp 8088/tcp 8089/tcp 5480/tcp 2014/tcp 21064/tcp 30865/tcp 5560/tcp 5432/tcp 20048/tcp 7432/tcp 3000/tcp 5575/tcp 5576/tcp 8080/tcp 7070/tcp 7630/tcp 9999/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks: echo-request echo-reply
rich rules:

However, after a restart of the firewall service, I see eth0 is configured properly:
FILE-1:~ # systemctl restart firewalld
FILE-1:~ # firewall-cmd --zone=pmfzone --list-all
pmfzone (active)
target: %%REJECT%%
icmp-block-inversion: yes
**interfaces: eth0**
sources:
services: ssh ipsec
ports: 111/udp 1427/udp 2049/udp 4002/udp 4003/udp 4004/udp 427/udp 69/udp 5404/udp 5405/udp 123/udp 500/udp 4500/udp 20048/udp 323/udp 5407/udp 111/tcp 1427/tcp 2049/tcp 4002/tcp 4003/tcp 4004/tcp 427/tcp 2707/tcp 22/tcp 5499/tcp 5984/tcp 5986/tcp 5989/tcp 8443/tcp 8088/tcp 8089/tcp 5480/tcp 2014/tcp 21064/tcp 30865/tcp 5560/tcp 5432/tcp 20048/tcp 7432/tcp 3000/tcp 5575/tcp 5576/tcp 8080/tcp 7070/tcp 7630/tcp 9999/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks: echo-request echo-reply
rich rules:
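
The journal excerpt above already contains the evidence for the ordering problem: firewalld's unit is ordered before network-pre.target by design, so it is expected to start before wicked configures the interfaces. The script below is an added example (not code from this thread or from SUSE) that reads log lines in the same rsyslog format as quoted in the post, finds when firewalld started and when wicked reported each interface up, and lists the interfaces that came up only after firewalld was already running. The sample journal embedded in it is a constructed subset of the lines from the post.

```python
"""Check, from journal lines, whether wicked brought interfaces up only after
firewalld had already started. Added example; not code from the forum thread."""
import re
from datetime import datetime

# Constructed sample: a subset of the journal lines quoted in the post.
SAMPLE_JOURNAL = """\
2021-03-26T02:53:21.338775+00:00 FILE-1 systemd[1]: Started firewalld - dynamic firewall daemon.
2021-03-26T02:53:21.339268+00:00 FILE-1 systemd[1]: Reached target Network (Pre).
2021-03-26T02:53:21.471253+00:00 FILE-1 systemd[1]: Starting wicked managed network interfaces...
2021-03-26T02:53:23.320061+00:00 FILE-1 kernel: [ 17.618232] e1000e 0000:00:11.0 eth0: NIC Link is Up 1000 Mbps Full Duplex, Flow Control: Rx/Tx
2021-03-26T02:53:30.346475+00:00 FILE-1 wicked[2120]: lo up
2021-03-26T02:53:30.346832+00:00 FILE-1 wicked[2120]: eth0 up
2021-03-26T02:53:30.347010+00:00 FILE-1 wicked[2120]: eth1 up
"""

# rsyslog-style line: ISO timestamp, host, "unit[pid]:" or "kernel:", then the message
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<src>[^:\s]+):\s+(?P<msg>.*)$")
IFACE_UP_RE = re.compile(r"^(?P<iface>[\w.-]+) up$")
FIREWALLD_STARTED = "Started firewalld"


def parse_journal(text):
    """Yield (timestamp, source, message) for every line that matches LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["msg"]


def firewalld_vs_interfaces(text):
    """Return {'firewalld_started': datetime or None, 'late': {iface: seconds}}.

    An interface is 'late' when wicked reported it up after firewalld had
    already started, i.e. firewalld could not see it when it loaded its zones.
    The loopback interface is ignored; it is never zone-bound here.
    """
    started = None
    up_times = {}
    for ts, src, msg in parse_journal(text):
        if src.startswith("systemd") and FIREWALLD_STARTED in msg:
            started = ts
        elif src.startswith("wicked"):
            m = IFACE_UP_RE.match(msg)
            if m:
                up_times[m["iface"]] = ts
    late = {}
    if started is not None:
        for iface, ts in up_times.items():
            if iface != "lo" and ts > started:
                late[iface] = round((ts - started).total_seconds(), 3)
    return {"firewalld_started": started, "late": late}


if __name__ == "__main__":
    import sys
    # Read a log in the same format from stdin, or fall back to the embedded sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JOURNAL
    result = firewalld_vs_interfaces(text)
    if result["firewalld_started"] is None:
        print("no 'Started firewalld' line found")
    for iface, delay in sorted(result["late"].items()):
        print(f"{iface}: reported up {delay}s after firewalld started")
```

On the quoted boot, both eth0 and eth1 come up roughly nine seconds after firewalld, which is why a zone listing taken right after boot shows no interface while a later restart of firewalld, with the interfaces already present, shows eth0. Since the start order itself is intended, the fix is to persist the interface-to-zone binding so that firewalld applies it when the interface appears, rather than to restart the service.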

Comments

  • vishalvishal New or Quiet Member

    @Andreas but this does not solve or give any inputs on what I have put in the forum.
    My point is that after reboot the firewall service is coming up but the interface (eth0) is not getting attached to it. Only after I restart the firewall service does the interface get added to it. firewall-cmd --list-all

  • AndreasAndreas Senior Member

    Your point is that you use the wrong firewall service (firewalld). Remove the original firewall service (firewalld) and install your own "Do it yourself" firewall service (firewallStart.service):
    https://forums.suse.com/discussion/14522/having-network-kernel-issues#latest

  • vishalvishal New or Quiet Member

    @Andreas @malcolmlewis Here the point is: I have a zone (for example, external), and I want to link this zone to interface eth0 permanently. I tried using firewall-cmd --zone=zone_name --change-interface=interface_name, but after rebooting the system, firewall-cmd --list-all comes up without the interface; it shows the interface as null.
    How can we make this setting permanent?
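
A `firewall-cmd --zone=Z --change-interface=IF` call without `--permanent` only changes the runtime configuration, so the binding disappears at the next reload or reboot; the persistent options are `firewall-cmd --permanent --zone=Z --change-interface=IF` followed by `firewall-cmd --reload`, or the `ZONE=` key in `/etc/sysconfig/network/ifcfg-IF`, which wicked passes to firewalld when it brings the interface up. The script below is an added example, not code from this thread or from SUSE: it parses zone listings in the `firewall-cmd --list-all` format shown in the post, compares the runtime and permanent views of one zone, and checks constructed ifcfg contents for a `ZONE=` that names the zone but is not active. The listings, the ifcfg bodies and the `192.0.2.10/24` address are all constructed sample data.

```python
"""Compare firewalld runtime vs permanent interface binding for one zone, and
cross-check wicked ifcfg ZONE= settings. Added example; not from the thread."""
import re

# Constructed sample: the zone as `firewall-cmd --zone=pmfzone --list-all` shows it
# right after a runtime-only `--change-interface=eth0` (no --permanent).
RUNTIME_LISTING = """\
pmfzone (active)
  target: %%REJECT%%
  icmp-block-inversion: yes
  interfaces: eth0
  sources:
  services: ssh ipsec
  ports: 111/udp 2049/tcp 22/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks: echo-request echo-reply
  rich rules:
"""

# Constructed: the same zone from `firewall-cmd --permanent --zone=pmfzone --list-all`.
PERMANENT_LISTING = (RUNTIME_LISTING
                     .replace("pmfzone (active)", "pmfzone")
                     .replace("interfaces: eth0", "interfaces:"))

# Constructed ifcfg file bodies keyed by interface name (hypothetical values).
IFCFG_FILES = {
    "eth0": "STARTMODE='auto'\nBOOTPROTO='static'\nIPADDR='192.0.2.10/24'\n",
    "eth1": "STARTMODE='auto'\nBOOTPROTO='dhcp'\nZONE='pmfzone'\n",
}

HEADER_RE = re.compile(r"^(?P<zone>\S+)(?:\s+\((?P<active>active)\))?\s*$")
ZONE_RE = re.compile(r"^\s*ZONE=['\"]?(?P<zone>[^'\"\s]+)['\"]?\s*$", re.M)


def parse_list_all(text):
    """Parse `firewall-cmd --zone=X --list-all` output into a dict.

    Stray '*' characters (as in a bold-marked forum paste) are ignored.
    """
    lines = [ln.strip().strip("*").strip() for ln in text.splitlines() if ln.strip()]
    m = HEADER_RE.match(lines[0])
    zone = {"zone": m["zone"], "active": m["active"] is not None, "fields": {}}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        zone["fields"][key.strip()] = value.split()
    return zone


def ifcfg_zone(text):
    """Return the ZONE= value from an ifcfg file body, or None if unset."""
    m = ZONE_RE.search(text)
    return m["zone"] if m else None


def check_bindings(runtime_text, permanent_text, ifcfg_files):
    """Return sorted (interface, finding) pairs for one zone.

    runtime-only           bound now but absent from permanent config: lost on reload/reboot
    permanent-only         in permanent config but not active: reload not done yet
    ifcfg-zone-not-active  ifcfg says ZONE=<this zone> but the interface is not in it
    """
    rt, pm = parse_list_all(runtime_text), parse_list_all(permanent_text)
    rt_if = set(rt["fields"].get("interfaces", []))
    pm_if = set(pm["fields"].get("interfaces", []))
    findings = [(i, "runtime-only") for i in rt_if - pm_if]
    findings += [(i, "permanent-only") for i in pm_if - rt_if]
    for iface, body in ifcfg_files.items():
        if ifcfg_zone(body) == rt["zone"] and iface not in rt_if:
            findings.append((iface, "ifcfg-zone-not-active"))
    return sorted(findings)


if __name__ == "__main__":
    for iface, finding in check_bindings(RUNTIME_LISTING, PERMANENT_LISTING, IFCFG_FILES):
        print(f"{iface}: {finding}")
```

On the sample data this reports `eth0: runtime-only` (the binding that vanishes at reboot, which is the symptom in the post) and `eth1: ifcfg-zone-not-active` (a configured binding that has not taken effect, the thing to look at after changing ifcfg or the permanent zone). To run it against a live host, capture the two `firewall-cmd` listings and the ifcfg files and pass them to `check_bindings`.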

  • malcolmlewismalcolmlewis Knowledge Partner

    @vishal Hi, I wonder if it's a race condition that can rear its head with persistent and predictable naming....
    If you add the following grub kernel option, net.ifnames=0, does this help?
