Score:0

Difficulty with Firewalld Blocking Traffic in Absence of IPTABLES Data

UME

I have noticed that Firewalld is actively blocking incoming and outgoing connections, which is causing disruptions in my network communication. However, upon checking the system, I discovered that no explicit IPTABLES rules are set. This is puzzling to me as I expected Firewalld to rely on IPTABLES for rule enforcement.

To further investigate, I have verified that Firewalld service is running and enabled on my system. I have also confirmed that the default Firewalld zone is correctly set and that there are no custom zone configurations interfering with the traffic. Additionally, I have reviewed the Firewalld logs, but I haven't found any relevant errors or warnings that could shed light on the issue.

I would greatly appreciate any suggestions or insights into why Firewalld might be blocking traffic in the absence of explicit IPTABLES rules.

You can see from the output below that only a few services are actively opened:

[linadmin@vwaapcon01]$ sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160 ens192 ens224
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[linadmin@vwaapcon01]$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

What distribution and version of Linux are you using? Most modern Linux distributions use nftables, not iptables (but the iptables command usually shows nftables rules).
UME
RHEL 8.5.
Score:0
  1. There may simply be a network firewall or security group active outside of the host that restricts traffic, regardless of the absence/presence/configuration of any host-based firewall.

  2. Alternatively, your system and firewalld may be using the nftables backend, and then inspecting rules with iptables may not give a complete or correct picture of the host-based firewall rules that exist outside the scope of the user-friendly Firewalld frontend; you'd need to use `nft list ruleset` or similar to see those.
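
The second point is what the question's own output shows. On RHEL 8 firewalld defaults to `FirewallBackend=nftables` and installs its rules in its own `table inet firewalld`, with an input chain hooked at priority `filter + 10` that ends in `reject with icmpx type admin-prohibited`. The `iptables` binary on RHEL 8 is iptables-nft, which only reads and writes tables of the `ip` family (`ip filter`, `ip nat`, and so on), so `iptables -L` reports empty chains with policy ACCEPT while the host is in fact rejecting everything except the listed services. The POSIX shell script below is an added example, not code from this thread: it parses a `nft list ruleset` listing and reports which tables `iptables`/`ip6tables` can display and which need `nft`, extracts the terminating verdicts from firewalld's input chain, and reads the backend setting from `firewalld.conf`. The ruleset and config text embedded in it are constructed, abridged samples of what a RHEL 8 host with the public zone shown above produces; `run_live` applies the same checks to the real commands (run as root).

```shell
#!/bin/sh
# Added diagnostic for the thread above (not from the original post): show why
# `iptables -L` looks empty while firewalld is enforcing rules via nftables.
# SAMPLE_RULESET and SAMPLE_CONF are constructed, abridged stand-ins for real
# output so the script runs offline; run_live uses the real commands instead.

# Constructed: abridged `nft list ruleset` from a RHEL 8 host using firewalld's
# nftables backend, public zone allowing ssh (22) and cockpit (9090).
SAMPLE_RULESET='table inet firewalld {
    chain filter_INPUT {
        type filter hook input priority filter + 10; policy accept;
        ct state { established, related } accept
        iifname "lo" accept
        jump filter_INPUT_ZONES
        ct state { invalid } drop
        reject with icmpx type admin-prohibited
    }
    chain filter_INPUT_ZONES {
        iifname "ens160" goto filter_IN_public
        goto filter_IN_public
    }
    chain filter_IN_public_allow {
        tcp dport 22 ct state { new, untracked } accept
        tcp dport 9090 ct state { new, untracked } accept
    }
}
table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
    }
}'

# Constructed: the relevant line of /etc/firewalld/firewalld.conf on RHEL 8.
SAMPLE_CONF='# FirewallBackend
FirewallBackend=nftables'

# Print "family name" for each table in a ruleset read from stdin.
list_tables() {
    awk '$1 == "table" && $NF == "{" { print $2, $3 }'
}

# Print only the table names the iptables command can see: family "ip".
# (ip6tables sees "ip6".) firewalld's "inet firewalld" table is neither.
iptables_visible_tables() {
    list_tables | awk '$1 == "ip" { print $2 }'
}

# Exit 0 when the ruleset contains firewalld's own table.
has_firewalld_table() {
    list_tables | grep -qx 'inet firewalld'
}

# Print the drop/reject lines inside firewalld's filter_INPUT chain: the
# blocking that iptables -L never shows.
firewalld_input_verdicts() {
    awk '$1 == "chain" && $2 == "filter_INPUT" { in_chain = 1; next }
         in_chain && $1 == "}"                  { in_chain = 0 }
         in_chain && /(drop|reject)/            { sub(/^[ \t]+/, ""); print }'
}

# Print the configured backend from a firewalld.conf read from stdin.
# firewalld 0.6 and later default to nftables when the key is absent.
firewalld_backend() {
    backend=$(sed -n 's/^FirewallBackend=//p')
    printf '%s\n' "${backend:-nftables}"
}

# Human-readable report: each table and the command that can display it.
report() {
    list_tables | while read -r family name; do
        case $family in
            ip)  how="iptables -t $name -L" ;;
            ip6) how="ip6tables -t $name -L" ;;
            *)   how="nft list table $family $name   (invisible to iptables)" ;;
        esac
        printf '%-5s %-10s %s\n' "$family" "$name" "$how"
    done
}

# On a real RHEL 8 host, run the same checks against live data (needs root).
run_live() {
    firewalld_backend < /etc/firewalld/firewalld.conf
    iptables -V     # "(nf_tables)" in the version string means iptables-nft
    nft list ruleset | report
    nft list ruleset | firewalld_input_verdicts
}

# Offline demonstration on the constructed samples.
printf 'backend: %s\n' "$(printf '%s\n' "$SAMPLE_CONF" | firewalld_backend)"
printf '%s\n' "$SAMPLE_RULESET" | report
printf '%s\n' "$SAMPLE_RULESET" | firewalld_input_verdicts
```

`iptables -V` printing a version string that ends in `(nf_tables)` confirms the binary is the nftables-backed variant, and `nft list table inet firewalld` is the direct way to read what firewalld has actually installed. One caveat on the symptoms in the question: firewalld's default configuration accepts all outbound traffic, so blocked outgoing connections point at something other than this ruleset, such as the external firewall or security group named in the first point.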

UME
The command `nft list ruleset` executed successfully. However, my assumption was that iptables and firewalld act solely as frontend tools for interacting with nftables. I had believed that iptables or similar tools could retrieve data from nftables and present it in a user-friendly format, regardless of the tool that created the data.