Firewalld hangs Linux

IT_Architect
Since DirectAdmin is leaving FreeBSD, I thought I'd get acquainted with Linux after well over a decade.
- The install went fine other than a bug I ran across in the install program that drove me nuts for hours.
- I installed DirectAdmin, and that seemed to go fine too.
- I installed the CSF firewall plugin, and that seems to be where my problems started.
- Sometimes when you want to check programs you want to turn the firewall off, so I followed the instructions:
# systemctl stop firewalld - Problem: the moment I do this one, it says it masks it.
# systemctl disable firewalld
- Later, when I want to turn it on again, no matter what I type, it says it is masked, so I type:
# systemctl unmask firewalld
# systemctl enable firewalld
# systemctl start firewalld
- The problem is that when I try to reactivate it, if it doesn't hang the entire operating system, I cannot connect to it. Often it hangs the entire operating system. The VMWare tools then don't work, and sometimes reset doesn't work and I need to power down. If I power back up, I still cannot connect. If I do
# firewall-cmd --reload
it will go through its paces but doesn't fix anything. If I reboot the OS again, I still cannot log in even though
# systemctl status firewalld
says everything is hunky-dory. The ONLY way I can fix it is to roll back to a previous snapshot. Since it is a VM, I have a console and can log in there even when no network connections work.

I wouldn't know how to go about hanging FreeBSD. While I don't know what I'm doing in Linux, the fact that I can hang it so easily doesn't do much for my confidence. If anyone has any thoughts on this, let me know.
 
Hi!

Is CSF compatible with firewalld?

You cannot use both together, they both configure iptables in their own way.

So, you will need to uninstall firewalld before proceeding with csf.

Thanks,
First I started out thinking CSF was the firewall. Then someone told me that CSF was a plugin that is just an interface for the Linux firewall, firewalld. I didn't see a way to turn it on or off in the interface, so I read up on and documented the firewalld commands to stop it, to make sure it wasn't in the way of getting FTPS working, and ran into these issues. With a name like firewalld, I assumed those were the commands for whatever firewall is installed, like with httpd. Now I learn I had it right the first time and CSF IS a firewall, and what I did was reactivate firewalld, which is also a firewall that had probably been deactivated during the CSF install. CSF does indeed have a command line interface, but nothing like firewalld's options.

I uninstalled firewalld, but when I did that, it hosed CSF. I tried reinstalling CSF via the plugin and that doesn't work either, so I went back to my previous snapshot where everything was fine, issued the command systemctl status firewalld, and it returned:
● firewalld.service
Loaded: masked (Reason: Unit firewalld.service is masked.)
Active: inactive (dead)

Sooo, I'm not sure what the best course of action is at this point, other than that it is working with firewalld being masked, whatever the implications of that are.

Thanks TONS!
PS: Excellent choice of screen names. LOL!
 
CSF, like pfSense, Smoothwall and apf/bfd, is a shell/interface to configure the iptables firewall.

The command you issued gives the correct output; I've got the same on my CentOS 7 and 8 servers:
Code:
● firewalld.service
   Loaded: masked (Reason: Unit firewalld.service is masked.)
   Active: inactive (dead)

I would leave it like this, so with firewalld disabled, and you should be able to use csf with iptables now.
Unless iptables is not installed; then it's best to install it, but it does not need to be started automatically on boot. Even better, take care that it doesn't.
CSF will start it with the correct lines on boot.
 
Pff, I am ... to

When doing it right from the start, there are mostly no problems.

Other settings, configs and ways to handle it.
With the installation of one you break the other; removing it then doesn't bring back the broken parts!

Iptables, IPv6 and more: CSF is configuring IPTABLES in an easier way, as I understand it. For iptables and firewall, some info: https://8gwifi.org/docs/iptables.jsp
From the csf config:
# By default, csf will auto-configure iptables to filter all traffic except on
# the loopback device. If you only want iptables rules applied to a specific
# NIC, then list it here (e.g. eth1, or eth+)

Maybe some links help, I don't know; take care, they are very old, but the info could help to understand better, I hope:
This all makes me wonder: if you have a good working CSF config, so iptables is set, can you use that iptables config then also without CSF itself (no GUI or command line tools of CSF, but the same functional IPTABLES rules)?
 
if you have a good working CSF config, so iptables is set, can you use that iptables config then also without CSF itself (no GUI or command line tools of CSF, but the same functional IPTABLES rules)?
Yes, of course, if you would know the exact commands. At least if I understand your question correctly.

CSF does nothing else than translate the config files into iptables lines. So if you open, for example, port 80 in CSF, then CSF translates this to, for example, this command:
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
There are more ways to do this, but CSF would probably use this one.

If you know exactly all the lines generated, then you can put them in a file and have iptables load it at startup. Either that way, or you have to insert them one by one at the command line yourself or via a script.

But why make things hard when it's possible to do things the easy way? With CSF it is way easier, and it also has the option to add custom lines you want to use.
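
To illustrate the translation described above, here is an added shell example (not code from the thread or from the CSF project) that turns a CSF-style TCP_IN port list into the kind of iptables lines quoted in the post, and checks a `systemctl status` output for the masked firewalld state the thread recommends keeping. The port lists, the final DROP and the function names are constructed assumptions, not CSF's actual output.

```shell
#!/bin/sh
# Added example, not CSF's real generator. Assumes a comma-separated port list
# like csf.conf's TCP_IN ("22,80,443" or a range such as "30000:35000").

# csf_rules PORTLIST -> prints one iptables INPUT rule per port/range,
# framed by the loopback/conntrack rules and a final DROP (constructed policy).
csf_rules() {
  ports=$1
  # Loopback is always allowed, matching the csf.conf comment quoted above.
  printf '%s\n' 'iptables -A INPUT -i lo -j ACCEPT'
  # Replies to existing connections pass before any per-port rule is checked.
  printf '%s\n' 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  old_ifs=$IFS
  IFS=,
  for p in $ports; do
    IFS=$old_ifs
    # Reject anything that is not digits or a port range before it reaches iptables.
    case $p in
      ''|*[!0-9:]*) echo "csf_rules: bad port '$p'" >&2; return 1 ;;
    esac
    printf 'iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' "$p"
  done
  IFS=$old_ifs
  # Everything not explicitly opened is dropped (constructed default policy).
  printf '%s\n' 'iptables -A INPUT -j DROP'
}

# firewalld_masked STATUS_TEXT -> 0 when the pasted systemctl output shows the
# unit masked, which is the state to keep while CSF manages iptables; 1 otherwise.
firewalld_masked() {
  printf '%s\n' "$1" | grep -q 'Loaded: masked'
}

# Demo with a constructed port list; redirect to a file to load it at boot.
csf_rules "22,80,443"
```

Saving the output to a file and replaying it at boot is the "put that in a file" approach the post mentions; validating the port list first keeps a typo in the config from becoming a rule that silently accepts nothing or everything.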
 
But why make things hard when it's possible to do things the easy way? With CSF it is way easier, and it also has the option to add custom lines you want to use.
Sometimes CSF is not working well, or another Linux installation is not using it; you can have a kind of sample / example / default base iptables configuration that way.

Oh yeah, also you don't have to be so afraid if CSF is not starting while mostly iptables is (if not, the cause of not starting is IPTABLES itself).
 