Ping - firewalld

ProdigyLv
Posts: 8
Joined: 2017/09/19 12:42:31

Ping - firewalld

Post by ProdigyLv » 2020/11/12 08:51:42

Hi!

I can't ping Windows machines on the local network from a CentOS VM. I get the message "ping: temp: Name or service not known".
When I disable firewalld, ping works!

[root@supervm ~]# ping temp
PING temp (192.168.3.158) 56(84) bytes of data.
64 bytes from 192.168.3.158 (192.168.3.158): icmp_seq=1 ttl=128 time=1.04 ms
64 bytes from 192.168.3.158 (192.168.3.158): icmp_seq=2 ttl=128 time=1.00 ms
64 bytes from 192.168.3.158 (192.168.3.158): icmp_seq=3 ttl=128 time=0.942 ms
64 bytes from 192.168.3.158 (192.168.3.158): icmp_seq=4 ttl=128 time=0.918 ms

firewalld --list-all :

target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: cockpit dhcpv6-client http https ssh
ports: 3306/tcp 10050-10051/tcp 53/tcp 43/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

What changes do I need to make in firewalld for ping to work?

Sorry for my English!

jlehtone
Posts: 3180
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Ping - firewalld

Post by jlehtone » 2020/11/12 13:19:08

Code:

$ ping snafu
ping: snafu: Name or service not known
$ host snafu
Host snafu not found: 3(NXDOMAIN)
Ping apparently says "Name or service not known" if it cannot resolve the name (temp) into an IP address (192.168.3.158).

Code:

$ grep ^hosts /etc/nsswitch.conf
hosts:      files dns
The name resolution is usually configured to use files first. That is, look in /etc/hosts.
That file does not contain "foreign names" by default:

Code:

$ cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
The second option is to use dns, which means consulting the DNS server(s) that are configured in /etc/resolv.conf:

Code:

$ cat /etc/resolv.conf
# Generated by NetworkManager
search my.awesome.domain
nameserver 192.168.69.254
The config that you have shown does not explain the problem.

Can you ping with the IP address when the firewall is on?

Code:

ping 192.168.3.158
Can you resolve names when the firewall is on?

Code:

host temp
host www.centos.org
(If you don't have command 'host' installed, you might have command 'dig'.)
Can you ping the first nameserver that you have in your /etc/resolv.conf?

You can see all your actual firewall rules with:

Code:

sudo iptables -S
sudo iptables -t nat -S
sudo iptables -t mangle -S

ProdigyLv
Posts: 8
Joined: 2017/09/19 12:42:31

Re: Ping - firewalld

Post by ProdigyLv » 2020/11/12 19:49:19

The config that you have shown does not explain the problem.

Can you ping with the IP address when firewall is on?
Firewalld - ON:
I can ping DNS server by IP
I can ping any PC/VM/any network device by IP
I can't ping by hostname

Firewalld - OFF
I can ping DNS server by IP
I can ping any PC/VM/any network device by IP
I can ping by hostname

nano /etc/resolv.conf
nameserver 192.168.2.60
nameserver 192.168.3.100

..hmmm host/nslookup can't resolve DNS:
;; Got SERVFAIL reply from 192.168.2.60, trying next server
Server: 192.168.3.100
Address: 192.168.3.100#53

** server can't find temp: SERVFAIL

pjsr2
Posts: 526
Joined: 2014/03/27 20:11:07

Re: Ping - firewalld

Post by pjsr2 » 2020/11/12 20:42:44

Are you running a samba server on the linux box? That might explain things. You haven't opened any ports for the samba.
Your samba server may be resolving host names for the windows computers through the netbios name service, which will not work when your firewall is active. Are you sure there are indeed DNS servers running on 192.168.2.60 and 192.168.3.100?

In case you are running the samba server and you want to open your firewall for it, you can use:

Code:

sudo firewall-cmd --add-service=samba
(To make the change persistent, use "sudo firewall-cmd --add-service=samba --permanent")

You have 53/tcp open in your firewall. That is weird. DNS defaults to udp on port 53, only falling back to 53/tcp when udp fails. Are you running a DNS server on your linux box? If not, you can remove 53/tcp from the allowed ports in your firewall.

kdpatil
Posts: 31
Joined: 2020/10/20 07:19:31

Re: Ping - firewalld

Post by kdpatil » 2020/11/15 06:13:28

Is nslookup to IP & FQDN OK?

aks
Posts: 3045
Joined: 2014/09/20 11:22:14

Re: Ping - firewalld

Post by aks » 2020/11/15 18:24:17

Aren't you just missing port rule 53/udp?

ProdigyLv
Posts: 8
Joined: 2017/09/19 12:42:31

Re: Ping - firewalld

Post by ProdigyLv » 2020/11/16 11:22:10

kdpatil wrote:
2020/11/15 06:13:28
Is nslookup to IP & FQDN OK?
FQDN ping/nslookup works!

I add /etc/resolv.conf :
search mydomain.com
and now everything works!


thank you all!!

jlehtone
Posts: 3180
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Ping - firewalld

Post by jlehtone » 2020/11/16 12:43:07

ProdigyLv wrote:
2020/11/16 11:22:10
I add /etc/resolv.conf :
Reboot and check that you still have it. A default is that NetworkManager writes the /etc/resolv.conf.
If it does and you did not tell it to add the "search" field, then you need to tune your config some more.

ProdigyLv
Posts: 8
Joined: 2017/09/19 12:42:31

Re: Ping - firewalld

Post by ProdigyLv » 2020/11/16 13:03:05

jlehtone wrote:
2020/11/16 12:43:07
ProdigyLv wrote:
2020/11/16 11:22:10
I add /etc/resolv.conf :
Reboot and check that you still have it. A default is that NetworkManager writes the /etc/resolv.conf.
If it does and you did not tell it to add the "search" field, then you need to tune your config some more.

I added: nmcli con mod eth0 ipv4.dns-search "myDomain.com"

It seems that now everything works even after restart. Thank you very much
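Why the "search" entry made "ping temp" work: the stub resolver only appends search domains to names with fewer than ndots (default 1) dots, so "temp" became "temp.mydomain.com" while "www.centos.org" was always tried as-is. The script below, added here and not part of any post in this thread, reproduces that expansion offline against a constructed resolv.conf; the domain name and addresses are sample values, not the poster's real ones.

```shell
#!/bin/sh
# Constructed sample resolv.conf text (not the poster's actual file).
SAMPLE_RESOLV='# Generated by NetworkManager
search mydomain.com
nameserver 192.168.2.60
nameserver 192.168.3.100'

# Print the search list from resolv.conf text read on stdin.
# As in glibc, the last "search" line wins; "domain" is not handled here.
search_domains() {
    awk '$1 == "search" { $1 = ""; out = $0 } END { print out }' | sed 's/^ *//'
}

# Count the dots in a name; the resolver compares this against ndots.
dot_count() {
    printf '%s' "$1" | tr -cd '.' | wc -c | tr -d ' '
}

# Emit the candidate names the resolver will query, in order:
# fewer than ndots dots -> search domains appended first, then the bare name;
# otherwise the bare name first, then the search domains appended.
candidates() {
    name=$1; domains=$2; ndots=${3:-1}
    if [ "$(dot_count "$name")" -lt "$ndots" ]; then
        for d in $domains; do printf '%s.%s\n' "$name" "$d"; done
        printf '%s\n' "$name"
    else
        printf '%s\n' "$name"
        for d in $domains; do printf '%s.%s\n' "$name" "$d"; done
    fi
}

main() {
    domains=$(printf '%s\n' "$SAMPLE_RESOLV" | search_domains)
    echo "search list: $domains"
    echo "lookups tried for 'temp':"
    candidates temp "$domains"
    echo "lookups tried for 'www.centos.org':"
    candidates www.centos.org "$domains"
}
main
```

Without a search line the list is empty and "temp" is sent to the nameservers unqualified, which is exactly the SERVFAIL/NXDOMAIN shown earlier in the thread.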
