Unable to ping; "operation not permitted"

Issues related to configuring your network
poltr1
Posts: 25
Joined: 2020/01/03 21:43:57
Location: Dayton OH USA

Unable to ping; "operation not permitted"

Post by poltr1 » 2021/12/22 20:09:28

Several of my CentOS 7 systems are getting a strange error. If they try to ping a site, whether it's local or remote (e.g. Google's DNS server), they'll get a message "operation not permitted". Someone else suggested it might be a firewall issue, so I flushed the firewall rules and reset them, thusly:

    alias goose='sudo -- bash -c '\''iptables -F INPUT;iptables -F FORWARD;iptables -F OUTPUT;iptables -P INPUT ACCEPT;iptables -P FORWARD ACCEPT;iptables -P OUTPUT ACCEPT'\'''
    goose

This step, which I called "goosing the system", worked. Admittedly, this is a workaround, and not a fix. Further investigation showed that there is a missing config setting in /etc/firewalld/firewalld.conf called "AllowZoneDrifting". If it isn't specified, it will default to 'yes'. I added it to the affected systems and it appears to work on most of them.

    # AllowZoneDrifting
    # Older versions of firewalld had undocumented behavior known as "zone
    # drifting". This allowed packets to ingress multiple zones - this is a
    # violation of zone based firewalls. However, some users rely on this behavior
    # to have a "catch-all" zone, e.g. the default zone. You can enable this if you
    # desire such behavior. It's disabled by default for security reasons.
    # Note: If "yes" packets will only drift from source based zones to interface
    # based zones (including the default zone). Packets never drift from interface
    # based zones to other interfaces based zones (including the default zone).
    # Possible values; "yes", "no". Defaults to "yes".
    AllowZoneDrifting=no

But there's one system on which this continues to happen, despite the workaround, the addition to firewalld.conf, and setting up a cron job to goose the system every two hours. I looked at the firewalld log file and nothing in there appeared to be out of the ordinary. Is there something else I'm missing?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Unable to ping; "operation not permitted"

Post by TrevorH » 2021/12/22 20:27:17

What's the output from rpm -V iputils ?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

poltr1
Posts: 25
Joined: 2020/01/03 21:43:57
Location: Dayton OH USA

Re: Unable to ping; "operation not permitted"

Post by poltr1 » 2021/12/23 14:13:30

For my system (which no longer has the issue), and another system (which still has the issue), the output is empty.

I verified that the iputils package is installed on both systems via yum list iputils:

    Installed Packages
    iputils.x86_64        20160308-10.el7         @anaconda

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Unable to ping; "operation not permitted"

Post by TrevorH » 2021/12/23 18:38:15

It would be quite difficult to get a system without iputils installed.

If you run rpm -V it verifies all files that belong to that package match the expected checksums. No output means that all files match.

What's the output from ls -laZ /etc/nss\* ?

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Unable to ping; "operation not permitted"

Post by jlehtone » 2021/12/23 19:07:59

poltr1 wrote:
2021/12/22 20:09:28
This step, which I called "goosing the system", worked. Admittedly, this is a workaround, and not a fix.
...
and setting up a cron job to goose the system every two hours.
That is indeed blunt. If you don't want to filter (block) anything, i.e. "no firewall", then not starting the firewalld would be an option (unless you need to NAT on the machine). The other way to do that is to put all interfaces to zone "trusted"; it allows all traffic.

How does one set the zone of an interface? Surprisingly, not with 'firewall-cmd', but with 'nmcli'.

Let's say you have a connection named "em1" for network device "em1". (You can see your connections with 'nmcli c s'.)
To make that connection use zone "trusted", one does:

    nmcli c mod em1 connection.zone trusted

If no zone is set, then the zone is "public". While it blocks most incoming traffic, it does allow replies both ways and it allows everything to go out.

If a packet belongs to an explicit zone and that zone does not explicitly handle the packet, then the packet "falls through".
If AllowZoneDrifting=yes, then the packet goes to default zone.
If AllowZoneDrifting=no, then the packet goes directly to "catch all" rule at end of INPUT chain, which is reject in default config.
Zone drifting is not nice; fate of packet might depend on rules of two zones. It was the initial behaviour and Red Hat kept it as default
when the 'AllowZoneDrifting=no' option was introduced so that existing setups would not break (if they unknowingly did "work" due to zone drift).


The "operation not permitted" does not sound like something that a program says when it cannot create a connection (or receive a "pong").
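An offline audit script for the three things this thread turns on (the effective AllowZoneDrifting value, which connections have no explicit zone, and what sits in the iptables OUTPUT chain that the original poster keeps flushing). This is an added example, not code from any poster; the firewalld.conf excerpt, the "NAME:ZONE" connection lines and the `iptables -S OUTPUT` lines at the bottom are constructed samples, and the live_* helpers assume a CentOS 7 host whose nmcli supports `-g` (--get-values).

```shell
#!/bin/sh
# Added example for this thread (not code from any poster). Every audit
# function works on text passed as an argument, so the constructed samples
# at the bottom run anywhere; the live_* helpers show which commands would
# feed real data on a CentOS 7 host.

# Effective value of a firewalld.conf key: the last uncommented assignment
# if present, otherwise the default given as $3 (AllowZoneDrifting defaults
# to "yes" when absent, as the config comment quoted in the first post says).
conf_value() {
    # $1 = config text, $2 = key, $3 = default
    v=$(printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*$2=[[:space:]]*\([^[:space:]]*\).*/\1/p" \
        | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# Where a packet whose zone has no matching rule ends up, per jlehtone's
# description: the default zone when drifting is on, the catch-all REJECT
# at the end of INPUT when it is off.
fall_through_target() {
    # $1 = config text
    if [ "$(conf_value "$1" AllowZoneDrifting yes)" = no ]; then
        printf '%s\n' "catch-all REJECT"
    else
        printf 'default zone (%s)\n' "$(conf_value "$1" DefaultZone public)"
    fi
}

# Classify one NetworkManager connection from a constructed "NAME:ZONE" line
# (empty ZONE means connection.zone is unset, so the default zone applies).
classify_connection() {
    name=${1%%:*}
    zone=${1#*:}
    case "$zone" in
        "")      printf '%s: no zone set, uses default zone\n' "$name" ;;
        trusted) printf '%s: zone trusted, all traffic accepted (no filtering)\n' "$name" ;;
        *)       printf '%s: zone %s\n' "$name" "$zone" ;;
    esac
}

# OUTPUT-chain entries that stop locally generated packets, from
# `iptables -S OUTPUT` style text. Flushing OUTPUT cured the symptom in the
# first post, so this is the chain to inspect before a blanket flush.
output_blockers() {
    # $1 = rule text, one rule per line
    printf '%s\n' "$1" | grep -E '^-(A|P) OUTPUT .*(DROP|REJECT)' || true
}

audit_report() {
    # $1 = firewalld.conf text, $2 = NAME:ZONE lines, $3 = iptables -S OUTPUT text
    printf 'AllowZoneDrifting: %s\n' "$(conf_value "$1" AllowZoneDrifting yes)"
    printf 'Unmatched packets go to: %s\n' "$(fall_through_target "$1")"
    printf '%s\n' "$2" | while IFS= read -r line; do classify_connection "$line"; done
    b=$(output_blockers "$3")
    if [ -n "$b" ]; then printf 'OUTPUT entries that can block pings:\n%s\n' "$b"
    else printf 'OUTPUT chain has no DROP/REJECT entries\n'; fi
}

# Live data sources for a real host (assumed available, not run here).
live_conf()             { cat /etc/firewalld/firewalld.conf; }
live_connection_zones() {
    nmcli -g NAME c s | while IFS= read -r n; do
        printf '%s:%s\n' "$n" "$(nmcli -g connection.zone c s "$n")"
    done
}
live_output_rules()     { iptables -S OUTPUT; }

# Constructed samples: one connection with no zone, one in "trusted", and an
# OUTPUT chain ending in a REJECT.
SAMPLE_CONF='# firewalld.conf excerpt (constructed)
DefaultZone=public
AllowZoneDrifting=no'
SAMPLE_CONNS='em1:
em2:trusted'
SAMPLE_OUTPUT='-P OUTPUT ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable'

audit_report "$SAMPLE_CONF" "$SAMPLE_CONNS" "$SAMPLE_OUTPUT"
```

On a live host, replace the three samples with `"$(live_conf)"`, `"$(live_connection_zones)"` and `"$(live_output_rules)"`. Putting an interface in "trusted" is reported explicitly because it disables filtering for that interface entirely; it should be a deliberate choice, not a side effect of chasing a ping error.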

poltr1
Posts: 25
Joined: 2020/01/03 21:43:57
Location: Dayton OH USA

Re: Unable to ping; "operation not permitted"

Post by poltr1 » 2021/12/27 14:21:00

Output from ls -laZ /etc/nss* (my system):

    -rw-r--r--. root root system_u:object_r:etc_t:s0       /etc/nsswitch.conf
    -rw-r--r--. root root system_u:object_r:etc_t:s0       /etc/nsswitch.conf.bak

Output from ls -laZ /etc/nss* (other system requiring iptables every 2 hours):

    -rw-r--r--. root root system_u:object_r:etc_t:s0       /etc/nsswitch.conf
    -rw-r--r--. root root system_u:object_r:etc_t:s0       /etc/nsswitch.conf.bak
    -rw-r--r--. root root system_u:object_r:etc_t:s0       /etc/nsswitch.conf.rpmnew

The only significant difference between nsswitch.conf and nsswitch.conf.rpmnew is the line listing the hosts:

    # My system
    hosts:      files dns myhostname
    # Other system:
    hosts:      files dns

There's also an added comment about running nscd with a secondary caching service, such as sssd.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Unable to ping; "operation not permitted"

Post by jlehtone » 2021/12/28 06:43:58

The myhostname was a fallback, should files and dns fail (see man nss-myhostname) but has its own peculiarities: https://access.redhat.com/solutions/1287253
Hence it is no longer used. That does not explain your error.

poltr1
Posts: 25
Joined: 2020/01/03 21:43:57
Location: Dayton OH USA

Re: Unable to ping; "operation not permitted"

Post by poltr1 » 2021/12/30 16:25:59

Update: Despite the AllowZoneDrifting=no addition to firewalld.conf, this is still happening on a few of my systems, including my own. It's not happening as often, though. I've also noticed that this is happening only on the systems I've built and deployed in the past few months. I'm curious if any relevant packages changed at around that time (August 15 or later).
