CentOS

FirewallD seems to work on our CentOS 8.3.2011 server however when you look at the status it shows the following:

[root@Server user]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2020-12-13 02:30:41 MST; 2 days ago
Docs: man:firewalld(1)
Main PID: 895 (firewalld)
Tasks: 2 (limit: 23616)
Memory: 39.0M
CGroup: /system.slice/firewalld.service
└─895 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid

Dec 13 02:30:38 Server.domain.com systemd[1]: Starting firewalld - dynamic firewall daemon...
Dec 13 02:30:41 Server.domain.com systemd[1]: Started firewalld - dynamic firewall daemon.
Dec 13 02:30:41 Server.domain.com firewalld[895]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabli>
Dec 13 02:30:43 Server.domain.com firewalld[895]: ERROR: INVALID_SERVICE: smtp.xml
Dec 13 02:30:43 Server.domain.com firewalld[895]: ERROR: 'python-nftables' failed: internal:0:0-0: Error: No such file or directory

internal:0:0-0: Error: No such file or directory

internal:0:0-0: Error: No such file or directory

internal:0:0-0: Error: No such file or directory

internal:0:0-0: Error: No such file or directory

internal:0:0-0: Error: No such file or directory

internal:0:0-0: Error: No such file or directory

internal:0:0-0: Error: No such file or directory

internal:0:0-0: Error: No such file or directory


JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_public"}}}, {"add": {"c>
Dec 13 02:30:43 Server.domain.com firewalld[895]: ERROR: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: No such file or directory

internal:0:0-0: Error: No such file or directory

internal:0:0-0: Error: No such file or directory

internal:0:0-0: Error: No such file or directory

internal:0:0-0: Error: No such file or directory

internal:0:0-0: Error: No such file or directory

internal:0:0-0: Error: No such file or directory

internal:0:0-0: Error: No such file or directory

internal:0:0-0: Error: No such file or directory


JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_public"}}}, {"add": {"c>

However when looking at what it claims to be doing:
[root@Server user]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: cockpit ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

New rules also appear to take effect after restarting the service:
services: cockpit http https ssh

This server is in a DMZ and I don't yet have a device to run nmap against this server to truly verify that firewalld is indeed running.

Are the errors I am seeing a concern? I have found a reference to a version 8.1 bug but nothing else.

The warning is just a notification. A remainder about a change that has/will happen.

What is wrong with file 'smtp.xml'?
Firewalld does provide /usr/lib/firewalld/services/smtp.xml. If that file is corrupt, then what else is corrupt?
If you have modified that service, then the modified version should be /etc/firewalld/services/smtp.xml

No package seems to provide "python-nftables". Perhaps it is some internal name that firewalld's scripts use?


More of service's log can be seen with sudo journalctl -u firewalld

You can see the actual, active ruleset that is in the kernel with sudo nft list ruleset
That output should be quite long (but not many concrete rules).

Not sure what's wrong with smtp.xml. I'm not at all sure this server needs inbound SMTP so I am going to remove this line from public.xml.

Here are the contents of smtp.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>Mail (SMTP)</short>
<description>This option allows incoming SMTP mail delivery. If you need to allow remote hosts to connect directly to your machine to deliver mail, enable this option. You do not need to enable this if you collect your mail from your ISP's server by POP3 or IMAP, or if you use a tool such as fetchmail. Note that an improperly configured SMTP server can allow remote machines to use your server to send spam.</description>
<port protocol="tcp" port="25"/>
</service>

Interestingly I received the same error with Rsyncd and removing that service allowance also removed the errors. Neither of these services have been setup on this server yet. Is that the possible problem? Is it possible these errors will disappear once these services are installed and started?

wolfrR1der wrote: ↑

2020/12/15 20:02:49

Neither of these services have been setup on this server yet. Is that the possible problem? Is it possible these errors will disappear once these services are installed and started?

No. Firewall rules are entirely separate from processes that accept connections.