Thursday, July 9, 2015

Unable to reload rules in firewalld 0.3.14.2-1 Archlinux (workaround: restart firewalld.service)

firewalld is a dynamic firewall daemon developed upstream by the Fedora project; it manages zones and named services and generates the underlying iptables rules for you. Personally, I find working with firewalld much more pleasant than trying to decipher and hand-write arcane static iptables rules.

Although Archlinux is generally a cutting-edge distro that gives users the newest upstream packages and kernels, in my humble opinion it lags behind Fedora/RHEL/CentOS in the security department. SELinux and firewalld are set up by default in Fedora et al., but in Archlinux only firewalld is available from the default repositories. As of June 2015, SELinux can be installed on Arch, but the SELinux policies have not been adapted for Archlinux (i.e. the default policies assume Fedora/RHEL paths and filenames).

A test machine running Arch and firewalld also happened to be an NFS server, and NFS clients could no longer connect to it because of the firewall. Since I only use NFS within my LAN, I assigned the Ethernet port enp1s0 to the firewalld internal zone and then added the NFS-related services to internal as follows. Note that the interface assignment below is made without --permanent, so it is a runtime change unless firewalld hands the zone binding to NetworkManager's connection profile for that interface; the service additions use --permanent and therefore do not take effect until the configuration is reloaded:

$ sudo firewall-cmd --zone=internal --change-interface=enp1s0
[sudo] password for archjun: 
success
$ sudo firewall-cmd --permanent --zone=internal --add-service=nfs
success
$ sudo firewall-cmd --permanent --zone=internal --add-service=rpc-bind
success
$ sudo firewall-cmd --permanent --zone=internal --add-service=mountd

Permanent changes are not active until firewalld reloads its configuration, so the next step is:

$ sudo firewall-cmd --reload
Error: 'NoneType' object has no attribute 'query_rule'

I verified that the services I added above (nfs, rpc-bind, and mountd) were not yet reflected in the running configuration:

$ firewall-cmd --zone=internal --list-all
internal (active)
  interfaces: enp1s0
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules:

I looked for any firewalld-related errors in the systemd journal (journalctl), but found nothing of interest.

Googling for the error above did not turn up any relevant results. I also tried the firewalld GUI, firewall-config, and ticked the checkbox for each service to whitelist in zone internal:



Runtime changes apply only to the current session, whereas Permanent changes are written to the configuration on disk and survive reloads and restarts. I assumed that changing Runtime rules in the GUI would be applied immediately, but this was not the case; I am not sure whether this is a problem with firewall-config on Archlinux or a gap in my understanding. When I clicked Options -> Reload Firewalld, I got the exact same error that firewall-cmd gave me:

'NoneType' object has no attribute 'query_rule'



As a last resort, I restarted the daemon itself:

$ sudo systemctl restart firewalld

Restarting firewalld.service discards the runtime configuration and rebuilds it from the permanent configuration, so the permanent changes I made to the internal zone with firewall-cmd finally appear. Two caveats: anything that was configured only at runtime is lost, and because firewalld by default flushes all of its rules when it stops (CleanupOnExit=yes in firewalld.conf), the host runs with no firewall for the short window between the stop and the start, which is worth keeping in mind on a machine exposed to untrusted networks. After the restart:

$ firewall-cmd --zone=internal --list-all
internal (active)
  interfaces: enp1s0
  sources: 
  services: dhcpv6-client mdns mountd nfs rpc-bind rsyncd samba-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules:

*Note: although firewalld names the rpcbind service rpc-bind, the systemd unit is rpcbind.service, not rpc-bind.service.
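The whole procedure with the workaround folded in, as an added example script written for this post (it is not the post's own commands, nor anything shipped by firewalld or Arch): it binds the interface to the zone, adds each service to the zone's permanent configuration only if it is missing, tries firewall-cmd --reload, falls back to restarting firewalld.service when the reload fails as it did above, and finally checks that the runtime zone actually lists every requested service. The zone, interface and service list are the ones from this post. The FIREWALL_CMD and SYSTEMCTL variables are an assumption of the script, there so the logic can be exercised against stand-in commands without touching a live firewall; they are not a firewalld feature. Run it as root with --apply.

```sh
#!/bin/sh
# Added example for this post, not the post's own commands and not part of
# firewalld. Applies NFS services to the internal zone and works around a
# failing `firewall-cmd --reload` by restarting firewalld.service.
# Usage (as root): sh apply-nfs-zone.sh --apply
set -eu

ZONE=${ZONE:-internal}
IFACE=${IFACE:-enp1s0}
SERVICES=${SERVICES:-"nfs rpc-bind mountd"}
# Assumed hooks so the functions can be tested with stand-ins; on a real
# machine they resolve to the real binaries.
FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}
SYSTEMCTL=${SYSTEMCTL:-systemctl}

# Add one service to the zone's permanent configuration only if it is not
# already there. `--query-service` exits 0 when the service is present.
# Prints "present" or "added" so the caller can report what happened.
add_service_permanent() {
    zone=$1; svc=$2
    if "$FIREWALL_CMD" --permanent --zone="$zone" --query-service="$svc" >/dev/null 2>&1; then
        echo present
    else
        "$FIREWALL_CMD" --permanent --zone="$zone" --add-service="$svc" >/dev/null
        echo added
    fi
}

# Try the normal path first. If the reload fails (as with the
# "'NoneType' object has no attribute 'query_rule'" error in this post),
# restart the unit, which rebuilds the runtime state from the permanent
# configuration. Prints "reload" or "restart" to say which path was taken.
reload_or_restart() {
    if "$FIREWALL_CMD" --reload >/dev/null 2>&1; then
        echo reload
    else
        "$SYSTEMCTL" restart firewalld.service
        echo restart
    fi
}

# Confirm the runtime zone lists every requested service. Prints "ok", or
# "missing: <names>" and returns 1 when any service is absent.
verify_runtime_services() {
    zone=$1; shift
    active=$("$FIREWALL_CMD" --zone="$zone" --list-services)
    missing=""
    for svc in "$@"; do
        case " $active " in
            *" $svc "*) ;;
            *) missing="$missing $svc" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo ok
}

main() {
    # Runtime interface binding, exactly as in the post (idempotent to repeat).
    "$FIREWALL_CMD" --zone="$ZONE" --change-interface="$IFACE" >/dev/null
    for svc in $SERVICES; do
        printf '%s: %s\n' "$svc" "$(add_service_permanent "$ZONE" "$svc")"
    done
    printf 'applied via: %s\n' "$(reload_or_restart)"
    verify_runtime_services "$ZONE" $SERVICES
}

if [ "${1:-}" = "--apply" ]; then
    main
fi
```

The final verification step is the part worth keeping even once the reload bug is gone: a reload that returns success but leaves a service out of the runtime zone is exactly the kind of silent failure this post ran into, and checking --list-services after the fact catches it.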


Update 2015-07-10

On another Archlinux machine running Openbox, reloading firewalld rules with firewall-cmd --reload works just fine. The problem described in this post occurred on an Archlinux machine running the LXDE desktop environment. Perhaps the problems I experienced are somehow related to LXDE?

References:

https://fedoraproject.org/wiki/User:Renich/HowTo/NFSv4 (with firewalld)

https://fedoraproject.org/wiki/FirewallD#Using_firewall-cmd