[Solved] firewall-cmd ipset removal

lightman47
Posts: 1521
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Post by lightman47 » 2019/01/19 18:26:01

Some time back I implemented an ipset called networkblock and have since come to think it isn't working or my scope was wrong. To that end and using man pages & web searches, I was able to successfully delete the ipset with firewall-cmd --permanent --delete-ipset=networkblock.

After a subsequent reboot, I did a systemctl status firewalld -l. The service started and is running, but is now complaining about the ipset reference I'd likely placed in the drop zone (I don't understand a lot of this).

Code:

firewalld[4046]: WARNING: drop: INVALID_IPSET: networkblock

I've again browsed and read the man pages and can't seem to find the command that will "disconnect" the now gone ipset from the drop zone. My fear is that banging-away at firewalld with trial commands to 'see if it works', like I'd know, may disable things I don't want disabled (I've already made some attempts).

I'd appreciate your help. Apologies, and thank you.
Last edited by lightman47 on 2019/01/23 14:31:29, edited 1 time in total.

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: firewall-cmd ipset removal

Post by hunter86_bg » 2019/01/21 10:57:12

Can you paste the firewall-cmd output?

Re: firewall-cmd ipset removal

Post by lightman47 » 2019/01/21 13:13:34

Certainly (in its entirety) -

Code:

$ sudo systemctl status firewalld -l
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2019-01-20 09:08:07 EST; 23h ago
     Docs: man:firewalld(1)
 Main PID: 4037 (firewalld)
    Tasks: 2
   CGroup: /system.slice/firewalld.service
           └─4037 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Jan 20 09:08:06 wmachine.domain systemd[1]: Starting firewalld - dynamic firewall daemon...
Jan 20 09:08:07 wmachine.domain systemd[1]: Started firewalld - dynamic firewall daemon.
Jan 20 09:08:15 wmachine.domain firewalld[4037]: WARNING: drop: INVALID_IPSET: networkblock

Re: firewall-cmd ipset removal

Post by lightman47 » 2019/01/22 19:01:48

Obviously, I've successfully deleted the ipset, but firewalld retains some reference in the DROP zone (where I placed it). BTW - all the setup for this ipset was done via command line, not the gui. It never did show up in the gui - something about which I'd always wondered.

Re: firewall-cmd ipset removal

Post by hunter86_bg » 2019/01/22 20:57:47

Have you tried:

Code:

grep -R networkblock /etc/firewalld/

At least it can give a hint where exactly that stuff is...

Edit: Also running

Code:

firewall-cmd --list-all-zones

might show any entry you might have forgotten.

Re: firewall-cmd ipset removal

Post by lightman47 » 2019/01/23 14:31:00

OK - your first command resulted in output from drop.xml that included the ipset name (networkblock).

After comparing to another system, the other system contained NO drop.xml at all. I then used your second command (list all zones) on both systems - the results were identical.

Based upon that, I removed the drop.xml file from the 'problem' server and rebooted it. The error is now gone!

Thank you
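Added example (not part of the thread and not firewalld's own code): a shell check that generalizes the grep suggested above by listing every zone whose XML references an ipset with no definition file in the same configuration directory. The function names, the sample tree and the `goodset` ipset are constructed for illustration; it assumes zones reference sets through an `ipset="name"` attribute and that definitions live in `ipsets/<name>.xml` under the directory passed in.

```shell
#!/bin/sh
# Added example: find zone files that reference an ipset with no definition.
# Assumption: only the given config dir (default /etc/firewalld) is checked.

find_dangling_ipsets() {
    conf=${1:-/etc/firewalld}
    for zone in "$conf"/zones/*.xml; do
        [ -f "$zone" ] || continue          # glob matched nothing
        # Collect every ipset="name" attribute (zone sources and rich rules).
        grep -o 'ipset="[^"]*"' "$zone" | sed 's/^ipset="//; s/"$//' | sort -u |
        while read -r name; do
            # A definition file exists: the reference is valid.
            [ -f "$conf/ipsets/$name.xml" ] && continue
            # Output format: <zone> <missing ipset>
            printf '%s %s\n' "$(basename "$zone" .xml)" "$name"
        done
    done
}

# Constructed sample tree: a drop zone that references one deleted ipset
# (networkblock, as in the thread) and one that still exists (goodset).
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/zones" "$dir/ipsets"
    cat > "$dir/zones/drop.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <short>Drop</short>
  <source ipset="networkblock"/>
  <source ipset="goodset"/>
</zone>
EOF
    cat > "$dir/ipsets/goodset.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:net"/>
EOF
    echo "$dir"
}

sample=$(make_sample)
find_dangling_ipsets "$sample"
rm -rf "$sample"
```

Removing the zone source with `firewall-cmd --permanent --zone=drop --remove-source=ipset:networkblock` before deleting the ipset avoids leaving such a reference behind.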
