Checking my 4 CentOS 7 systems, I was lucky. The first to upgrade was my local, and by breaking my Internet connectivity entirely, I had time to turn off the automated updates on two of the other 3 (one was off) before they upgraded. All the three 7.5 systems are still running 0.4.4.4, although two are release 14.el7, one is strangely 15.el7_5.
The broken system has not altered the firewalld config files under /etc/firewalld. I am aware of the ipset changes, which may affect if/how fail2ban works, but this is not my current concern. There is no sign of this issue in upstream known issues or errata. To be clear, my un-updated systems have iptables chains in the filter table with "trusted" in the name, 24 times, such as IN_trusted_allow. My updated system has 0 - none. The zones themselves still exist, my internal interface is still in the "trusted" zone, but there are no chains for "trusted", so no firewall rules; all "trusted" traffic falls through to the log and drop defaults.
Any assistance would be appreciated. For the first time I can recall, I have no idea how to troubleshoot this. Since it is a rebase, not just an upgrade, I can't even downgrade to 0.4.4.4, as it is no longer visible to yum. (Yes, I intend to find my way around that, although with unknown possible repercussions.)
Code:
firewall-cmd --list-all --zone=trusted
trusted (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: enp3s0
sources:
services: snmp
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
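The symptom described above is that firewalld reports the zone as active with target ACCEPT, yet the kernel has no IN_&lt;zone&gt;_allow chain for it, so nothing in firewalld's own output reveals the gap. The following script is an added example, not code from the post or from the firewalld project: it compares the list of active zones against the chains present in an iptables-save dump and names every zone with no IN_&lt;zone&gt;_allow chain. It assumes the chain-naming pattern shown in the post (IN_trusted_allow) holds for every zone under firewalld's iptables backend, which is the case for the 0.4.x series; the function names and the sample iptables-save text are constructed for the example.

```shell
#!/bin/sh
# Detect firewalld zones that are active but have no backing iptables
# chains. Added example; function names and sample data are constructed.

# zones_missing_chains ZONES RULES
#   ZONES: whitespace-separated active zone names
#   RULES: full text of an iptables-save dump
# Prints the zones for which no ":IN_<zone>_allow" chain declaration exists.
zones_missing_chains() {
    zones=$1
    rules=$2
    missing=""
    for z in $zones; do
        # iptables-save declares chains as ":IN_<zone>_allow - [0:0]" in *filter.
        if ! printf '%s\n' "$rules" | grep -q "^:IN_${z}_allow "; then
            missing="${missing:+$missing }$z"
        fi
    done
    printf '%s\n' "$missing"
}

# Constructed sample: "public" has its chains, "trusted" does not, which
# mirrors the state reported in the post (zone active, zero trusted chains).
SAMPLE_ZONES="trusted public"
SAMPLE_IPTABLES_SAVE='*filter
:INPUT DROP [0:0]
:INPUT_ZONES - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
-A INPUT -i enp3s0 -j INPUT_ZONES
-A INPUT_ZONES -i eth0 -j IN_public
COMMIT'

# Stand-alone demo on the constructed sample.
echo "zones lacking chains (sample): $(zones_missing_chains "$SAMPLE_ZONES" "$SAMPLE_IPTABLES_SAVE")"

# Optional live mode (needs root for iptables-save):
#   sh zone_chain_check.sh --live
# Zone names in --get-active-zones output are the lines that are not indented.
if [ "${1:-}" = "--live" ] && command -v firewall-cmd >/dev/null 2>&1; then
    live_zones=$(firewall-cmd --get-active-zones | awk '!/^[[:space:]]/')
    live_rules=$(iptables-save)
    echo "zones lacking chains (live): $(zones_missing_chains "$live_zones" "$live_rules")"
fi
```

Run it as root with --live on an affected host; a non-empty result for a zone that firewall-cmd --list-all shows as active is exactly the mismatch in the post, and is worth checking after any firewalld package change before trusting the zone's rules.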