systemd dependency issue bkz of firewalld-iptables replacmnt

Support for security such as Firewalls and securing linux
yngens
Posts: 29
Joined: 2010/10/24 02:02:35

systemd dependency issue bkz of firewalld-iptables replacmnt

Postby yngens » 2016/01/13 09:58:56

I am so used to iptables, that on every CentOS 7.x based system replace firewalld with it. So far there was no problems, at least noticeable ones. However, today I looked at the /var/log/messages on one of such CentOS systems and found out systemd complains about firewalld.service dependency:

Code: Select all

Jan 13 01:45:36 ns1 systemd: Cannot add dependency job for unit firewalld.service, ignoring: Unit firewalld.service is masked.

How can I configure systemd to use iptables and stop complaining about firewalld?

giulix63
Posts: 1306
Joined: 2014/05/14 10:06:37
Location: CE(S)T
Contact:

Re: systemd dependency issue bkz of firewalld-iptables repla

Postby giulix63 » 2016/01/13 10:19:49

Please, post the output of the following command run as root:

Code: Select all

find /usr/lib/systemd/system -type f -exec grep -Hi firewalld {} \;

To use iptables, after masking firewalld as you already did, install and enable the iptables-services package.
Root is evil: Do not use root (sudo) to run any of the commands specified in my posts unless explicitly indicated. Please, provide the necessary amount of context to understand your problem/question.

yngens
Posts: 29
Joined: 2010/10/24 02:02:35

Re: systemd dependency issue bkz of firewalld-iptables repla

Postby yngens » 2016/01/13 15:08:35

giulix63 wrote:Please, post the output of the following command run as root:

Code: Select all

find /usr/lib/systemd/system -type f -exec grep -Hi firewalld {} \;



Here is the output:

find /usr/lib/systemd/system -type f -exec grep -Hi firewalld {} \;
/usr/lib/systemd/system/firewalld.service:Description=firewalld - dynamic firewall daemon
/usr/lib/systemd/system/firewalld.service:EnvironmentFile=-/etc/sysconfig/firewalld
/usr/lib/systemd/system/firewalld.service:ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS
/usr/lib/systemd/system/firewalld.service:BusName=org.fedoraproject.FirewallD1
/usr/lib/systemd/system/firewalld.service:Alias=dbus-org.fedoraproject.FirewallD1.service


giulix63 wrote:To use iptables, after masking firewalld as you already did, install and enable the iptables-services package.


It seems I had already installed and been using it:

yum install iptables-services
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.sonn.com
* extras: mirrors.unifiedlayer.com
* updates: mirrors.sonic.net
Package iptables-services-1.4.21-16.el7.x86_64 already installed and latest version
Nothing to do


but how to get rid of that message in the log?

giulix63
Posts: 1306
Joined: 2014/05/14 10:06:37
Location: CE(S)T
Contact:

Re: systemd dependency issue bkz of firewalld-iptables repla

Postby giulix63 » 2016/01/13 15:45:07

Your output is consistent with one on a system running firewalld. Is the iptables service enabled and running?

Code: Select all

systemctl -l status iptables

Apart from that, I wouldn't know of any more places to look at. It is just a warning, anyway...
Root is evil: Do not use root (sudo) to run any of the commands specified in my posts unless explicitly indicated. Please, provide the necessary amount of context to understand your problem/question.

yngens
Posts: 29
Joined: 2010/10/24 02:02:35

Re: systemd dependency issue bkz of firewalld-iptables repla

Postby yngens » 2016/01/13 23:15:11

giulix63 wrote:Your output is consistent with one on a system running firewalld.


Yep, but firewalld had been masked and stopped from the very beginning:

Code: Select all

systemctl mask firewalld
systemctl stop firewalld
systemctl enable iptables
systemctl start iptables


giulix63 wrote:Is the iptables service enabled and running? Apart from that, I wouldn't know of any more places to look at. It is just a warning, anyway...


Yes, it is running per:

Code: Select all

systemctl -l status iptables
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
   Active: active (exited) since Sun 2015-12-27 09:40:43 PST; 2 weeks 3 days ago
  Process: 908 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
 Main PID: 908 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/iptables.service

Dec 27 09:40:42 ns1.myhost.com systemd[1]: Starting IPv4 firewall with iptables...
Dec 27 09:40:43 ns1.myhost.com iptables.init[908]: iptables: Applying firewall rules: [  OK  ]
Dec 27 09:40:43 ns1.myhots.com systemd[1]: Started IPv4 firewall with iptables.


Well, I know it's just a notice, but anyway it tells us the system somewhere is trying to interact with firewalld and it would be nice to track the exact place and replace the setting to iptables to make transition to iptables perfect.
Last edited by yngens on 2017/09/01 21:29:59, edited 1 time in total.

giulix63
Posts: 1306
Joined: 2014/05/14 10:06:37
Location: CE(S)T
Contact:

Re: systemd dependency issue bkz of firewalld-iptables repla

Postby giulix63 » 2016/01/14 08:04:11

yngens wrote:Yep, but firewalld had been masked and stopped from the very beginning:

What I meant is that there is no evident difference between your configuration and one that uses firewalld to explain that message. That being said, you're right, although probably you won't find much interest in getting support for fixing cosmetic issues on something that is about to be decommissioned... Just my opinion, anyway.
Root is evil: Do not use root (sudo) to run any of the commands specified in my posts unless explicitly indicated. Please, provide the necessary amount of context to understand your problem/question.

yngens
Posts: 29
Joined: 2010/10/24 02:02:35

Re: systemd dependency issue bkz of firewalld-iptables repla

Postby yngens » 2016/01/14 09:29:31

giulix63 wrote:something that is about to be decommissioned...


You mean iptables? I though it is a solid one and would be around for a while. In that case I should probably start getting accustomed to firewalld. Thanks anyway!

yngens
Posts: 29
Joined: 2010/10/24 02:02:35

Re: systemd dependency issue bkz of firewalld-iptables replacmnt

Postby yngens » 2017/09/01 21:34:45

This guy fixed it by reenabling gdm service, which didn't help in our case:
http://raindocs.blogspot.com/2016/09/ca ... -unit.html

So I believe the right service which is related to firewalld needs to be identified.


Return to “CentOS 7 - Security Support”

Who is online

Users browsing this forum: No registered users and 2 guests