firewall-cmd from cron script

analytical360
Posts: 9
Joined: 2016/02/29 19:48:14

firewall-cmd from cron script

Post by analytical360 » 2016/02/29 19:58:13

I modified an automatic blacklist script originally written for iptables, to work with firewalld. One part of the script uses firewall-cmd to make sure the rule blocking an ipset is in place, and to create the rule if it is not. The script works great if called from the command line, but when I call it from cron.daily, I get the following error:

ERROR:dbus.proxies:Introspect error on :1.68:/org/fedoraproject/FirewallD1: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
The script hangs at that point, so whatever comes after it in cron.daily never runs.

Commenting out the section of the script that uses firewall-cmd allows the script to run, but I don't like that it's not checking to make sure the rule is in place, in case somehow the rule got removed (accidentally or maliciously).

I initially thought the problem was that the script, and thus firewall-cmd, wasn't being run as root, however when it freezes, the processes are still there, and I can see that they are all run as root.

Is there something I can change that will allow firewall-cmd to function when called from a cron job? Does it have something to do with either the permissions of the script or dbus security policy? I can't seem to find any other references to this problem.

Thanks,

Jeff

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: firewall-cmd from cron script

Post by aks » 2016/03/01 16:54:08

There is a DBus interface in firewalld (see firewalld.dbus) for use by non-interactive applications and services.
Would it be possible to post your script?

analytical360
Posts: 9
Joined: 2016/02/29 19:48:14

Re: firewall-cmd from cron script

Post by analytical360 » 2016/03/01 19:52:39

The script is pretty big, but mostly irrelevant. The portion that causes the problem is this:

# Make sure firewalld carries the direct INPUT rule that REJECTs traffic matching
# the blacklist ipset; unless FORCE=yes, only report that it is missing.
if ! firewall-cmd --direct --get-all-rules | command grep -q "match-set $IPSET_BLACKLIST_NAME"; then
    if [[ ${FORCE:-no} != yes ]]; then
        echo >&2 "Error: firewalld does not have the needed ipset INPUT rule, add it using:"
        echo >&2 "# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports 0:65535 -m set --match-set $IPSET_BLACKLIST_NAME src -j REJECT --reject-with icmp-port-unreachable"
        exit 1
    fi
    # FORCE=yes: add the rule to the permanent configuration, then reload so it
    # also becomes active in the runtime configuration.
    if ! firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports 0:65535 -m set --match-set "$IPSET_BLACKLIST_NAME" src -j REJECT --reject-with icmp-port-unreachable; then
        echo >&2 "Error: while adding the --match-set ipset rule to firewalld"
        exit 1
    fi
    firewall-cmd --reload
fi
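The following is an added example, not the poster's script and not firewalld's own code, of how the same check can be made safe to run unattended from cron. Every firewall-cmd call goes through GNU coreutils `timeout`, so a D-Bus stall like the NoReply error in the first post ends after a bounded wait with a logged failure instead of blocking the rest of cron.daily; the rule-matching logic is a separate function that reads a `--direct --get-all-rules` listing from stdin, so it can be exercised on a host without firewalld; and the expected rule text is built in one place so the check and the `--add-rule` call cannot drift apart. Assumptions: firewalld with the `--direct` interface, `timeout` and `logger` on the PATH, a plain ipset name (the default `blacklist` is constructed), and the function names `rule_args`, `listing_has_rule`, `fwcmd` and `ensure_blacklist_rule`, which are this example's own.

```bash
#!/bin/bash
# Added example, not the script from the thread. Assumes firewalld with the
# --direct interface, GNU coreutils 'timeout', and 'logger' (syslog).
set -u

IPSET_BLACKLIST_NAME="${IPSET_BLACKLIST_NAME:-blacklist}"   # constructed default
FWCMD_TIMEOUT="${FWCMD_TIMEOUT:-30}"   # seconds before a stalled firewall-cmd is killed

# The direct rule we expect: REJECT any TCP packet whose source is in the ipset.
# Built once so the check and the --add-rule call always agree.
rule_args() {
    printf '%s' "ipv4 filter INPUT 0 -p tcp -m multiport --dports 0:65535 -m set --match-set $1 src -j REJECT --reject-with icmp-port-unreachable"
}

# Text-only check, no firewalld needed: does a 'firewall-cmd --direct
# --get-all-rules' listing on stdin contain a REJECT rule keyed on the ipset?
# Anchoring on table/chain and the REJECT target avoids being satisfied by an
# unrelated rule (e.g. an ACCEPT) that merely mentions the same set name.
# Assumes a plain ipset name with no regex metacharacters.
listing_has_rule() {
    grep -Eq -- "^ipv4 filter INPUT [0-9]+ .*--match-set $1 src .*-j REJECT"
}

# Wrap firewall-cmd in a timeout. A D-Bus NoReply or a hang then ends after
# FWCMD_TIMEOUT seconds (exit status 124) instead of wedging cron.daily.
fwcmd() {
    timeout --kill-after=5 "$FWCMD_TIMEOUT" firewall-cmd "$@"
}

# Returns 0 if the rule is present or was re-added, 1 if adding it failed,
# 2 if firewalld did not answer (logged, so the caller can carry on).
ensure_blacklist_rule() {
    ipset="$1"

    if ! fwcmd --state >/dev/null 2>&1; then
        logger -t blacklist "firewalld not running or not answering; skipped rule check"
        return 2
    fi

    listing=$(fwcmd --direct --get-all-rules 2>/dev/null) || {
        logger -t blacklist "firewall-cmd failed or timed out listing direct rules"
        return 2
    }

    if printf '%s\n' "$listing" | listing_has_rule "$ipset"; then
        return 0
    fi

    logger -t blacklist "REJECT rule for ipset $ipset missing; re-adding it"
    # Word-splitting of rule_args output into separate arguments is intended.
    # shellcheck disable=SC2046
    fwcmd --permanent --direct --add-rule $(rule_args "$ipset") >/dev/null || return 1
    fwcmd --reload >/dev/null || return 1
    logger -t blacklist "REJECT rule for ipset $ipset restored"
    return 0
}

# Run the check only where firewalld's client is installed, so the file can
# also be sourced elsewhere to exercise the pure functions.
if command -v firewall-cmd >/dev/null 2>&1; then
    ensure_blacklist_rule "$IPSET_BLACKLIST_NAME"
fi
```

The return code 2 path is deliberate: when firewalld is down or not answering, the job logs the fact and lets the remainder of cron.daily proceed, which is the behaviour the original thread was missing. A missing rule that cannot be re-added returns 1, so the caller can decide whether that should abort the blacklist update.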

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: firewall-cmd from cron script

Post by aks » 2016/03/03 17:25:24

Okay, so I ran that snippet as root (root's cron) and got the expected output:
Error: firewalld does not have the needed ipset INPUT rule, add it using:
# firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports 0:65535 -m set --match-set src -j REJECT --reject-with icmp-port-unreachable
(I removed the --permanent bits). The script exited 1 (as expected).

Do you have to use --direct? That could be the root of the issue (or perhaps it's the --permanent)?

Also check selinux for problems.

analytical360
Posts: 9
Joined: 2016/02/29 19:48:14

Re: firewall-cmd from cron script

Post by analytical360 » 2016/03/06 23:26:31

Strange. Both the --direct and the --permanent are necessary. Would it make a difference if it's run from cron.daily vs. directly adding it to crontab? I'm running it from cron.daily.

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: firewall-cmd from cron script

Post by aks » 2016/03/07 17:30:25

Would it make a difference if it's run from cron.daily vs. directly adding it to crontab?
I'm not 100% sure - why not try it (and perhaps run it as a root scheduled job, i.e. crontab -e)?

AFAIK, there are two crons in CentOS: crond and anacron. The difference between them is that cron can run jobs every minute, but assumes the system is running continuously, and if the system is not on at the time when a job is scheduled, the job is not executed (not sure what happens with things like deep sleep here). On the other hand, Anacron remembers the scheduled jobs if the system is not running at the time when the job is scheduled. The job is then executed as soon as the system is up. However, Anacron can only run a job once a day. Anacron is configured via /etc/anacrontab. (Most of that is lifted from the docs.)

You can deny access to cron via /etc/cron.deny and /etc/cron.allow, and you can blacklist/whitelist jobs with /etc/cron.daily/jobs.deny & /etc/cron.daily/jobs.allow.

That's about all I can think of with cron/anacron and running or not running jobs.

Docs may provide additional inspiration: https://access.redhat.com/documentation ... on-anacron
