Firewalld enable problem - shows up with xrdp

BGood
Posts: 18
Joined: 2016/12/25 02:40:14

Post by BGood » 2017/11/08 16:26:15

I recently installed the minimal server version of CentOS Linux release 7.4.1708 (Core) on a dedicated PC on my home LAN, and am accessing the PC using Windows 7 Remote Desktop using xrdp/tigervnc and a MATE desktop as the graphical target over eth0. After considerable trial and error configuration, this seems to be working well.

What I don't understand is why I need to log in to CentOS via a PuTTY session and type 'firewalld' from a command prompt in order for the Windows Remote Desktop session to connect. The version of firewalld is 0.4.4.4. Public zone is permanent with eth0 interface allowing http, https, ssh and port 3389 traffic.

Typical /var/log/firewalld log entries are:

2017-11-08 10:03:20 WARNING: ICMP type 'beyond-scope' is not supported by the kernel for ipv6.
2017-11-08 10:03:20 WARNING: beyond-scope: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
2017-11-08 10:03:20 WARNING: ICMP type 'failed-policy' is not supported by the kernel for ipv6.
2017-11-08 10:03:20 WARNING: failed-policy: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
2017-11-08 10:03:20 WARNING: ICMP type 'reject-route' is not supported by the kernel for ipv6.
2017-11-08 10:03:20 WARNING: reject-route: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
2017-11-08 10:03:20 WARNING: ICMP type 'address-unreachable' is not supported by the kernel for ipv4.
2017-11-08 10:03:20 ERROR: Failed to load icmptype file '/etc/firewalld/icmptypes/address-unreachable.xml':
2017-11-08 10:03:20 WARNING: ICMP type 'bad-header' is not supported by the kernel for ipv4.
2017-11-08 10:03:20 ERROR: Failed to load icmptype file '/etc/firewalld/icmptypes/bad-header.xml':

Any ideas what I'm doing wrong or what might be causing these logged warnings and errors? Thanks.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Firewalld enable problem - shows up with xrdp

Post by TrevorH » 2017/11/08 17:05:25

Before you run firewalld from the putty session, what does systemctl status firewalld say?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

BGood
Posts: 18
Joined: 2016/12/25 02:40:14

Re: Firewalld enable problem - shows up with xrdp

Post by BGood » 2017/11/08 17:22:54

Thanks for the reply TrevorH. After rebooting and before typing 'firewalld', here's the result from 'systemctl status firewalld -l' at the command line:

● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2017-11-08 11:09:22 MST; 8min ago
     Docs: man:firewalld(1)
 Main PID: 716 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─716 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Nov 08 11:09:22 asw.dev firewalld[716]: WARNING: ICMP type 'beyond-scope' is not supported by the kernel for ipv6.
Nov 08 11:09:22 asw.dev firewalld[716]: WARNING: beyond-scope: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
Nov 08 11:09:22 asw.dev firewalld[716]: WARNING: ICMP type 'failed-policy' is not supported by the kernel for ipv6.
Nov 08 11:09:22 asw.dev firewalld[716]: WARNING: failed-policy: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
Nov 08 11:09:22 asw.dev firewalld[716]: WARNING: ICMP type 'reject-route' is not supported by the kernel for ipv6.
Nov 08 11:09:22 asw.dev firewalld[716]: WARNING: reject-route: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
Nov 08 11:09:22 asw.dev firewalld[716]: WARNING: ICMP type 'address-unreachable' is not supported by the kernel for ipv4.
Nov 08 11:09:22 asw.dev firewalld[716]: ERROR: Failed to load icmptype file '/etc/firewalld/icmptypes/address-unreachable.xml':
Nov 08 11:09:22 asw.dev firewalld[716]: WARNING: ICMP type 'bad-header' is not supported by the kernel for ipv4.
Nov 08 11:09:22 asw.dev firewalld[716]: ERROR: Failed to load icmptype file '/etc/firewalld/icmptypes/bad-header.xml':

fishface
Posts: 27
Joined: 2016/08/02 15:47:42

Re: Firewalld enable problem - shows up with xrdp

Post by fishface » 2017/11/20 18:31:41

If you have disabled IPv6 at any point you will see the IPv6 warning messages. I would concentrate on the error messages.

The defaults for "address-unreachable.xml" are in /usr/lib/firewalld/icmptypes, you might want to start looking into that.
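
Following up on the pointer to /usr/lib/firewalld/icmptypes, here is an added example (not part of the original thread) that pulls the failing icmptype files out of the firewalld log and compares each override in /etc/firewalld/icmptypes with its packaged default. The function names and status labels are assumptions of this example; the two directories are the ones named in the thread and can be overridden through ETC_DIR and LIB_DIR.

```shell
#!/bin/sh
# Added example: triage firewalld "Failed to load icmptype file" errors.
# Directories default to the paths named in the thread.
ETC_DIR="${ETC_DIR:-/etc/firewalld/icmptypes}"
LIB_DIR="${LIB_DIR:-/usr/lib/firewalld/icmptypes}"

# Read firewalld log lines on stdin and print the unique file paths taken
# from "ERROR: Failed to load icmptype file '<path>'" lines.
failed_icmptype_files() {
    sed -n "s/.*ERROR: Failed to load icmptype file '\([^']*\)'.*/\1/p" | sort -u
}

# Compare one override with the packaged default of the same name.
# The status labels are this example's own, not firewalld output.
classify_override() {
    name=$(basename "$1")
    override="$ETC_DIR/$name"
    default="$LIB_DIR/$name"
    if [ ! -e "$override" ]; then
        echo "no-override"
    elif [ ! -s "$override" ]; then
        echo "empty-override"
    elif [ ! -e "$default" ]; then
        echo "no-default"
    elif cmp -s "$override" "$default"; then
        echo "same-as-default"
    else
        echo "differs-from-default"
    fi
}

# Log on stdin -> one "status<TAB>path" line per failing file.
triage() {
    failed_icmptype_files | while IFS= read -r path; do
        printf '%s\t%s\n' "$(classify_override "$path")" "$path"
    done
}

# Constructed sample: four of the log lines quoted earlier in the thread.
SAMPLE_LOG="2017-11-08 10:03:20 WARNING: ICMP type 'address-unreachable' is not supported by the kernel for ipv4.
2017-11-08 10:03:20 ERROR: Failed to load icmptype file '/etc/firewalld/icmptypes/address-unreachable.xml':
2017-11-08 10:03:20 WARNING: ICMP type 'bad-header' is not supported by the kernel for ipv4.
2017-11-08 10:03:20 ERROR: Failed to load icmptype file '/etc/firewalld/icmptypes/bad-header.xml':"

# On a real host, feed the log instead: triage < /var/log/firewalld
printf '%s\n' "$SAMPLE_LOG" | triage
```

An `empty-override` or `differs-from-default` result marks a file in /etc/firewalld/icmptypes worth opening next to its default before deciding whether to keep the override.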
