Firewalld hiccups and troubleshooting after upgrading to SLES 15 SP3 or later

This document (000020399) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 15 SP3

Situation

After Upgrading to SLES 15 SP3 and later, the firewalld service refuses to start or generally behaves erratically.
With this upgrade, this package has made a major development step, which, depending on the scope of the existing firewall configuration, requires some customization.

Resolution

Firewalld adjustments after upgrade

Before you start, make sure to keep a copy of /etc/firewalld somewhere, e.g.
$ cd /etc
$ cp -a firewalld firewalld-$(date +%Y%m%d-%H%M%S)

Now check all files in /etc/firewalld for .rpm* and .old extensions. Most probably, you will find a file called firewalld.conf.rpmnew. The .rpmnew file contains the new default configuration for firewalld. Check whether you have any non default settings that are essential to the correct functioning of your firewall:
$ diff -u firewalld.conf{,.rpmnew} > firewalld.conf.diff
$ cp firewalld.conf{.rpmnew,}

$ vi -o firewalld.conf{,.diff}
Specifically, check/restore the DefaultZone setting. Most other settings should be left at the new value, or  don't exist anymore. Please do the same for all .old files.

The operation of new default firewall backend nftables is more strict in certain areas, eg. when using ipsets, make sure, that the address spaces do not overlap. Please read the "Additional Information" section, if you changed your firewall backend.
$ systemctl restart firewalld.service

Your firewall setup should be operational now. Check with:
$ systemctl status firewalld.service
 

Firewalld debugging

If the firewalld service still fails, and system logs doesn't show an obvious reason, we need to conduct a couple of steps to reveal the cause since debugging output is disabled by default.

$ systemctl edit --full firewalld.service
Comment out the lines
Standard{Output,Error}=null

Change /etc/sysconfig/firewalld:
# firewalld command line args
# possible values: --debug
FIREWALLD_ARGS=--debug=2


Restart the firewall:
$ systemctl restart firewalld.service

If it still doesn't work properly, please check the logs:
$ journalctl -u firewalld.service

If you are unable to troubleshot the problem with the debug output, please open a support case and provide a supportconfig and use tar to compress the full /etc/firewalld tree:

$ cd /etc/
$ tar cvf /tmp/etc-firewalld-$(date +%Y%m%d-%H%M%S).tar.gz firewalld

and provide the file /tmp/etc-firewalld-*.tar.gz together with the supportconfig.

Status

Reported to Engineering

Additional Information

The default firewalld backend changed from "iptables" to "nftables" in order to overcome a couple of limitations, and to reduce the dependency to a single kernel filtering framework.

Please note, that for internal reasons, you should reboot the system, if you change the firewall backend.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000020399
  • Creation Date: 06-Dec-2021
  • Modified Date:06-Dec-2021
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback@suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center