FirewallD setup questions

[PeteS]

I may be totally misunderstanding thins, but... How to Configure Your Firewall for cPanel Services - cPanel Knowledge Base - cPanel Documentation says:

1. Run the yum install firewalld command to ensure that your system has firewalld installed.
2. Run the systemctl start firewalld.service command to start the firewalld service.
3. Run the /scripts/configure_firewall_for_cpanel script.

I have followed the above instructions. I am wanting to confirm whether or not firewalld needs to be enabled (systemctl enable firewalld).

Is there a way to manage firewalld from within WHM?

Are these warnings a concern (systemctl status firewalld)?
WARNING: Invalid module 'iptable_filter'
WARNING: Invalid module 'ip6table_filter'

 

[cPanelMichael]

Hello @PeteS.

I have followed the above instructions. I am wanting to confirm whether or not firewalld needs to be enabled (systemctl enable firewalld).

It should run by default after starting the service, but you can also use the "systemctl enable firewalld" command if you want to ensure it starts when the server is booted.

Is there a way to manage firewalld from within WHM?

It's not possible through any cPanel & WHM features, but you can install a firewall management utility such as CSF to manage your firewall rules from WHM:

ConfigServer Security & Firewall (csf)

Are these warnings a concern (systemctl status firewalld)?
WARNING: Invalid module 'iptable_filter'
WARNING: Invalid module 'ip6table_filter'

This suggests those iptables modules are not enabled for your VPS. You can check with your VPS hosting provider to see if it's possible to enable those modules on your server from the hardware node.

Thank you.

 

[PeteS]

Hello @PeteS.



It should run by default after starting the service, but you can also use the "systemctl enable firewalld" command if you want to ensure it starts when the server is booted.

If not enabled, only started, after reboot status I'm getting is:

"● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)"

What am I missing?

 

[cPanelMichael]

Hello,

You have to use the "systemctl enable firewalld" command if you want to ensure it starts when the server is booted. Since you mentioned rebooting the server, firewalld won't start automatically if you have not ran the "systemctl enable firewalld" command.

Thank you.

 

[PeteS]

Hello,

You have to use the "systemctl enable firewalld" command if you want to ensure it starts when the server is booted. Since you mentioned rebooting the server, firewalld won't start automatically if you have not ran the "systemctl enable firewalld" command.

Thank you.

Ok, I'm not asking this correctly, I guess...

Given what you just wrote: Then why wouldn't the instructions say to enable it to run all the time? What would be the point of running it one time?

 

[cPanelMichael]

Hello,

I've opened a case with our Documentation Team (DOC-9131) to request an addition to this document to note that running "systemctl enable firewalld" is required to ensure this service starts when the server boots.

Thank you.

Update: The changes are now reflected on the following document:

How to Configure Your Firewall for cPanel Services - cPanel Knowledge Base - cPanel Documentation

Thank you.

 

[PeteS]

Hello @PeteS.

This suggests those iptables modules are not enabled for your VPS. You can check with your VPS hosting provider to see if it's possible to enable those modules on your server from the hardware node.

Thank you.

Hi,

To follow up on the warnings: I don't think it matters, but I'm on a dedicated server (not VPS). I'm not using CFS, only firewalld. My assumption was that firewalld does not use iptables at all, and so the warning could be safely ignored. Please explain or correct as appropriate. Thanks!

 

[cPanelMichael]

To follow up on the warnings: I don't think it matters, but I'm on a dedicated server (not VPS). I'm not using CFS, only firewalld. My assumption was that firewalld does not use iptables at all, and so the warning could be safely ignored. Please explain or correct as appropriate. Thanks!

Hello,

What Operating System and Kernel are you running on this server? EX:

cat /etc/redhat-release
uname -r

Thank you.

 

[PeteS]

CentOS Linux release 7.3.1611 (Core)
3.10.0-514.21.2.el7.x86_64

Update: I simply commented out the two line in cpanel.xml that were trying to load the modules, which stopped the error of course.

My understanding now is that firewalld uses the iptables commands, but not the service: "The iptables command is actually used by firewalld itself, but the iptables service is not installed on CentOS 7 by default." (How To Migrate from FirewallD to Iptables on CentOS 7 | DigitalOcean)

So maybe this resolves it. Do you agree?

 

[cPanelMichael]

Hello,

Removing those lines from the cpanel.xml file should act as a workaround based on reports from other customers. Note that we do have internal case CPANEL-752 open to address an issue where the "configure_firewall_for_cpanel" script fails to configure firewalld on CentOS 7 servers when the "iptables" kernel modules are unavailable. I'll monitor the case and update this thread with more information once it's available.

Thank you.

 

[PeteS]

Perfect, I'll stand by, thank you!

 

[cPanelMichael]

Hello,

There's currently no time frame available for the release of any potential changes from that case. It's likely a good idea to install a firewall management utility such as CSF to handle all of your firewall rules:

ConfigServer Security & Firewall (csf)

Thank you.

 

[PeteS]

Thank you, I understand. I just meant that I would await that reply, but not expecting anything soon.

I'm comfortable with firewalld at this time, but can switch to CSF in the future if desired.

What would be cool is an interface in WHM for the firewall-cmd CLI commands. It seems pretty feasible to me to have it show current settings and allow changes (temporary and permanent) as well as many other features. Is there a feature request for this already?

I know there is a firewall-config GUI for firewalld, but I have no desire to enable that from the command line. I don't know if it would be possible for WHM to leverage that for use in its interface, but that might be a cool thing.

 

[cPanelMichael]

Hello,

There's a feature request here for a firewall management option in WHM:

Firewall Management

Thanks!

 

[PeteS]

That's not what I was suggesting, nor are any others I found by searching feature requests. I did see some people's comments that had a similar idea. Sadly I wasn't able to register and participate w/o an "invite." Care to hook me up?

 

[Infopro]

That invite code thing is not supposed to be there. Ill report it, please try registering later in the day.

 

[cPanelUser-Inactive]

That's not what I was suggesting, nor are any others I found by searching feature requests. I did see some people's comments that had a similar idea. Sadly I wasn't able to register and participate w/o an "invite." Care to hook me up?

While the field is displayed, you shouldn't need one to get registered. I'm working on getting the field removed as well, to prevent confusion.