FirewallD setup questions

PeteS

Well-Known Member
Jun 8, 2017
324
67
78
Oregon
cPanel Access Level
Root Administrator
I may be totally misunderstanding things, but... How to Configure Your Firewall for cPanel Services - cPanel Knowledge Base - cPanel Documentation says:

  1. Run the yum install firewalld command to ensure that your system has firewalld installed.
  2. Run the systemctl start firewalld.service command to start the firewalld service.
  3. Run the /scripts/configure_firewall_for_cpanel script.
I have followed the above instructions. I am wanting to confirm whether or not firewalld needs to be enabled (systemctl enable firewalld).

Is there a way to manage firewalld from within WHM?

Are these warnings a concern (systemctl status firewalld)?
WARNING: Invalid module 'iptable_filter'
WARNING: Invalid module 'ip6table_filter'
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,254
463
Hello @PeteS.

I have followed the above instructions. I am wanting to confirm whether or not firewalld needs to be enabled (systemctl enable firewalld).
It should run by default after starting the service, but you can also use the "systemctl enable firewalld" command if you want to ensure it starts when the server is booted.

Is there a way to manage firewalld from within WHM?
It's not possible through any cPanel & WHM features, but you can install a firewall management utility such as CSF to manage your firewall rules from WHM:

ConfigServer Security & Firewall (csf)

Are these warnings a concern (systemctl status firewalld)?
WARNING: Invalid module 'iptable_filter'
WARNING: Invalid module 'ip6table_filter'
This suggests those iptables modules are not enabled for your VPS. You can check with your VPS hosting provider to see if it's possible to enable those modules on your server from the hardware node.

Thank you.
 

PeteS

If not enabled, only started, after reboot status I'm getting is:

"● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)"

What am I missing?
 

cPanelMichael

Hello,

You have to use the "systemctl enable firewalld" command if you want to ensure it starts when the server is booted. Since you mentioned rebooting the server, firewalld won't start automatically if you have not run the "systemctl enable firewalld" command.

Thank you.
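
Added example, not part of the thread or of cPanel's documentation: the status text quoted above reads `disabled; vendor preset: enabled`, and only the first of those two values says whether firewalld starts at boot. This sketch parses that output and reports "running now" and "starts at boot" separately; the function names and verdict wording are this example's own.

```sh
#!/bin/sh
# Added example, not from the thread: separate "running now" from
# "starts at boot" when reading `systemctl status firewalld` output.

# Sample input: the post-reboot status text quoted in the thread.
SAMPLE_STATUS='● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)'

# Read status text on stdin, print "<active-state> <enablement-state>".
parse_status() {
    awk '
        $1 == "Loaded:" {
            # Inside (...) the fields are "unit file; enablement; vendor preset".
            # Only the second field says whether the unit starts at boot.
            n = split($0, part, ";")
            if (n >= 2) { gsub(/[ )]/, "", part[2]); enabled = part[2] }
        }
        $1 == "Active:" { active = $2 }
        END {
            if (active == "")  active = "unknown"
            if (enabled == "") enabled = "unknown"
            print active, enabled
        }'
}

# Turn the two states into a verdict (wording is this example's own).
verdict() {
    case "$1/$2" in
        active/enabled) echo "OK: running and starts at boot" ;;
        active/*)       echo "WARN: running, but will not start at boot" ;;
        */enabled)      echo "WARN: starts at boot, but not running now" ;;
        *)              echo "FAIL: not running and will not start at boot" ;;
    esac
}

# Convenience wrapper: status text on stdin, verdict on stdout.
check_status_text() {
    set -- $(parse_status)
    verdict "$1" "$2"
}

printf '%s\n' "$SAMPLE_STATUS" | check_status_text
# On a live host, the same verdict without parsing:
#   verdict "$(systemctl is-active firewalld)" "$(systemctl is-enabled firewalld)"
```

A host that followed only the three documented steps (install, start, run the configure script) gets the `active/*` warning until `systemctl enable firewalld` is run.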
 

PeteS

Ok, I'm not asking this correctly, I guess...

Given what you just wrote: Then why wouldn't the instructions say to enable it to run all the time? What would be the point of running it one time?
 


PeteS

Hi,

To follow up on the warnings: I don't think it matters, but I'm on a dedicated server (not VPS). I'm not using CSF, only firewalld. My assumption was that firewalld does not use iptables at all, and so the warning could be safely ignored. Please explain or correct as appropriate. Thanks!
 

cPanelMichael

Hello,

What Operating System and Kernel are you running on this server? EX:

Code:
cat /etc/redhat-release
uname -r
Thank you.
 

PeteS

CentOS Linux release 7.3.1611 (Core)
3.10.0-514.21.2.el7.x86_64

Update: I simply commented out the two lines in cpanel.xml that were trying to load the modules, which stopped the error of course.

My understanding now is that firewalld uses the iptables commands, but not the service: "The iptables command is actually used by firewalld itself, but the iptables service is not installed on CentOS 7 by default." (How To Migrate from FirewallD to Iptables on CentOS 7 | DigitalOcean)

So maybe this resolves it. Do you agree?
 

cPanelMichael

Hello,

Removing those lines from the cpanel.xml file should act as a workaround based on reports from other customers. Note that we do have internal case CPANEL-752 open to address an issue where the "configure_firewall_for_cpanel" script fails to configure firewalld on CentOS 7 servers when the "iptables" kernel modules are unavailable. I'll monitor the case and update this thread with more information once it's available.

Thank you.
 

cPanelMichael

Hello,

There's currently no time frame available for the release of any potential changes from that case. It's likely a good idea to install a firewall management utility such as CSF to handle all of your firewall rules:

ConfigServer Security & Firewall (csf)

Thank you.
 

PeteS

Thank you, I understand. I just meant that I would await that reply, but not expecting anything soon.

I'm comfortable with firewalld at this time, but can switch to CSF in the future if desired.

What would be cool is an interface in WHM for the firewall-cmd CLI commands. It seems pretty feasible to me to have it show current settings and allow changes (temporary and permanent) as well as many other features. Is there a feature request for this already?

I know there is a firewall-config GUI for firewalld, but I have no desire to enable that from the command line. I don't know if it would be possible for WHM to leverage that for use in its interface, but that might be a cool thing.
 

PeteS

That's not what I was suggesting, nor are any others I found by searching feature requests. I did see some people's comments that had a similar idea. Sadly I wasn't able to register and participate w/o an "invite." Care to hook me up?
 

cPanelUser-Inactive

Guest
While the field is displayed, you shouldn't need one to get registered. I'm working on getting the field removed as well, to prevent confusion.