FirewallD setup questions

Discussion in 'Security' started by PeteS, Jun 19, 2017.

  1. PeteS

    PeteS Member

    Joined:
    Jun 8, 2017
    Messages:
    16
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    Oregon
    cPanel Access Level:
    Root Administrator
    I may be totally misunderstanding things, but... How to Configure Your Firewall for cPanel Services - cPanel Knowledge Base - cPanel Documentation says:

    1. Run the yum install firewalld command to ensure that your system has firewalld installed.
    2. Run the systemctl start firewalld.service command to start the firewalld service.
    3. Run the /scripts/configure_firewall_for_cpanel script.
    I have followed the above instructions. I am wanting to confirm whether or not firewalld needs to be enabled (systemctl enable firewalld).

    Is there a way to manage firewalld from within WHM?

    Are these warnings a concern (systemctl status firewalld)?
    WARNING: Invalid module 'iptable_filter'
    WARNING: Invalid module 'ip6table_filter'
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    36,980
    Likes Received:
    1,275
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @PeteS.

    It should run by default after starting the service, but you can also use the "systemctl enable firewalld" command if you want to ensure it starts when the server is booted.

    It's not possible through any cPanel & WHM features, but you can install a firewall management utility such as CSF to manage your firewall rules from WHM:

    ConfigServer Security & Firewall (csf)

    This suggests those iptables modules are not enabled for your VPS. You can check with your VPS hosting provider to see if it's possible to enable those modules on your server from the hardware node.

    Thank you.
     
  3. PeteS

    PeteS Member

    If not enabled, only started, after reboot status I'm getting is:

    "● firewalld.service - firewalld - dynamic firewall daemon
    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
    Active: inactive (dead)"

    What am I missing?
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    You have to use the "systemctl enable firewalld" command if you want to ensure it starts when the server is booted. Since you mentioned rebooting the server, firewalld won't start automatically if you have not run the "systemctl enable firewalld" command.

    Thank you.
     
  5. PeteS

    PeteS Member

    Ok, I'm not asking this correctly, I guess...

    Given what you just wrote: Then why wouldn't the instructions say to enable it to run all the time? What would be the point of running it one time?
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    I've opened a case with our Documentation Team (DOC-9131) to request an addition to this document to note that running "systemctl enable firewalld" is required to ensure this service starts when the server boots.

    Thank you.
     
    PeteS likes this.
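
Added example, not part of any post in this thread and not cPanel's code: a check for the state discussed above, where firewalld was started but never enabled and so is gone after a reboot. The function names and verdict strings are hypothetical; the first sample is constructed, the second is the status output quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): detect "started but not enabled" firewalld.

# Constructed sample: state right after `systemctl start firewalld.service` only.
SAMPLE_AFTER_START='● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: active (running)'

# Sample quoted in the thread: the same unit after a reboot.
SAMPLE_AFTER_REBOOT='● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)'

# parse_status: read `systemctl status` text on stdin, print "<enable-state> <active-state>".
# The enable state is the second ';'-separated field of the Loaded: line.
parse_status() {
    awk '
        $1 == "Loaded:" { n = split($0, f, ";")
                          if (n >= 2) { gsub(/^[ \t]+|[ \t]+$/, "", f[2]); en = f[2] } }
        $1 == "Active:" { act = $2 }
        END { if (en == "") en = "unknown"; if (act == "") act = "unknown"; print en, act }
    '
}

# classify_fw ENABLE_STATE ACTIVE_STATE: map the pair to a verdict (hypothetical labels).
classify_fw() {
    case "$1:$2" in
        enabled:active)  echo "ok" ;;
        disabled:active) echo "active-now-but-not-after-reboot" ;;
        enabled:*)       echo "enabled-but-not-running" ;;
        disabled:*)      echo "not-running-and-not-enabled" ;;
        *)               echo "unknown" ;;
    esac
}

# verdict_from_status: verdict for status text supplied on stdin.
verdict_from_status() {
    set -- $(parse_status)   # word splitting into two fields is intended
    classify_fw "$1" "$2"
}

# verdict_live: same verdict from the running system (requires systemd).
verdict_live() {
    en=$(systemctl is-enabled firewalld 2>/dev/null) || true
    act=$(systemctl is-active firewalld 2>/dev/null) || true
    classify_fw "${en:-unknown}" "${act:-unknown}"
}

if [ "${1:-}" = "--live" ]; then verdict_live; fi
```

Run with `--live` on the server itself; any verdict other than `ok` means the host will be, or already is, without its firewall rules.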
  7. PeteS

    PeteS Member

    Hi,

    To follow up on the warnings: I don't think it matters, but I'm on a dedicated server (not VPS). I'm not using CSF, only firewalld. My assumption was that firewalld does not use iptables at all, and so the warning could be safely ignored. Please explain or correct as appropriate. Thanks!
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    What Operating System and Kernel are you running on this server? EX:

    Code:
    cat /etc/redhat-release
    uname -r
    Thank you.
     
  9. PeteS

    PeteS Member

    CentOS Linux release 7.3.1611 (Core)
    3.10.0-514.21.2.el7.x86_64

    Update: I simply commented out the two lines in cpanel.xml that were trying to load the modules, which stopped the error of course.

    My understanding now is that firewalld uses the iptables commands, but not the service: "The iptables command is actually used by firewalld itself, but the iptables service is not installed on CentOS 7 by default." (How To Migrate from FirewallD to Iptables on CentOS 7 | DigitalOcean)

    So maybe this resolves it. Do you agree?
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Removing those lines from the cpanel.xml file should act as a workaround based on reports from other customers. Note that we do have internal case CPANEL-752 open to address an issue where the "configure_firewall_for_cpanel" script fails to configure firewalld on CentOS 7 servers when the "iptables" kernel modules are unavailable. I'll monitor the case and update this thread with more information once it's available.

    Thank you.
     
  11. PeteS

    PeteS Member

    Perfect, I'll stand by, thank you!
     
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    There's currently no time frame available for the release of any potential changes from that case. It's likely a good idea to install a firewall management utility such as CSF to handle all of your firewall rules:

    ConfigServer Security & Firewall (csf)

    Thank you.
     
  13. PeteS

    PeteS Member

    Thank you, I understand. I just meant that I would await that reply, but not expecting anything soon.

    I'm comfortable with firewalld at this time, but can switch to CSF in the future if desired.

    What would be cool is an interface in WHM for the firewall-cmd CLI commands. It seems pretty feasible to me to have it show current settings and allow changes (temporary and permanent) as well as many other features. Is there a feature request for this already?

    I know there is a firewall-config GUI for firewalld, but I have no desire to enable that from the command line. I don't know if it would be possible for WHM to leverage that for use in its interface, but that might be a cool thing.
     
  14. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    There's a feature request here for a firewall management option in WHM:

    Firewall Management

    Thanks!
     
  15. PeteS

    PeteS Member

    That's not what I was suggesting, nor are any others I found by searching feature requests. I did see some people's comments that had a similar idea. Sadly I wasn't able to register and participate w/o an "invite." Care to hook me up?
     
  16. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    15,616
    Likes Received:
    296
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    That invite code thing is not supposed to be there. I'll report it, please try registering later in the day.
     
  17. cPanelBenny

    cPanelBenny Community Manager, Development, dog scratcher
    Staff Member

    Joined:
    Apr 24, 2014
    Messages:
    61
    Likes Received:
    28
    Trophy Points:
    93
    Location:
    Michigan
    cPanel Access Level:
    Root Administrator
    While the field is displayed, you shouldn't need one to get registered. I'm working on getting the field removed as well, to prevent confusion.
     