firewalld update causes all connections to be refused

Discussion in 'General Discussion' started by PeteS, Sep 14, 2017.

  1. PeteS

    PeteS Active Member

    Joined:
    Jun 8, 2017
    Messages:
    31
    Likes Received:
    3
    Trophy Points:
    8
    Location:
    Oregon
    cPanel Access Level:
    Root Administrator
    Hello,

    firewalld's cPanel zone file was reset after the recent cPanel update (What the heck, cPanel! o_O ) Since I use a different port than 22 I couldn't SSH in! This took longer to deal with than the httpd issue...
     
    #1 PeteS, Sep 14, 2017
    Last edited by a moderator: Sep 14, 2017
  2. PeteS

    PeteS Active Member

    I'm just posting this as an FYI for anyone else having the issue. (My data center reported others with the same issue after this update.)

    Also: CentOS 7.3
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,165
    Likes Received:
    1,371
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    There are currently two separate issues relevant to this thread.

    1. We recently published a resolution to address an issue where updating the firewalld package through YUM can block access to services on systems using version 7.4 of CentOS or CloudLinux.

    For systems using cPanel version 64 and CentOS 7.4, this is fixed as of 64.0.39 with the following case:

    Fixed case CPANEL-15761: Update firewalld rules automatically for CentOS 7.4.

    For systems using cPanel version 64 and CloudLinux 7.4, this is fixed as of 64.0.38 with the following case:

    Fixed case CPANEL-15104: Make firewalld rules compatible with CloudLinux 7.4.

    For systems using cPanel version 66 and CentOS 7.4, this is fixed as of 66.0.19 with the following case:

    Fixed case CPANEL-15545: Update firewalld rules automatically for CentOS 7.4.

    For systems using cPanel version 66 and CloudLinux 7.4, this is fixed as of 66.0.15 with the following case:

    Fixed case CPANEL-15104: Make firewalld rules compatible with CloudLinux 7.4.

    If you are using earlier versions of cPanel and are unable to update to a newer version at this time, then a temporary workaround is to remove the following lines from the /etc/firewalld/services/cpanel.xml file:

    Code:
    <module name="iptable_filter"/>
    <module name="ip6table_filter"/>
    Once you remove these lines and save the file, run the following command:

    Code:
    systemctl restart firewalld
    Note that running the "/usr/local/cpanel/scripts/configure_firewall_for_cpanel" command will reinsert those lines, so the better solution going forward is to update cPanel to a version that includes the published resolutions.

    2. Additionally, internal case CPANEL-15828 is now open to track reports of this happening on versions of cPanel that already include one of the resolutions referenced above. The following command is available as a temporary workaround for this particular issue:

    Code:
    /usr/local/cpanel/scripts/configure_firewall_for_cpanel
    I'll monitor internal case CPANEL-15828 and update this thread with more information as it becomes available.

    To update, the second issue was not reproducible. The issue reported here looks to relate to the cases referenced above.

    Thank you.
     
    #3 cPanelMichael, Sep 14, 2017
    Last edited: Sep 18, 2017 at 1:12 PM
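
The workaround from post #3, scripted with a backup and a rollback check, as an added example that is not cPanel's code or part of any post. The function names and the sample file contents are assumptions made for illustration; on a real server the target would be /etc/firewalld/services/cpanel.xml, followed by the firewalld restart.

```shell
#!/bin/sh
# Added example, not cPanel's own tooling. Applies the workaround from post #3
# (delete the two <module> lines) to a firewalld service file, with a backup.

MODULE_RE='<module[[:space:]]+name="ip6?table_filter"[[:space:]]*/>'

# Succeeds if FILE still carries either module line.
has_legacy_modules() {
    grep -Eq "$MODULE_RE" "$1"
}

# strip_legacy_modules FILE -> 0 removed, 1 nothing to do, 2 error
strip_legacy_modules() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 2; }
    has_legacy_modules "$f" || return 1
    cp -p "$f" "$f.bak" || return 2
    # Rewrite FILE from the backup so its inode, owner and mode are kept.
    sed -E "\#${MODULE_RE}#d" "$f.bak" > "$f" || return 2
    # A line-based delete would also drop <port> entries if the XML sat on
    # one line, so compare the port line counts and roll back on a mismatch.
    if [ "$(grep -c '<port ' "$f")" -ne "$(grep -c '<port ' "$f.bak")" ]; then
        cat "$f.bak" > "$f"; return 2
    fi
}

# Constructed sample (not the real cPanel file) for a dry run.
make_sample() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>cPanel</short>
  <port protocol="tcp" port="2083"/>
  <port protocol="tcp" port="2087"/>
  <module name="iptable_filter"/>
  <module name="ip6table_filter"/>
</service>
EOF
}

# Dry run on the sample. On a real server, pass the cpanel.xml path instead
# and then run: systemctl restart firewalld
demo=$(mktemp -d)
make_sample "$demo/cpanel.xml"
strip_legacy_modules "$demo/cpanel.xml" && echo "module lines removed"
rm -rf "$demo"
```

A return status of 1 means the file was already clean, which is the expected result on cPanel builds that include the fixes listed above.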
  4. tvirtualw

    tvirtualw Registered

    Joined:
    Jan 28, 2011
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    51
    Location:
    Germany
    Same issue here. But WHM wasn't updated (still on WHM 64.0 (build 33)).
    It seems it happened after CentOS 7.3 system updates.
    When I stop the firewalld service, I can access services again.
    Please advise if there is any workaround besides stopping firewalld.

    Thanks!
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hi @tvirtualw,

    I updated my previous response with some additional information about this issue. Let me know if updating to a newer version of cPanel 64 addresses the issue (64.0.39 is available on the Stable build tier).

    Thank you.
     
  6. tvirtualw

    tvirtualw Registered

    I've updated to 64.0.39 and rebooted the server. Services were unreachable after reboot due to the firewalld issue.
    I then ran the configure_firewall_for_cpanel script which removed the lines from cpanel.xml. Now it's working.
    I had the firewalld service stopped before updating WHM. It seems the configure script wants firewalld running to do its magic. This might have been the reason why the fix was not applied automatically and I had to run it manually.
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    That's correct. The following script is utilized during the installation and during updates to populate the correct rules in the /etc/firewalld/services/cpanel.xml file:

    Code:
    /scripts/configure_firewall_for_cpanel
    If "firewalld" is not running, it will not populate those rules and instead the following text is output:

    Code:
    #  /scripts/configure_firewall_for_cpanel
    The firewalld service is currently inactive. To enable and start the firewalld service before you configure it, run the following commands: systemctl enable firewalld && systemctl start firewalld 
    If you prefer to not use firewalld on your system, remember to disable it at system startup as well:

    Code:
    systemctl disable firewalld.service
    Otherwise, it will start back up when your system boots and won't receive the updated rules until the next cPanel update or until manually running the "/scripts/configure_firewall_for_cpanel" command.

    Thank you.
     
  8. PeteS

    PeteS Active Member

    Dear mod: if you hack my post into two it would be helpful to note that with a link. ;) At first I thought you just grossly edited my post here without comment, until I stumbled on the other post you created for me. Just a suggestion...

    Re: this issue

    These lines,

    <module name="iptable_filter"/>
    <module name="ip6table_filter"/>

    had caused a warning (but no service interruptions) for me some time ago, and I determined they were legacy code that was not needed in my case, so I removed them. Good to see them gone now.

    But, is the expectation that /etc/firewalld/services/cpanel.xml is reserved for your use and that any changes we make can/will be overridden by future updates? I have other ways to ADD ports, but what if I don't want some ports open that aren't needed and are in the generic default cpanel.xml file?
     
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    To update, we've also released the following resolutions for systems using cPanel version 62 as part of cPanel 62.0.29:

    Fixed case CPANEL-15762: Update firewalld rules automatically for CentOS 7.4.
    Fixed case CPANEL-15104: Make firewalld rules compatible with CloudLinux 7.4.


    Yes, the rules populated in /etc/firewalld/services/cpanel.xml could potentially update automatically in the future. You can remove this file if you'd like to ensure it isn't automatically updated through "/scripts/configure_firewall_for_cpanel" and instead use another firewall management utility to manage your rules (e.g. CSF).

    Thank you.
     