firewalld update causes all connections to be refused

[PeteS]

Hello,

firewalld's cPanel zone file was reset after the recent cPanel update (What the heck, cPAnel! ) Since use a different port than 22 I couldn't SSH in! This took longer to deal with than the httpd issue...

 

[PeteS]

I'm just posting this as an FYI for anyone else having the issue. (My data center reported others with the same issue after this update.

Also: CentOS 7.3

 

[cPanelMichael]

Hello,

There are currently two separate issues relevant to this thread.

1. We recently published a resolution to address an issue where updating the firewalld package through YUM can block access to services on systems using version 7.4 of CentOS or CloudLinux.

For systems using cPanel version 64 and CentOS 7.4, this is fixed as of 64.0.39 with the following case:

Fixed case CPANEL-15761: Update firewalld rules automatically for CentOS 7.4.

For systems using cPanel version 64 and CloudLinux 7.4, this is fixed as of 64.0.38 with the following case:

Fixed case CPANEL-15104: Make firewalld rules compatible with CloudLinux 7.4.

For systems using cPanel version 66 and CentOS 7.4, this is fixed as of 66.0.19 with the following case:

Fixed case CPANEL-15545: Update firewalld rules automatically for CentOS 7.4.

For systems using cPanel version 66 and CloudLinux 7.4, this is fixed as of 66.0.15 with the following case:

Fixed case CPANEL-15104: Make firewalld rules compatible with CloudLinux 7.4.

If you are using earlier versions of cPanel and are unable to update to a newer version at this time, then a temporary workaround is to remove the following lines from the /etc/firewalld/services/cpanel.xml file:

<module name="iptable_filter"/>
<module name="ip6table_filter"/>

Once you remove these lines and save the file, run the following command:

systemctl restart firewalld

Note that running the "/usr/local/cpanel/scripts/configure_firewall_for_cpanel" command will reinsert those lines, so the better solution going forward is to update cPanel to a version that includes the published resolutions.

2. Additionally, internal case CPANEL-15828 is now open to track reports of this happening on versions of cPanel that already include one the resolutions referenced above. The following command is available as a temporary workaround for this particular issue:

/usr/local/cpanel/scripts/configure_firewall_for_cpanel

I'll monitor internal case CPANEL-15828 and update this thread with more information as it becomes available.

To update, the second issue was not reproducible. The issue reported here looks to relate to the cases referenced above.

Thank you.

 

[tvirtualw]

Same issue here. But WHM wasn't updated (still on WHM 64.0 (build 33)).
It seems it happened after CentOS 7.3 system updates.
When I stop the firewalld service, I can access services again.
Please advise if there is any workaround besides stopping firewalld.

Thanks!

 

[cPanelMichael]

Same issue here. But WHM wasn't updated (still on WHM 64.0 (build 33)).

Hi @tvirtualw,

I updated my previous response with some additional information about this issue. Let me know if updating to a newer version of cPanel 64 addresses the issue (64.0.39 is available on the Stable build tier).

Thank you.

 

[tvirtualw]

Hi @tvirtualw,

I updated my previous response with some additional information about this issue. Let me know if updating to a newer version of cPanel 64 addresses the issue (64.0.39 is available on the Stable build tier).

Thank you.

I've updated to 64.0.39 and rebooted the server. Services were unreachable after reboot due to the firewalld issue.
I then ran the configure_firewall_for_cpanel script which removed the lines from cpanel.xml. Now it's working.
I had the firewalld service stopped before updating WHM. It seems the configure script wants firewalld running to do it's magic. This might have been the reason why the fix was not applied automatically and I had to run it manually.

 

[cPanelMichael]

I had the firewalld service stopped before updating WHM. It seems the configure script wants firewalld running to do it's magic. This might have been the reason why the fix was not applied automatically and I had to run it manually.

That's correct. The following script is utilized during the installation and during updates to populate the correct rules in the /etc/firewalld/services/cpanel.xml file:

/scripts/configure_firewall_for_cpanel

If "firewalld" is not running, it will not populate those rules and instead the following text is output:

#  /scripts/configure_firewall_for_cpanel
The firewalld service is currently inactive. To enable and start the firewalld service before you configure it, run the following commands: systemctl enable firewalld && systemctl start firewalld

If you prefer to not use firewalld on your system, remember to disable it at system startup as well:

systemctl disable firewalld.service

Otherwise, it will start back up when your system boots and won't receive the updated rules until the next cPanel update or until manually running the "/scripts/configure_firewall_for_cpanel" command.

Thank you.

 

[PeteS]

Dear mod: if you hack my post into two it would be helpful to note that with a link. At first I thought you just grossly edited my post here without comment, until I stumbled on the other post you created for me. Just a suggestion...

Re: this issue

These lines,

<module name="iptable_filter"/>
<module name="ip6table_filter"/>

had caused a warning (but no service interruptions) for me some time ago, and I determined they were legacy code that was not needed in my case, so I removed them. Good to see them gone now.

But, is the expectation the that /etc/firewalld/services/cpanel.xml is reserved for your use and that any changes we make can/will be overridden by future updates? I have other ways to ADD ports, but what if I don't want some ports open that aren't needed and are in the generic default cpanel.xml file?

 

[cPanelMichael]

Hello,

To update, we've also released the following resolutions for systems using cPanel version 62 as part of cPanel 62.0.29:

Fixed case CPANEL-15762: Update firewalld rules automatically for CentOS 7.4.
Fixed case CPANEL-15104: Make firewalld rules compatible with CloudLinux 7.4.

But, is the expectation the that /etc/firewalld/services/cpanel.xml is reserved for your use and that any changes we make can/will be overridden by future updates? I have other ways to ADD ports, but what if I don't want some ports open that aren't needed and are in the generic default cpanel.xml file?

Yes, the rules populated in /etc/firewalld/services/cpanel.xml could potentially update automatically in the future. You can remove this file if you'd like to ensure it isn't automatically updated through "/scripts/configure_firewall_for_cpanel" and instead use another firewall management utility to mange your rules (e.g. CSF).

Thank you.