firewalld fails to start if a zone is assigned in both firewall-cmd and NetworkManager

Solution Verified

Issue

  • firewalld fails to start if a zone is assigned in both firewall-cmd and NetworkManager
  • If a zone is assigned in both NetworkManager and firewalld, then a firewall-cmd --reload causes firewalld to fail and not start.
# cat  /etc/firewalld/zones/heartbeat.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <interface name="ens6"/>
  <service name="high-availability"/>
</zone>

# nmcli con show eth0 |grep -i zone
connection.zone:                        public
GENERAL.ZONE:                           public
# nmcli con show ens6 |grep -i zone
connection.zone:                        heartbeat
GENERAL.ZONE:                           heartbeat

# firewall-cmd --state
running
# firewall-cmd --get-active-zones
heartbeat
  interfaces: ens6
public
  interfaces: eth0

# firewall-cmd --reload
Warning: ZONE_ALREADY_SET: 'ens6' already bound to 'heartbeat'
success

# firewall-cmd --state
not running
  • If the interface is removed from the zone configuration file, then firewalld starts:
# cat  /etc/firewalld/zones/heartbeat.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <service name="high-availability"/>
</zone>

# firewall-cmd --reload
success
# firewall-cmd --state
running
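A pre-reload check for the double binding shown above, added here as an example and not part of the article or of firewalld itself. It assumes POSIX sh with sed and awk; the live NetworkManager query relies on the nmcli properties connection.interface-name and connection.zone, and the offline demo uses constructed data that mirrors the article's configuration.

```shell
# Added example (not part of the Red Hat article): list interfaces bound to a zone
# both in a /etc/firewalld/zones/*.xml file and through a NetworkManager
# connection.zone. Such double bindings raise ZONE_ALREADY_SET on
# firewall-cmd --reload and, as the article shows, can leave firewalld not running.

# Print "iface zone" for every <interface name="..."/> in the zone files under $1.
# The zone name is the file name without .xml (one <interface/> per line assumed).
zone_file_bindings() {
    for f in "$1"/*.xml; do
        [ -e "$f" ] || continue
        zone=$(basename "$f" .xml)
        sed -n 's/.*<interface name="\([^"]*\)".*/\1 '"$zone"'/p' "$f"
    done
}

# Print "iface zone" for active NetworkManager connections that set a zone.
# Uses nmcli terse output (colon separated); not exercised by the offline demo.
nm_bindings_live() {
    nmcli -t -f NAME con show --active | while read -r con; do
        nmcli -t -f connection.interface-name,connection.zone con show "$con" |
            awk -F: '$1 == "connection.interface-name" { i = $2 }
                     $1 == "connection.zone"           { z = $2 }
                     END { if (i != "" && z != "") print i, z }'
    done
}

# $1 = zone directory, $2 = file of NetworkManager "iface zone" lines.
# Prints each interface bound in both places; exits 1 if any, so it can gate a reload:
#   nm_bindings_live > /tmp/nm.txt && find_double_bindings /etc/firewalld/zones /tmp/nm.txt
find_double_bindings() {
    zone_file_bindings "$1" | awk '
        FILENAME == ARGV[1] { nm[$1] = $2; next }
        ($1 in nm) { printf "%s: zone file %s, NetworkManager %s\n", $1, $2, nm[$1]; hit = 1 }
        END { exit hit ? 1 : 0 }' "$2" -
}

# Offline demonstration with constructed data mirroring the article: ens6 is bound to
# heartbeat in heartbeat.xml and via NetworkManager; eth0 only via NetworkManager.
demo_double_bindings() {
    d=$(mktemp -d) && mkdir "$d/zones"
    printf '<?xml version="1.0" encoding="utf-8"?>\n<zone>\n' > "$d/zones/heartbeat.xml"
    printf '  <interface name="ens6"/>\n  <service name="high-availability"/>\n</zone>\n' \
        >> "$d/zones/heartbeat.xml"
    printf 'eth0 public\nens6 heartbeat\n' > "$d/nm.txt"
    if find_double_bindings "$d/zones" "$d/nm.txt"; then rc=0; else rc=$?; fi
    rm -rf "$d"
    return "$rc"
}
```

Run the demo to see the conflicting ens6 binding reported with exit status 1; on a real host feed `find_double_bindings` the output of `nm_bindings_live` before running `firewall-cmd --reload`.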

Environment

  • Red Hat Enterprise Linux 8.1
  • firewalld-0.7.0-5.el8.noarch
