firewalld fails to start if a zone is assigned in both firewall-cmd and NetworkManager

Solution Verified - Updated -

Issue

  • firewalld fails to start if a zone is assigned in both firewall-cmd and NetworkManager
  • If an interface's zone is assigned in both NetworkManager and a firewalld zone file, then firewall-cmd --reload causes firewalld to fail and stop running:
# cat  /etc/firewalld/zones/heartbeat.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <interface name="ens6"/>
  <service name="high-availability"/>
</zone>

# nmcli con show eth0 |grep -i zone
connection.zone:                        public
GENERAL.ZONE:                           public
# nmcli con show ens6 |grep -i zone
connection.zone:                        heartbeat
GENERAL.ZONE:                           heartbeat

# firewall-cmd --state
running
# firewall-cmd --get-active-zones
heartbeat
  interfaces: ens6
public
  interfaces: eth0

# firewall-cmd --reload
Warning: ZONE_ALREADY_SET: 'ens6' already bound to 'heartbeat'
success

# firewall-cmd --state
not running
  • If the zone is removed from the zone configuration file, then firewalld starts:
# cat  /etc/firewalld/zones/heartbeat.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <service name="high-availability"/>
</zone>

# firewall-cmd --reload
success
# firewall-cmd --state
running
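
As an added example (not part of the Red Hat solution), a POSIX shell check that reports interfaces bound to a zone both in a firewalld zone file and in a NetworkManager connection, the double binding behind the ZONE_ALREADY_SET warning above. The zone directory, the interface-to-zone map file and the sample data are constructed, and the nmcli lines in the comment are an assumption about how to produce that map on a live host.

```shell
#!/bin/sh
# Added example (not from the Red Hat solution): report interfaces that a
# firewalld zone file binds AND that a NetworkManager connection also assigns
# a zone to, the double binding behind ZONE_ALREADY_SET on reload.
# $1 = directory of zone XML files, $2 = file of "<iface> <connection.zone>" lines.
# Prints "<iface> <zone-file zone> <nm zone>" per conflict; returns 1 if any.
find_double_bound() {
    zonedir=$1
    nmmap=$2
    rc=0
    for f in "$zonedir"/*.xml; do
        [ -f "$f" ] || continue
        zone=$(basename "$f" .xml)
        # every <interface name="..."/> the zone file claims
        for iface in $(sed -n 's/.*<interface name="\([^"]*\)".*/\1/p' "$f"); do
            nmzone=$(awk -v i="$iface" '$1 == i { print $2 }' "$nmmap")
            # an empty connection.zone means NM leaves the binding to firewalld
            if [ -n "$nmzone" ]; then
                echo "$iface $zone $nmzone"
                rc=1
            fi
        done
    done
    return $rc
}

# On a live host the map can be built like this (assumed nmcli usage, not run here):
#   nmcli -t -f NAME con show | while IFS= read -r c; do
#       nmcli -g connection.interface-name,connection.zone con show "$c" | tr ':' ' '
#   done > nm-map.txt

# Constructed scenario mirroring the article: ens6 is bound in heartbeat.xml and
# has connection.zone=heartbeat in NM; ens7 is only in a zone file.
demo() {
    d=$(mktemp -d)
    mkdir "$d/zones"
    printf '<?xml version="1.0" encoding="utf-8"?>\n<zone>\n  <interface name="ens6"/>\n  <service name="high-availability"/>\n</zone>\n' > "$d/zones/heartbeat.xml"
    printf '<zone>\n  <interface name="ens7"/>\n</zone>\n' > "$d/zones/trusted.xml"
    printf 'eth0 public\nens6 heartbeat\nens7\n' > "$d/nm-map.txt"
    find_double_bound "$d/zones" "$d/nm-map.txt"
    status=$?
    rm -rf "$d"
    return $status
}

# Exit status 1 means a double binding exists; fix it before running firewall-cmd --reload.
demo
```

A non-zero exit makes the check usable as a pre-reload gate in a deployment script, so the reload that would take firewalld down is never issued while the conflict exists.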

Environment

  • Red Hat Enterprise Linux 8.1
  • firewalld-0.7.0-5.el8.noarch
