I'm doing the pilot for deploying Fedora 20, and despite having external firewall protection, regulations here say I need to have the individual firewalls on every host active.
Now comes that firewalld is the new king here, so I'm learning its ways.
Now I have a cleaned-up list of ports, after declaring a (non-public) default zone and some typical services, plus a specific service; it seems to run fine.
However, when applying any change (--permanent mode), and reloading the firewall with:
# firewall-cmd --reload
it takes too much time, on the order of 10+ minutes to finish the command - which ends merrily with "success". The computer is basically unusable during all this time, as there is loss of connectivity.
But after that, it just runs as expected.
Logs are not helpful so far...
Starting/stopping the service works just fine, done within 1~2 seconds, what one could expect.
Is there anything I could be missing or omitting? How could this annoying behavior be troubleshot?
Thanks
About troubleshooting, this explains how to enable debugging info in firewalld:
https://lists.fedorahosted.org/pipermail/firewalld-users/2013-February/000049.html
Maybe you could also try a:
from the firewall-cmd manpage:
If the --complete-reload turns out to be faster, it could be in favor of your theory of the hanging connection.