firewall FAILS under CENTOS 7.7 on Container/Storage VPS

sheep

The firewalld 0.6.3 that is included in the current CENTOS 7.7 does not work at all under OpenVZ-based VPSes.
Depending on your setup this may be a significant security risk as it leaves all open ports of your server exposed.
It may also cause fail2ban to fail.

The previous firewalld 0.5.3 that was included in CENTOS 7.6 worked as expected.

NOTE that KVM VPSes are unaffected.

The update to CENTOS 7.7 occured at the end of September 2019 if you ran "yum -y update" since then.

On affected systems systemctl status firewalld shows these errors:

firewalld[123]: WARNING: ipset not usable, disabling ipset usage in firewall.
firewalld[123]: ERROR: Failed to load nf_conntrack module: modprobe: ERROR: could not find module by name='nf_conntrack'
                                           modprobe: ERROR: could not insert 'nf_conntrack': Function not implemented
                                           modprobe: ERROR: Error running install command for nf_conntrack...
firewalld[123]: ERROR: Raising SystemExit in run_server


iptables -S only shows default rules.

The problem was fixed in firewalld 0.8.0 but this has not been picked up by CENTOS yet.

A quick FIX is to revert back to the previous firewalld:

yum -y install yum-versionlock
wget http://vault.centos.org/7.6.1810/os/x86_64/Packages/firewalld-0.5.3-5.el7.noarch.rpm
wget http://vault.centos.org/7.6.1810/os/x86_64/Packages/firewalld-filesystem-0.5.3-5.el7.noarch.rpm
wget http://vault.centos.org/7.6.1810/os/x86_64/Packages/python-firewall-0.5.3-5.el7.noarch.rpm
yum downgrade firewalld-0.5.3-5.el7.noarch.rpm firewalld-filesystem-0.5.3-5.el7.noarch.rpm python-firewall-0.5.3-5.el7.noarch.rpm
yum versionlock firewalld firewalld-filesystem python-firewall


This locks the older version so they are not affected by updates.


yum versionlock list shows you the current versions. You should unlock the packages when firewalld 0.8.0 is available or a patch has been applied that addresses the issue.

Or check for updates on:
https://git.centos.org/rpms/firewalld/commits/c7

The relevant changes are:
https://github.com/firewalld/firewalld/commit/88e76ddfed6fe348975bfea9002da0e4627c6e25

(Just applying these changes produced other errors, so sticking with the older version seemed easier for now.)

A detailed discussion of the problem and solution can be found at:

https://github.com/firewalld/firewalld/issues/519

William

Thank you @sheep for the detailed information and sharing the solution with our community. Hopefully, CentOS will manage to release a fixed firewalld version soon.