CentOS 7 firewalld remove direct rule
After upgrading the system from 6.5 to 7, I started learning to implement a dynamic firewall; however, I made the mistake of adding the following rule
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -j DROP
which causes the machine to drop all output to the outside.
I tried to use
firewall-cmd --permanent --direct --remove-rule ipv4 filter OUTPUT 1 -j DROP
to welcome everyone back.
However, after
firewall-cmd --reload
and
firewall-cmd --direct --get-all-rules
, I find this rule comes back again automatically.
I even tried
firewall-cmd --complete-reload
but with no effect.
What can I do now?
Solution 1:
Eventually I found that the remove command only works once, because the rules are recorded in direct.xml.
Thus, the solution is easy: edit direct.xml
and comment out the corresponding lines or just delete them.
Solution 2:
After wrestling with a stubbornly persistent redirect rule I realized through testing the following:
- iptables rules DB is transient
- firewall-cmd --permanent rules DB persists through reboots, rewriting iptables rules DB after reboot
- firewall-cmd --permanent --direct rules DB stored in /etc/firewalld/direct.xml persists despite firewall-cmd [--permanent] --direct --remove-rule unless DB file is removed
- firewall-cmd [--permanent] --direct --query-rule will lie about persistence of rules in /etc/firewalld/direct.xml
Solution 3:
I just tried the same thing and my direct.xml was emptied after running
firewall-cmd --direct --remove-rule ...
without the --permanent option.
After reload there are no direct rules that were removed.
With this option, the rules were back after reload.
Solution 4:
firewall-cmd [--permanent] --direct --remove-rules { ipv4 | ipv6 | eb } table chain
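Solution 1 edits /etc/firewalld/direct.xml by hand, and Solution 2 warns that --query-rule does not reliably tell you what that file still holds. The script below is an added example, not code from this thread or from the firewalld project: it builds a constructed direct.xml-style sample file, lists the <rule> elements it contains, counts how many match a given ipv/table/chain/priority/argument tuple, and removes a matching rule while keeping a .bak copy. The element layout mirrors what firewalld writes (an assumption; attribute order in a real file may differ, which is why the matcher tests each attribute separately rather than matching one fixed string). Run it against a copy of the real file only after stopping firewalld, and reload afterwards so the running rules and the file agree.

```shell
#!/bin/sh
# Added example, not from the original thread or from firewalld itself.
# Works on a direct.xml-style file offline; the sample below is constructed.

# Write a constructed sample direct.xml to the path given as $1.
# Layout assumed to mirror what firewalld writes for --permanent --direct rules.
make_sample_direct_xml() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-p tcp --dport 2222 -j ACCEPT</rule>
  <rule priority="1" table="filter" ipv="ipv4" chain="OUTPUT">-j DROP</rule>
</direct>
EOF
}

# Print every <rule> element in the file, one per line.
list_direct_rules() {
    grep '<rule ' "$1" || true
}

# Count rules matching all five fields, independent of attribute order.
# Usage: count_direct_rule FILE IPV TABLE CHAIN PRIORITY ARGS
count_direct_rule() {
    grep '<rule ' "$1" \
      | grep "ipv=\"$2\"" \
      | grep "table=\"$3\"" \
      | grep "chain=\"$4\"" \
      | grep "priority=\"$5\"" \
      | grep -c ">$6</rule>" || true
}

# Remove every rule matching the five fields, keeping a FILE.bak copy.
# Usage: remove_direct_rule FILE IPV TABLE CHAIN PRIORITY ARGS
remove_direct_rule() {
    file=$1
    cp "$file" "$file.bak"
    # awk keeps each line unless it is a <rule> line carrying all five markers;
    # index() returns 0 when a marker is absent, so the && chain short-circuits.
    awk -v ipv="ipv=\"$2\"" -v tbl="table=\"$3\"" -v chn="chain=\"$4\"" \
        -v pri="priority=\"$5\"" -v args=">$6</rule>" '
        !(/<rule / && index($0, ipv) && index($0, tbl) && index($0, chn) \
                   && index($0, pri) && index($0, args))
    ' "$file.bak" > "$file"
}

# Stand-alone demo: build the sample, show the stuck OUTPUT DROP rule, drop it.
demo_file=$(mktemp)
make_sample_direct_xml "$demo_file"
echo "before:"; list_direct_rules "$demo_file"
echo "matches for OUTPUT/1/-j DROP: $(count_direct_rule "$demo_file" ipv4 filter OUTPUT 1 '-j DROP')"
remove_direct_rule "$demo_file" ipv4 filter OUTPUT 1 '-j DROP'
echo "after:"; list_direct_rules "$demo_file"
rm -f "$demo_file" "$demo_file.bak"
```

The count step is the check Solution 2 asks for: inspecting the file directly instead of trusting --query-rule. Because firewalld rewrites direct.xml from its own state, edit the file only while the daemon is stopped, then start it (or run firewall-cmd --reload) so that firewall-cmd --direct --get-all-rules and the file report the same set.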