Cannot open FTP port via firewalld

I'm trying to open the ftp port in the public zone, and firewall-cmd exits with a very non-descriptive response. The command output is:

firewall-cmd --zone=public --add-service=ftp
Error: COMMAND_FAILED

OS: CentOS Linux release 7.3.1611 (Core)


Updating original question with more details.

journalctl output:

~ firewall-cmd --zone=public --add-service=ftp
Error: COMMAND_FAILED
~ journalctl -xf
Mar 06 00:46:42 hostname firewalld[3496]: ERROR: COMMAND_FAILED

debug output:

~ firewalld --nofork --debug=10
<...>
2017-03-06 00:49:57 DEBUG1: zone.addService('public', 'ftp', 0)
2017-03-06 00:49:57 DEBUG4: <class 'firewall.core.fw_transaction.FirewallZoneTransaction'>.execute(True)
2017-03-06 00:49:57 DEBUG4: <class 'firewall.core.fw_transaction.FirewallZoneTransaction'>.prepare(True, ...)
2017-03-06 00:49:57 DEBUG4: <class 'firewall.core.fw_transaction.FirewallZoneTransaction'>.prepare(True, ...)
2017-03-06 00:49:57 DEBUG4: <class 'firewall.core.fw_transaction.FirewallZoneTransaction'>.pre()
2017-03-06 00:49:57 DEBUG2: <class 'firewall.core.ipXtables.ip4tables'>: /usr/sbin/iptables-restore /run/firewalld/temp.tptEtP: 89
       1: *filter
       2: -A IN_public_allow -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
       3: COMMIT
2017-03-06 00:49:57 DEBUG2: <class 'firewall.core.ipXtables.ip6tables'>: /usr/sbin/ip6tables-restore /run/firewalld/temp.CYsjiA: 89
       1: *filter
       2: -A IN_public_allow -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
       3: COMMIT
2017-03-06 00:49:57 DEBUG2: <class 'firewall.core.modules.modules'>: /sbin/modprobe nf_conntrack_ftp
2017-03-06 00:49:57 DEBUG2: <class 'firewall.core.ipXtables.ip4tables'>: /usr/sbin/iptables-restore /run/firewalld/temp.1dBrUZ: 89
       1: *filter
       2: -D IN_public_allow -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
       3: COMMIT
2017-03-06 00:49:57 DEBUG2: <class 'firewall.core.ipXtables.ip6tables'>: /usr/sbin/ip6tables-restore /run/firewalld/temp.vbUyZC: 89
       1: *filter
       2: -D IN_public_allow -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
       3: COMMIT
2017-03-06 00:49:57 ERROR: COMMAND_FAILED

One more update: if I do:

~ iptables -A IN_public_allow -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT

the ftp service works. However, I'd like to manage everything via firewalld, so I'm wondering whether this is a firewalld glitch or an error in configuration.


Same issue, but --add-port worked for me:

# firewall-cmd --zone=public --add-port=21/tcp
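
The debug trace in the question shows the rule being added, `modprobe nf_conntrack_ftp` being run, and then the same rule being deleted again. As an added example (not from the original posts), the shell function below reads such a trace and prints the command logged just before that rollback; `failed_step` and `sample_trace` are names made up here, and the sample is the question's trace shortened to its IPv4 lines.

```shell
#!/bin/sh
# Added example: find the step that made firewalld roll back its own rules.
# Reads `firewalld --nofork --debug=10` output on stdin and prints the external
# command logged immediately before the first rule that was added got deleted.
failed_step() {
    awk '
    # External command logged by firewalld: "DEBUG2: <class ...>: /path args"
    /DEBUG2: <class .*>: \// {
        cmd = $0
        sub(/^.*>: /, "", cmd)
        prev = cur; cur = cmd
        next
    }
    # Numbered rule line inside an iptables-restore dump
    /^[ \t]*[0-9]+: -[AD] / {
        rule = $0
        sub(/^[ \t]*[0-9]+: /, "", rule)
        op = substr(rule, 1, 2); rule = substr(rule, 4)
        if (op == "-A") added[rule] = 1
        else if (rule in added) { print prev; found = 1; exit }
    }
    END { exit !found }   # non-zero status when no rollback was seen
    '
}

# Sample input: the trace from the question, shortened to the IPv4 lines.
sample_trace() {
    cat <<'EOF'
2017-03-06 00:49:57 DEBUG1: zone.addService('public', 'ftp', 0)
2017-03-06 00:49:57 DEBUG2: <class 'firewall.core.ipXtables.ip4tables'>: /usr/sbin/iptables-restore /run/firewalld/temp.tptEtP: 89
       1: *filter
       2: -A IN_public_allow -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
       3: COMMIT
2017-03-06 00:49:57 DEBUG2: <class 'firewall.core.modules.modules'>: /sbin/modprobe nf_conntrack_ftp
2017-03-06 00:49:57 DEBUG2: <class 'firewall.core.ipXtables.ip4tables'>: /usr/sbin/iptables-restore /run/firewalld/temp.1dBrUZ: 89
       1: *filter
       2: -D IN_public_allow -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
       3: COMMIT
2017-03-06 00:49:57 ERROR: COMMAND_FAILED
EOF
}

sample_trace | failed_step   # prints: /sbin/modprobe nf_conntrack_ftp
```

`--add-port=21/tcp` only inserts the rule and does not request the `nf_conntrack_ftp` helper module, which fits with it succeeding where `--add-service=ftp` fails. Without the helper, passive-mode data connections are not tracked as RELATED, so the data port range has to be opened explicitly.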