Cannot start firewall

Hello,

This PBX was upgraded a while ago from version 2 to version 3, but during the upgrade, firewall was not enabled, only intrusion detection was.

The PBX is now on the latest version, but we still cannot enable the firewall. When we try to enable it, we get the following error:

image

We also tried the below; it makes no difference:

[root@pbx1 ~]# vitalpbx apply-firewall
FirewallD is not running
Done

We also see MySQL spiking every minute:

image

How do we go about these issues?

Thanks

Certainly odd, the error is saying the unit file is masked, which is basically causing the unit server to be pointed to /dev/null. In normal cases, masking the unit file will be a bit above using disable as you won't even be able to start the service without unmasking the unit file first. Wonder what caused that.

Check the status directly as well to know what the system is reporting: systemctl status firewalld.service
What are the contents of your firewalld.service file in /usr/lib/systemd/system?

Hi @hlev, thank you for responding.

[root@pbx1 ~]# systemctl status firewalld.service
● firewalld.service
   Loaded: masked (/dev/null; bad)
   Active: inactive (dead)

Aug 19 06:49:52 pbx1.domain.local systemd[1]: Cannot add dependency job for unit firewalld.service, ignoring: Unit is masked.
Warning: firewalld.service changed on disk. Run 'systemctl daemon-reload' to reload units.

Here’s the content of firewalld.service

[root@pbx1 ~]# cat /usr/lib/systemd/system/firewalld.service
[Unit]
Description=firewalld - dynamic firewall daemon
Before=network-pre.target
Wants=network-pre.target
After=dbus.service
After=polkit.service
Conflicts=iptables.service ip6tables.service ebtables.service ipset.service
Documentation=man:firewalld(1)

[Service]
EnvironmentFile=-/etc/sysconfig/firewalld
ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS
ExecReload=/bin/kill -HUP $MAINPID
# supress to log debug and error output also to /var/log/messages
StandardOutput=null
StandardError=null
Type=dbus
BusName=org.fedoraproject.FirewallD1
KillMode=mixed

[Install]
WantedBy=multi-user.target
Alias=dbus-org.fedoraproject.FirewallD1.service

Thank you

@PitzKey

Check the link below
https://www.thegeeksearch.com/how-to-unmask-a-masked-service-in-centos-rhel-7-and-8/


Thanks, for some reason, it did not show any symlink.

[root@pbx1 ~]# file /usr/lib/systemd/system/firewalld.service
/usr/lib/systemd/system/firewalld.service: ASCII text

I resolved it by doing the following:

[root@pbx1 ~]# systemctl list-unit-files | grep irewall
dbus-org.fedoraproject.FirewallD1.service     masked
firewalld.service                             masked

This confirmed that there are two services that are masked. Checking each individually confirmed that they both rely on firewalld:

[root@pbx1 ~]# systemctl status -l firewalld.service
● firewalld.service
   Loaded: masked (/dev/null; bad)
   Active: inactive (dead)

Aug 19 06:49:52 pbx1.domain.local systemd[1]: Cannot add dependency job for unit firewalld.service, ignoring: Unit is masked.
Warning: firewalld.service changed on disk. Run 'systemctl daemon-reload' to reload units.

[root@pbx1 ~]# systemctl status -l dbus-org.fedoraproject.FirewallD1.service
● firewalld.service
   Loaded: masked (/dev/null; bad)
   Active: inactive (dead)

Aug 19 06:49:52 pbx1.domain.local systemd[1]: Cannot add dependency job for unit firewalld.service, ignoring: Unit is masked.

So I reloaded the daemon:

systemctl daemon-reload

Now it showed just this:

[root@pbx1 ~]# systemctl status -l firewalld.service
● firewalld.service
   Loaded: masked (/dev/null; bad)
   Active: inactive (dead)

Aug 19 06:49:52 pbx1.domain.local systemd[1]: Cannot add dependency job for unit firewalld.service, ignoring: Unit is masked.

So I ran:

systemctl unmask --now firewalld
systemctl start firewalld

And bingo!

[root@pbx1 ~]# systemctl status -l firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2021-08-24 03:53:31 EDT; 16s ago
     Docs: man:firewalld(1)
 Main PID: 19462 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─19462 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

Aug 24 03:53:31 pbx1.domain.local systemd[1]: Starting firewalld - dynamic firewall daemon...
Aug 24 03:53:31 pbx1.domain.local systemd[1]: Started firewalld - dynamic firewall daemon.
Aug 24 03:53:31 pbx1.domain.local firewalld[19462]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.
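
Added example, not part of any post in this thread: the `file` check above looked at the vendor unit in /usr/lib/systemd/system, while `systemctl mask` places its /dev/null symlink in /etc/systemd/system, which takes precedence. The sketch below lists masked units in an override directory; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# List masked units in a systemd override directory and report whether a
# vendor unit of the same name still exists in a lower-priority directory.

# is_masked FILE: systemd treats a unit as masked when its file is a
# symlink resolving to /dev/null or an empty (zero-byte) file.
is_masked() {
    if [ -L "$1" ]; then
        [ "$(readlink -f "$1")" = "/dev/null" ]
    else
        [ -f "$1" ] && [ ! -s "$1" ]
    fi
}

# find_masked_units OVERRIDE_DIR VENDOR_DIR
# Prints one line per masked unit: "<unit> vendor=present|absent".
find_masked_units() {
    for path in "$1"/*; do
        # -e is false for dangling symlinks, so accept -L as well
        [ -e "$path" ] || [ -L "$path" ] || continue
        is_masked "$path" || continue
        name=${path##*/}
        if [ -s "$2/$name" ]; then
            echo "$name vendor=present"
        else
            echo "$name vendor=absent"
        fi
    done
}

# Constructed sample tree mirroring the thread (not a real system): the
# vendor unit is plain text, the masks live in the override directory.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/usr"
    printf '[Unit]\nDescription=firewalld\n' > "$root/usr/firewalld.service"
    printf '[Unit]\nDescription=sshd\n' > "$root/usr/sshd.service"
    ln -s /dev/null "$root/etc/firewalld.service"
    ln -s /dev/null "$root/etc/dbus-org.fedoraproject.FirewallD1.service"
    # An ordinary link to a real unit file is not a mask
    ln -s "$root/usr/sshd.service" "$root/etc/sshd.service"
    echo "$root"
}

sample=$(make_sample_tree)
find_masked_units "$sample/etc" "$sample/usr"
rm -rf "$sample"
# On a real host: find_masked_units /etc/systemd/system /usr/lib/systemd/system
```

A firewall unit that shows up here on a host where nobody remembers masking it is worth tracing back to the upgrade or package script that did it, since the host has been running without its packet filter since then.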