On 2/1/19 8:49 AM, Laine Stump wrote:
On 2/1/19 8:28 AM, Eric Garver wrote:
> On Thu, Jan 31, 2019 at 10:10:43PM -0500, Laine Stump wrote:
>> On 1/31/19 8:24 PM, Laine Stump wrote:
>>> Changes from V1:
>>> [...]
>>> * make the <reject/> rule's priority 32767 instead of 127.
>>> [...]
>>> +
>>> +<rule priority='32767'>
>>> + <reject/>
>>> +</rule>
>>
>> I found out after sending this that when I make the priority of the
>> reject
>> rule 32767 instead of 127, it's apparently ignored (in my example, I
>> was
>> able to ssh to port 222 of the host even though the zone doesn't allow
>> that).
>>
>>
>> Eric, any idea why this might be happening?
> What build are you testing against? At one point the limit was 127, but
> I increased it before pushing it upstream. You can check the firewalld
> logs - there may be an error reporting the above priority is out of
> range.
>
Ah, maybe you haven't backported that change to RHEL? I was testing on
my RHEL8 beta system. If that's the case, then either we need that
change backported to RHEL too, or I need to change the priority back
to 127.
Okay, Eric and I figured out thie problem was that my test machine was
running an early scratch build of the firewalld package that had the
limit for priority at 127, but also had been given a fake version that
was *higher* than the proper build in the repo, so yum update wasn't
grabbing it. Now that my firewalld package is up to date, it works properly!