Hello ArchLinux, and hello everyone,
In Arch Linux, after executing sudo pacman -Syu, external networks are unable to connect to a specified port (e.g., a custom service port) via telnet, while the SSH port can be connected to normally. Even though the firewall is enabled and the specified port is open, there may still be other issues.
sudo systemctl status firewalld
Active: active (running)
I think this is firewalld's issue, but I don't know how to fix it.
Thanks.
Last edited by Dantes (2025-03-22 13:49:27)
Do you have the nftables.service enabled?
https://wiki.archlinux.org/title/Nftabl … e_firewall
Disable that.
Do you have the nftables.service enabled?
https://wiki.archlinux.org/title/Nftabl … e_firewall
Disable that.
Disabled it, but it does not work.
what gives
sudo firewall-cmd --list-all
Just disabling that service won't flush the netfilter tables; if it was enabled it will cause the perceived behavior.
Either remove the undesired table manually or reboot.
what gives
sudo firewall-cmd --list-all
some public ports, like this: 8080, 80, 443, 22, 1234, but only 22 can telnet, the other ports can't, they always respond to me:
here is the telnet response:
telnet: Unable to connect to remote host: No route to host
here is the curl response:
curl: (28) Failed to connect to x.x.x.x port 8080 after 7128 ms: Could not connect to server
Last edited by Dantes (2025-03-21 12:11:20)
Just disabling that service won't flush the netfilter tables; if it was enabled it will cause the perceived behavior.
Either remove the undesired table manually or reboot.
Yes, I did it as you said and rebooted Arch Linux, but the issue is still not resolved. Maybe I should try it a second time.
cryptearth wrote:
what gives
sudo firewall-cmd --list-all
some public ports, like this: 8080, 80, 443, 22, 1234
Dantes wrote:
cryptearth wrote:
what gives
sudo firewall-cmd --list-all
some public ports, like this: 8080, 80, 443, 22, 1234
Thanks. If I knew the error log, I could try to fix it, but I didn't know that. Maybe I should find it out.
Please avoid bloating the thread with pointless full quotes.
Please post the output of
find /etc/systemd -type l -exec test -f {} \; -print | awk -F'/' '{ printf ("%-40s | %s\n", $(NF-0), $(NF-1)) }' | sort -f
and then
nft list ruleset
Ok, thanks seth. Until now, after disabling and rebooting, the ssh port 22 can't be reached. I lost the server; pinging the IP is invalid. In the process, I just reinstalled firewalld and nftables, disabled nftables and rebooted. Just wait a minute. I use a VPS server, and I can use the web console to command Arch Linux.
Hi seth and everyone, maybe I should open a ticket for help from the VPS office. I can't ping the IP. It's so strange. If there are still issues, I'll have to trouble everyone again. Thanks a lot.
I'd like to raise the suspicion you seem to lack fundamental base knowledge of how to properly admin a public server
setting up a firewall right after install is a good idea - but failing to do so properly and locking yourself out to me somehow looks like you failed to follow simple guides aka the wiki
also: why do you keep referring to telnet?
also also: my link was meant to say: "your reply is useless - please provide the actual output of the command given" - like this:
cryptearth@lim:~> sudo firewall-cmd --list-all
[sudo] Passwort für root:
public (default, active)
target: default
ingress-priority: 0
egress-priority: 0
icmp-block-inversion: no
interfaces: eth0
sources:
services: http https
ports: 2433/tcp 7777/tcp 7777/udp 25/tcp 8143/tcp 8587/tcp 27777/tcp
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" forward-port port="25" protocol="tcp" to-port="8025"
rule family="ipv6" forward-port port="25" protocol="tcp" to-port="8025"
cryptearth@lim:~>
as for simple VPS usually the control panel should offer some nuke options to kill and reset the container in such cases
I'd like to recommend managed services - and a lot of studying about system administration
here is the info:
sudo firewall-cmd --list-all
public (default, active)
target: default
ingress-priority: 0
egress-priority: 0
icmp-block-inversion: no
interfaces: enp1s0
sources:
services: dhcpv6-client ssh
ports: 22/tcp 443/tcp 80/tcp 8080/tcp
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
I have tried to create a new one, still the same issues. After rebooting, I must execute "sudo systemctl restart NetworkManager" so that the IP and ssh port 22 can be telnetted.
use a simple test http golang server
localhost:
curl http://localhost:8080
it works: Hello, this is a test response from the Go HTTP server!
out of the server
curl http://ip:8080
here is the info
curl: (28) Failed to connect to x.x.x.x port 8080 after 7087 ms: Could not connect to server
here is:
find /etc/systemd -type l -exec test -f {} \; -print | awk -F'/' '{ printf ("%-40s | %s\n", $(NF-0), $(NF-1)) }' | sort -f
dbus-org.fedoraproject.FirewallD1.service | system
dbus-org.freedesktop.network1.service | system
dbus-org.freedesktop.resolve1.service | system
dbus-org.freedesktop.timesync1.service | system
default.target | system
docker.service | multi-user.target.wants
fail2ban.service | multi-user.target.wants
firewalld.service | multi-user.target.wants
getty@tty1.service | getty.target.wants
haveged.service | sysinit.target.wants
mariadb.service | multi-user.target.wants
mysql.service | multi-user.target.wants
nftables.service | multi-user.target.wants
openresty.service | multi-user.target.wants
p11-kit-server.socket | sockets.target.wants
php-fpm.service | multi-user.target.wants
remote-fs.target | multi-user.target.wants
sshd.service | multi-user.target.wants
systemd-networkd.service | multi-user.target.wants
systemd-networkd.socket | sockets.target.wants
systemd-networkd-wait-online.service | network-online.target.wants
systemd-network-generator.service | sysinit.target.wants
systemd-resolved.service | sysinit.target.wants
systemd-timesyncd.service | sysinit.target.wants
systemd-userdbd.socket | sockets.target.wants
here is:
nft list ruleset
netlink: Error: cache initialization failed: Invalid argument
This issue I will fix.
Last edited by Dantes (2025-03-22 08:09:41)
Disable nftables.service and reboot…
netlink: Error: cache initialization failed: Invalid argument
wtf? If that remains, please post your complete system journal for the boot:
sudo journalctl -b | curl -F 'file=@-' 0x0.st
Hi, I know the issue.
Finally, I found the root of the problem. It turns out that a new VPS was installed with another firewall, ufw, by default.
sudo systemctl status ufw
Active: active (exited)
After stopping it, the telnet and curl tests are ok.
Thanks.
Last edited by Dantes (2025-03-22 09:20:41)
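The root cause above was a second firewall front-end (ufw) that the symlink listing in /etc/systemd never showed, because it was active without necessarily being enabled. The following POSIX sh snippet is an added example, not code from the thread or from any of the projects named in it: it scans the output format of `systemctl list-units --type=service --all --no-legend --plain` (UNIT LOAD ACTIVE SUB DESCRIPTION) for every netfilter front-end that is in the "active" state, including the "active (exited)" case, and reports a conflict when more than one is running. The unit names in FIREWALL_UNITS and the sample listing are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): list every firewall front-end that is
# active on the host, so that a unit such as ufw.service in the
# "active (exited)" state is caught as well as running daemons.

# Units that each install their own netfilter rule set. Running two of them at
# once gives the "port is open in firewalld but unreachable" symptom. This list
# is an assumption; extend it for other front-ends you use.
FIREWALL_UNITS="firewalld.service ufw.service nftables.service iptables.service ip6tables.service"

# Reads lines in the format of
#   systemctl list-units --type=service --all --no-legend --plain
# (UNIT LOAD ACTIVE SUB DESCRIPTION) on stdin and prints "unit sub" for each
# firewall unit whose ACTIVE column is "active".
active_firewalls() {
    awk -v units="$FIREWALL_UNITS" '
        BEGIN { n = split(units, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 in want) && ($3 == "active") { print $1, $4 }
    '
}

# Exit status 0 when at most one front-end is active, 1 when there is a conflict.
firewall_conflict() {
    count=$(active_firewalls | wc -l | tr -d ' ')
    [ "$count" -le 1 ]
}

# Constructed sample mirroring the thread: firewalld running, nftables disabled
# after the earlier advice, but ufw still active (exited).
SAMPLE='firewalld.service loaded active running firewalld - dynamic firewall daemon
nftables.service loaded inactive dead Netfilter Tables
ufw.service loaded active exited Uncomplicated firewall
sshd.service loaded active running OpenSSH Daemon'

if [ "${1:-}" = "--live" ]; then
    # Run against the real host instead of the constructed sample.
    if systemctl list-units --type=service --all --no-legend --plain | firewall_conflict; then
        echo "at most one firewall front-end is active"
    else
        echo "CONFLICT: more than one firewall front-end is active:"
        systemctl list-units --type=service --all --no-legend --plain | active_firewalls
    fi
else
    printf '%s\n' "$SAMPLE" | active_firewalls
fi
```

Run it with `--live` on the server to check the real unit list; without arguments it walks the constructed sample, where it reports both firewalld.service and ufw.service as active even though only firewalld appears in the enabled-symlink listing.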
Disable nftables.service and reboot…
netlink: Error: cache initialization failed: Invalid argument
wtf? If that remains, please post your complete system journal for the boot:
sudo journalctl -b | curl -F 'file=@-' 0x0.st
I have fixed it, thanks.
ufw isn't listed in #15?
Anyway, please always remember to mark resolved threads by editing your initial posts subject - so others will know that there's no task left, but maybe a solution to find.
Thanks.
Not in the list. OK, I will mark it. Thanks for your reminder.