Enable Firewall Zone Forwarding on Rocky Linux 9
Overview
After migrating Swarm Component Server (SCS) to Rocky Linux 9 (RL9), outbound traffic may be blocked by default because the firewalld configuration has no ingress/egress zone definitions for the Swarm networks. This issue affects RL9-based SCS deployments and results in broken replication, missing health reports, and reduced support visibility because phone-home reports are never sent.
Symptoms
Swarm outbound traffic is blocked.
Storage node replication may fail.
Health and status reports are not sent.
Call-home metrics may not be received by support systems.
Cause
By default, Rocky Linux 9 does not include ingress and egress zone forwarding rules in the firewalld configuration for SCS deployments.
Solution
Enable zone forwarding in firewalld so that Swarm traffic can flow correctly between networks. To resolve the issue, follow the steps below:
Configure firewalld policies.
firewall-cmd --new-policy swarm-public --permanent
firewall-cmd --reload
firewall-cmd --policy swarm-public --add-ingress-zone=swarm_site --permanent
firewall-cmd --policy swarm-public --add-egress-zone=public --permanent
firewall-cmd --policy swarm-public --set-target=ACCEPT --permanent
firewall-cmd --reload
This creates a policy with the correct ingress zone (swarm_site) and egress zone (public) and ensures that traffic can flow from the backend network to the public network.
After applying the above configuration, verify that the SCS can successfully generate a health report, which confirms outbound communication is functioning as expected.
Generate a Health Report for Verification. Use the following GET request to generate a health report locally from a Swarm node:
curl http://[nodeip]:90/health_report_button
Replace [nodeip] with the IP address of any Swarm node. If the command returns a success response, outbound communication is functioning correctly.
Alternatively, refer to the Manually Updating the Swarm Health Report documentation for detailed verification steps.
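As an added check (example code, not from this article or the SCS project), the following POSIX shell function confirms that the swarm-public policy created by the steps above really carries the intended target and zones, by parsing the output of firewall-cmd --info-policy swarm-public. It assumes the firewalld 1.x layout of that output; the sample text in the block is constructed for illustration, not captured from a real host.

```shell
# check_swarm_policy: read `firewall-cmd --info-policy swarm-public` output on
# stdin; return 0 only when target=ACCEPT, swarm_site is an ingress zone and
# public is an egress zone. The first mismatch is reported on stderr.
check_swarm_policy() {
  target="" ingress="" egress=""
  while IFS= read -r line; do
    case "$line" in
      *"target:"*)        target="${line#*target:}"; target="${target# }" ;;
      *"ingress-zones:"*) ingress="${line#*ingress-zones:}" ;;
      *"egress-zones:"*)  egress="${line#*egress-zones:}" ;;
    esac
  done
  [ "$target" = "ACCEPT" ] ||
    { echo "target is '${target:-unset}', expected ACCEPT" >&2; return 1; }
  case " $ingress " in
    *" swarm_site "*) ;;
    *) echo "ingress-zones '$ingress' does not include swarm_site" >&2; return 1 ;;
  esac
  case " $egress " in
    *" public "*) ;;
    *) echo "egress-zones '$egress' does not include public" >&2; return 1 ;;
  esac
  return 0
}

# Constructed sample (assumed firewalld 1.x --info-policy layout, not captured
# from an SCS host): the policy after the article's steps have been applied.
GOOD_POLICY='swarm-public (active)
  priority: -1
  target: ACCEPT
  ingress-zones: swarm_site
  egress-zones: public
  services:
  ports:
  masquerade: no'

# Constructed sample: a freshly created policy with no zones, i.e. the broken
# state described under Cause (new policies default to target CONTINUE).
BAD_POLICY='swarm-public
  priority: -1
  target: CONTINUE
  ingress-zones:
  egress-zones:'

# policy_ok TEXT: run the check on a string instead of stdin.
policy_ok() { printf '%s\n' "$1" | check_swarm_policy; }

policy_ok "$GOOD_POLICY" && echo "policy matches the article's configuration"
policy_ok "$BAD_POLICY"  || echo "unconfigured policy correctly rejected"
# On a real RL9 host:  firewall-cmd --info-policy swarm-public | check_swarm_policy
```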
See Also
https://perifery.atlassian.net/wiki/x/AYANBgE