📖 ~1 min read
Table of contents
Symptom & Impact
Services become unreachable because the interface ends up in the `public` zone with default-deny rules.
Environment & Reproduction
Occurs on SLES 15 after migrating from SuSEfirewall2 or after wicked changes interface names.
Root Cause Analysis
Interface-to-zone binding is not persisted in `/etc/firewalld/zones/*.xml` or NM connection.
Quick Triage
Check current binding with `firewall-cmd –get-active-zones`.
Step-by-Step Diagnosis
Examine `/etc/firewalld/zones/` and the NetworkManager keyfile for ZONE assignments.
Solution – Primary Fix
Move the interface to the correct zone with `firewall-cmd –zone=internal –change-interface=eth0 –permanent` and reload.
Still having issues? Our IT Solutions & Services team can diagnose and resolve this for you. Get in touch for a free consultation.
Solution – Alternative Approaches
Set the zone via NetworkManager connection profile to survive reboots.
Verification & Acceptance Criteria
Expected services answer on the correct interface after `firewall-cmd –reload`.
Rollback Plan
Reassign interface to `public` if the change accidentally exposes new ports.
Prevention & Hardening
Manage firewalld policy via Salt or AutoYaST and audit `–list-all-zones` regularly.
Related Errors & Cross-Refs
Pairs with `WARNING: ZONE_CONFLICT` and dropped packets in nftables logs.
Related tutorial: View the step-by-step tutorial for sles-15.
View all sles-15 tutorials on the Tutorials Hub →
Browse all common problems & solutions on the Tutorials Hub.
References & Further Reading
SUSE firewalld migration and zone administration documentation.
Need Expert Help?
If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today — we respond within one business day.
