Page 1 of 2 (results 1 to 10 of 13)

Thread: Opening ports in the new YaST2 Firewall

  1. #1 MirceaKitsune (Join Date: Jan 2009; Location: Romania, Bucharest; Posts: 818)

    Opening ports in the new YaST2 Firewall

    It appears that in recent months or years, the YaST -> Security and Users -> Firewall menu has seen a remake. The new layout confuses me in how I can open ports for the firewall. Previously I clicked on Allowed Services, Advanced, and was able to add a TCP port there... now however there seems to be a new design based on zones.

    The issue is that I don't know which zone I should open a port in: My device appears in a zone called "default", but that's not an actual zone available in the drop-down list, thus it doesn't tell me when a rule actually gets used or not. Also how do I separate those ports in the field (with spaces, commas, etc)? Thanks for the clarification.
    openSUSE Tumbleweed x64, KDE Framework 5

  2. #2 deano_ferrari (Join Date: Jun 2008; Location: Auckland, NZ; Posts: 20,996; Blog Entries: 1)

    Re: Opening ports in the new YaST2 Firewall

    Quote Originally Posted by MirceaKitsune:
    > It appears that in recent months or years, the YaST -> Security and Users -> Firewall menu has seen a remake.
    Not a remake, but more a move to using firewalld as default (there are alternatives available).

    > The new layout confuses me in how I can open ports for the firewall. Previously I clicked on Allowed Services, Advanced, and was able to add a TCP port there... now however there seems to be a new design based on zones.
    Yes, firewalld provides broad categories called zones (each configured to provide a level of trust). For most of us using one (or two) interfaces, it makes sense to stay with the defaults, each configured to allow specific services. The zones can be configured as you see fit.

    > The issue is that I don't know which zone I should open a port in: My device appears in a zone called "default", but that's not an actual zone available in the drop-down list, thus it doesn't tell me when a rule actually gets used or not.
    The connected network interface is likely in the public zone. You can confirm that with
    Code:
    firewall-cmd --get-default-zone
    If using multiple interfaces and zones you can also do
    Code:
    firewall-cmd --get-active-zones
    More comprehensive information can be got using
    Code:
    firewall-cmd --list-all
    > Also how do I separate those ports in the field (with spaces, commas, etc)? Thanks for the clarification.
    Many of the common services can be enabled (permitted) in the GUI (firewall-config) by checking the appropriate service in the list of services. For adding ports numerically, just add one at a time, or a range, e.g. '3000-4000'.

    The CLI command to allow port 5000 TCP would be
    Code:
    sudo firewall-cmd --zone=public --add-port=5000/tcp
    Hope that helps.

    More info
    https://firewalld.org/documentation/
    https://www.digitalocean.com/communi...ld-on-centos-7
    Last edited by deano_ferrari; 09-Nov-2018 at 17:07.
    openSUSE Leap 15.1; KDE Plasma 5

  3. #3 deano_ferrari (Join Date: Jun 2008; Location: Auckland, NZ; Posts: 20,996; Blog Entries: 1)

    Re: Opening ports in the new YaST2 Firewall

    One more thing to be aware of - The running firewall can be examined and configured on the fly, but you must remember to apply it to the permanent configuration so that the changes are not lost...
    Code:
    sudo firewall-cmd --runtime-to-permanent
    Alternatively, make your changes in the 'permanent' mode and they'll be applied the next time firewalld is started.

    https://firewalld.org/documentation/...permanent.html
    openSUSE Leap 15.1; KDE Plasma 5
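    As an added example (not code from the thread, from openSUSE or from the firewalld project), the following POSIX shell script ties posts #2 and #3 together: find the zone that actually handles an interface, validate the port specs in the syntax firewall-cmd expects ("5000/tcp", "3000-4000/udp"), apply them at runtime, and then persist with --runtime-to-permanent. It assumes firewall-cmd is installed and the script runs with root privileges; the zone, interface and port numbers in the usage lines are placeholders, and the DRY_RUN and FW variables are conventions of this script, not firewalld options.

```shell
#!/bin/sh
# Added example, not from the thread: open ports in the firewalld zone that really
# handles your interface, then persist the change (posts #2 and #3 above).
# Assumptions: firewall-cmd is installed and this runs as root (or via sudo);
# port specs use firewalld's own syntax, "5000/tcp" or "3000-4000/udp".

FW=${FW:-firewall-cmd}
DRY_RUN=${DRY_RUN:-0}

# Run firewall-cmd, or only print the command when DRY_RUN=1 or the binary is absent.
fw() {
  if [ "$DRY_RUN" = 1 ] || ! command -v "$FW" >/dev/null 2>&1; then
    printf 'would run: %s %s\n' "$FW" "$*"
  else
    "$FW" "$@"
  fi
}

# Zone that handles interface $1. An interface with no explicit binding is
# handled by the default zone, which is what the YaST dialog labels "default".
zone_for_interface() {
  z=$("$FW" --get-zone-of-interface "$1" 2>/dev/null) || z=$("$FW" --get-default-zone 2>/dev/null)
  printf '%s\n' "$z"
}

# True if $1 is a firewalld port spec: PORT/PROTO or LOW-HIGH/PROTO, ports 1-65535,
# protocol tcp, udp, sctp or dccp (lowercase, as firewalld expects).
valid_port_spec() {
  spec=$1
  ports=${spec%/*}
  proto=${spec#*/}
  [ "$ports" != "$spec" ] || return 1                 # missing "/PROTO"
  case "$proto" in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
  lo=${ports%-*}
  hi=${ports#*-}
  for n in "$lo" "$hi"; do
    case "$n" in ''|*[!0-9]*) return 1 ;; esac        # not a plain number
    [ "$n" -ge 1 ] && [ "$n" -le 65535 ] || return 1
  done
  [ "$lo" -le "$hi" ]
}

# open_ports ZONE SPEC...   e.g. open_ports public 5000/tcp 3000-4000/udp
# Every spec is validated before anything is changed, so a typo in the second
# spec cannot leave the first one applied and the rest not.
open_ports() {
  zone=$1
  shift
  [ $# -gt 0 ] || { echo "usage: open_ports ZONE SPEC..." >&2; return 2; }
  for spec in "$@"; do
    valid_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 2; }
  done
  for spec in "$@"; do
    fw --zone="$zone" --add-port="$spec" || return 1   # runtime change, effective now
  done
  fw --runtime-to-permanent || return 1                 # otherwise lost on restart/reload
  fw --zone="$zone" --list-ports                        # verify what the zone now allows
}

# Run directly:   sudo ./open-ports.sh "$(zone_for_interface eth0)" 5000/tcp
# Preview only:   DRY_RUN=1 ./open-ports.sh public 5000/tcp 3000-4000/udp
if [ $# -gt 0 ]; then
  open_ports "$@"
fi
```

    Two practical points the script builds in: use the zone reported for the interface (or by firewall-cmd --get-active-zones) instead of assuming "public", and remember that --runtime-to-permanent copies the whole runtime state, including any other rule you were only experimenting with, so look at firewall-cmd --list-all before persisting if you are not sure what else is in there.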

  4. #4 MirceaKitsune (Join Date: Jan 2009; Location: Romania, Bucharest; Posts: 818)

    Re: Opening ports in the new YaST2 Firewall

    Hmmm. From the looks of it, I might not need to open up numerical ports any more, just the services. I see sshd is already somewhere on that list by default; ssh is one reason why I needed to open a port.

    I also wish to add x11vnc however. But it doesn't seem to be in the services list from which I could add it. I imagine the only option there is to add the port manually? Or can I still whitelist the process?
    openSUSE Tumbleweed x64, KDE Framework 5

  5. #5 deano_ferrari (Join Date: Jun 2008; Location: Auckland, NZ; Posts: 20,996; Blog Entries: 1)

    Re: Opening ports in the new YaST2 Firewall

    Quote Originally Posted by MirceaKitsune:
    > Hmmm. From the looks of it, I might not need to open up numerical ports any more, just the services. I see sshd is already somewhere on that list by default, ssh is one reason why I needed to open a port.
    Yes, all the commonly used services are already defined for you to select.

    > I also wish to add x11vnc however. But it doesn't seem to be in the services list from which I could add it. I imagine the only option there is to add the port manually? Or can I still whitelist the process?
    Choose the 'vnc-server' service.
    openSUSE Leap 15.1; KDE Plasma 5

  6. #6 MirceaKitsune (Join Date: Jan 2009; Location: Romania, Bucharest; Posts: 818)

    Re: Opening ports in the new YaST2 Firewall

    Quote Originally Posted by deano_ferrari:
    > Yes, all the commonly used services are already defined for you to select.
    >
    > Choose the 'vnc-server' service.
    Oh... will it apply to any other VNC service? I use x11vnc specifically so I was expecting to see that name there. Will test how this works tomorrow, thanks.

    I wonder what my options are if I ever need to whitelist a custom process however. For instance I used to run an OpenSim (Second Life) server several years ago, which required special ports to be opened... in cases like those is it possible to define custom entries?
    openSUSE Tumbleweed x64, KDE Framework 5

  7. #7 deano_ferrari (Join Date: Jun 2008; Location: Auckland, NZ; Posts: 20,996; Blog Entries: 1)

    Re: Opening ports in the new YaST2 Firewall

    Quote Originally Posted by MirceaKitsune:
    > Oh... will it apply to any other VNC service? I use x11vnc specifically so I was expecting to see that name there. Will test how this works tomorrow, thanks.
    Well, that's just one implementation using VNC, and typically using port 5900+N. Firewalld caters for a few additional ports - the VNC protocol normally uses port 59xx, where xx is the display number of the server. You could choose to just allow port 5900 I guess if only one active X-server display.

    https://en.wikipedia.org/wiki/Virtua...ting#Operation
    openSUSE Leap 15.1; KDE Plasma 5

  8. #8 MirceaKitsune (Join Date: Jan 2009; Location: Romania, Bucharest; Posts: 818)

    Re: Opening ports in the new YaST2 Firewall

    Quote Originally Posted by deano_ferrari:
    > Well, that's just one implementation using VNC, and typically using port 5900+N. Firewalld caters for a few additional ports - the VNC protocol normally uses port 59xx, where xx is the display number of the server. You could choose to just allow port 5900 I guess if only one active X-server display.
    >
    > https://en.wikipedia.org/wiki/Virtua...ting#Operation
    Oh... I customize my VNC port though. Sounds like I'll need to add the numbers directly.
    openSUSE Tumbleweed x64, KDE Framework 5

  9. #9 deano_ferrari (Join Date: Jun 2008; Location: Auckland, NZ; Posts: 20,996; Blog Entries: 1)

    Re: Opening ports in the new YaST2 Firewall

    Quote Originally Posted by MirceaKitsune:
    > I wonder what my options are if I ever need to whitelist a custom process however. For instance I used to run an OpenSim (Second Life) server several years ago, which required special ports to be opened... in cases like those is it possible to define custom entries?
    I'm not familiar with OpenSim, but in general terms, if it requires particular port ranges then yes it can be configured as necessary. Linux firewalls are usually designed around firewall rules to allow or deny particular traffic by packet filtering, not controlling processes/applications as such.
    openSUSE Leap 15.1; KDE Plasma 5

  10. #10 deano_ferrari (Join Date: Jun 2008; Location: Auckland, NZ; Posts: 20,996; Blog Entries: 1)

    Re: Opening ports in the new YaST2 Firewall

    Quote Originally Posted by MirceaKitsune:
    > Oh... I customize my VNC port though. Sounds like I'll need to add the numbers directly.
    Yes, that's the easiest option, although it is possible to add a custom service if you prefer...
    https://firewalld.org/documentation/...a-service.html
    As you can see firewalld is very flexible.
    openSUSE Leap 15.1; KDE Plasma 5
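    As an added example (not code from the thread or from the firewalld project), here is the custom-service route post #10 mentions, applied to the x11vnc-on-a-custom-port case from posts #6 to #8: a shell script that writes a firewalld service definition file and enables it in a zone. firewalld reads such files from /etc/firewalld/services/NAME.xml, and the layout below mirrors the service files firewalld ships (for instance vnc-server.xml). The service name "x11vnc", its description and the port 5901/tcp are assumptions; substitute whatever port x11vnc is actually started on. SERVICES_DIR and FW are conventions of this script so it can be dry-run into a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread: define a custom firewalld service for
# x11vnc on a non-standard port instead of remembering bare port numbers in the
# zone. firewalld loads service definitions from /etc/firewalld/services/NAME.xml.
# Assumptions: the name "x11vnc", the description and 5901/tcp are illustrative;
# the XML layout follows firewalld's own shipped service files.

FW=${FW:-firewall-cmd}
SERVICES_DIR=${SERVICES_DIR:-/etc/firewalld/services}

# Escape the three characters that would break the XML if they occur in free text.
xml_escape() {
  printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# Shape check for PORT/PROTO or LOW-HIGH/PROTO; the numeric range itself is
# checked by firewalld when the file is loaded, so it is not repeated here.
valid_spec() {
  case "${1#*/}" in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
  case "${1%/*}" in ''|-*|*-|*[!0-9-]*|*-*-*) return 1 ;; esac
}

# write_service_xml NAME DESCRIPTION SPEC...   writes $SERVICES_DIR/NAME.xml and
# prints its path. Specs use the same syntax as firewall-cmd --add-port.
write_service_xml() {
  name=$1
  desc=$2
  shift 2
  [ $# -gt 0 ] || { echo "write_service_xml: no ports given" >&2; return 2; }
  case "$name" in ''|*[!A-Za-z0-9_-]*) echo "bad service name: $name" >&2; return 2 ;; esac
  for spec in "$@"; do
    valid_spec "$spec" || { echo "bad port spec: $spec" >&2; return 2; }
  done
  file=$SERVICES_DIR/$name.xml
  {
    printf '<?xml version="1.0" encoding="utf-8"?>\n'
    printf '<service>\n'
    printf '  <short>%s</short>\n' "$(xml_escape "$name")"
    printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
    for spec in "$@"; do
      printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
    done
    printf '</service>\n'
  } > "$file" || return 1
  chmod 0644 "$file"                       # readable by firewalld, writable only by root
  printf '%s\n' "$file"
}

# enable_service NAME ZONE: reload so firewalld sees the new file, allow the
# service permanently in the zone, reload again to activate, then show the result.
enable_service() {
  "$FW" --reload &&
  "$FW" --permanent --zone="$2" --add-service="$1" &&
  "$FW" --reload &&
  "$FW" --zone="$2" --list-services
}

# Run directly (as root):  ./x11vnc-service.sh --install
# Adjust 5901/tcp to the port x11vnc is actually started with.
if [ "${1:-}" = "--install" ]; then
  write_service_xml x11vnc "x11vnc on a custom port" 5901/tcp &&
  enable_service x11vnc public
fi
```

    Before defining a custom service, check what the shipped one already covers with firewall-cmd --info-service=vnc-server; if the custom x11vnc port falls inside that range, the answer in post #5 (just enable vnc-server) is all that is needed. Either way, a service entry, like a bare port entry, allows that port from every source the zone accepts; if only particular hosts should reach VNC, restrict the zone's sources rather than relying on an unusual port number.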

