Hi!
Tumbleweed KDE without further repos (except Mozilla). I wanted to run an iperf server, so I had to open port 5201 in the firewall. Opening it from YaST says:
https://paste.opensuse.org/56595614
However, it opens and I could add the port 5201/TCP. Ran iperf. OK. Wanted to delete the port opening rule for 5201. Looks good in YaST (YES, the interface is in zone “public”…):
https://paste.opensuse.org/26403807
However, even after restarting firewalld or rebooting, I still can access the iperf server.
Tried to delete the rule manually:
sudo firewall-cmd --permanent --remove-port=5201/tcp
Warning: NOT_ENABLED: 5201:tcp
The firewalld service gives me:
sudo systemctl status firewalld -l
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2019-09-15 13:23:12 CEST; 12min ago
Docs: man:firewalld(1)
Main PID: 960 (firewalld)
Tasks: 2 (limit: 4915)
Memory: 48.6M
CGroup: /system.slice/firewalld.service
└─960 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid
Sep 15 13:23:10 cele0918 systemd[1]: Starting firewalld - dynamic firewall daemon...
Sep 15 13:23:12 cele0918 systemd[1]: Started firewalld - dynamic firewall daemon.
Sep 15 13:23:13 cele0918 firewalld[960]: WARNING: ip6tables not usable, disabling IPv6 firewall.
Sep 15 13:23:14 cele0918 firewalld[960]: ERROR: UNKNOWN_ERROR: 'ip6tables' backend does not exist
Sep 15 13:23:14 cele0918 firewalld[960]: WARNING: True: COMMAND_FAILED: UNKNOWN_ERROR: 'ip6tables' backend does not ex>
Sep 15 13:23:14 cele0918 firewalld[960]: ERROR: UNKNOWN_ERROR: 'ip6tables' backend does not exist
Sep 15 13:23:15 cele0918 firewalld[960]: ERROR: COMMAND_FAILED: UNKNOWN_ERROR: 'ip6tables' backend does not exist
Sep 15 13:34:29 cele0918 firewalld[960]: WARNING: NOT_ENABLED: 5201:tcp
This is what software management shows for “firewall”:
https://paste.opensuse.org/65272830
Something is broken on this install…
tsu2
September 15, 2019, 3:48pm
2
I’d guess that you can’t delete a command which wasn’t created successfully in the first place.
So, the next thing to look for is why your app seemed to work without a port successfully opened for it.
Please run the following commands and post their results…
firewall-cmd --list-all-zones
firewall-cmd --get-default-zone
Assuming that the above command verifies your default zone is public, run the following
firewall-cmd --zone=public --list-services
firewall-cmd --zone=public --list-ports
TSU
hi!
The access to port 5201 was blocked, before I opened it.
sudo firewall-cmd --list-all-zones
[sudo] password for root:
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
public (active)
target: default
icmp-block-inversion: no
interfaces: enp1s0
sources:
services: ssh vnc-server
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
trusted
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
sudo firewall-cmd --get-default-zone
public
sudo firewall-cmd --zone=public --list-services
ssh vnc-server
sudo firewall-cmd --zone=public --list-ports
i.e. the list of ports is empty, as it should be. But access to this port is open anyway. Did you see the error (first pic of initial post) when opening Firewall in YaST?
tsu2
September 15, 2019, 4:21pm
4
Saw your first pic, but that only displays an error.
What I requested is the firewall configuration, which is different.
To my eye, it looks like your firewall settings are configured correctly.
Verify your firewall is running
systemctl status firewalld
and take a closer look at how your service is configured…
The following might work
firewall-cmd --permanent --service=ssh --get-ports
firewall-cmd --permanent --service=vnc-server --get-ports
TSU
We had that already:
sudo systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2019-09-15 13:23:12 CEST; 3h 21min ago
Docs: man:firewalld(1)
Main PID: 960 (firewalld)
Tasks: 2 (limit: 4915)
Memory: 48.7M
CGroup: /system.slice/firewalld.service
└─960 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid
Sep 15 13:23:10 cele0918 systemd[1]: Starting firewalld - dynamic firewall daemon...
Sep 15 13:23:12 cele0918 systemd[1]: Started firewalld - dynamic firewall daemon.
Sep 15 13:23:13 cele0918 firewalld[960]: WARNING: ip6tables not usable, disabling IPv6 firewall.
Sep 15 13:23:14 cele0918 firewalld[960]: ERROR: UNKNOWN_ERROR: 'ip6tables' backend does not exist
Sep 15 13:23:14 cele0918 firewalld[960]: WARNING: True: COMMAND_FAILED: UNKNOWN_ERROR: 'ip6tables' backend does not ex>
Sep 15 13:23:14 cele0918 firewalld[960]: ERROR: UNKNOWN_ERROR: 'ip6tables' backend does not exist
Sep 15 13:23:15 cele0918 firewalld[960]: ERROR: COMMAND_FAILED: UNKNOWN_ERROR: 'ip6tables' backend does not exist
Sep 15 13:34:29 cele0918 firewalld[960]: WARNING: NOT_ENABLED: 5201:tcp
The firewall-cmd commands did not work, but ports are fixed via the “services” menu of firewalld in YaST, so plain vanilla ports are used.
The firewall is not running correctly, this is what the error message in pic 1 tells me, however, I have no idea how to fix it.
PS:
sudo firewall-cmd --state
failed
But in YaST Service Manager the Firewalld Service is shown as “running” and “starting on boot”.
Log file:
https://paste.opensuse.org/48439803
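As an added example (not code from this thread or from the firewalld project), here is a small POSIX shell check that combines the two things the thread turns on: tsu2's `firewall-cmd --list-all-zones` listing and the `firewall-cmd --state` result above. It parses the zone listing for the zone marked "(active)" and refuses to call the firewall healthy when `--state` is anything but `running` or the firewalld journal shows a missing backend. The sample listing and journal lines are constructed from values quoted in the thread; the function names are my own.

```shell
#!/bin/sh
# Added example, not from this thread: a small sanity check for firewalld.
# It parses `firewall-cmd --list-all-zones` output for the zone marked
# "(active)" and rates the daemon's health from `firewall-cmd --state` plus
# firewalld journal lines. All sample data below is constructed from the
# values quoted in the thread.

# Constructed sample: abbreviated `firewall-cmd --list-all-zones` output.
SAMPLE_ZONES='block
  target: %%REJECT%%
  interfaces:
  services:
  ports:

public (active)
  target: default
  interfaces: enp1s0
  services: ssh vnc-server
  ports:

trusted
  target: ACCEPT
  interfaces:
  services:
  ports:
'

# Constructed sample: journal lines of the kind the thread's systemctl output shows.
SAMPLE_JOURNAL=$(cat <<'EOF'
Sep 15 13:23:13 cele0918 firewalld[960]: WARNING: ip6tables not usable, disabling IPv6 firewall.
Sep 15 13:23:14 cele0918 firewalld[960]: ERROR: UNKNOWN_ERROR: 'ip6tables' backend does not exist
Sep 15 13:34:29 cele0918 firewalld[960]: WARNING: NOT_ENABLED: 5201:tcp
EOF
)

# active_zones ZONELISTING
# Prints one line per zone marked "(active)":
#   <zone> interfaces=[...] services=[...] ports=[...]
active_zones() {
    printf '%s\n' "$1" | awk '
        /^[^ ]/ { zone=$1; active=($0 ~ /\(active\)/); ifs=""; svc=""; ports="" }
        active && /^ +interfaces:/ { sub(/^ +interfaces: */, ""); ifs=$0 }
        active && /^ +services:/   { sub(/^ +services: */, "");   svc=$0 }
        active && /^ +ports:/      { sub(/^ +ports: */, "");      ports=$0
            printf "%s interfaces=[%s] services=[%s] ports=[%s]\n", zone, ifs, svc, ports }
    '
}

# firewall_health STATE JOURNAL
# STATE is the output of `firewall-cmd --state`; JOURNAL is text from
# `journalctl -u firewalld`. Prints one line per finding and returns 0 only
# when nothing was found. A zone listing that looks right is meaningless
# if the daemon reports "failed": the rules are then not loaded at all.
firewall_health() {
    state=$1
    journal=$2
    rc=0
    if [ "$state" != "running" ]; then
        echo "firewall-cmd --state reports '$state': zone rules are NOT enforced"
        rc=1
    fi
    if printf '%s\n' "$journal" | grep -q 'backend does not exist'; then
        echo "firewalld could not load a backend; rule application aborted"
        rc=1
    fi
    if printf '%s\n' "$journal" | grep -q 'NOT_ENABLED'; then
        echo "a --remove-port hit NOT_ENABLED: that rule was never applied"
        rc=1
    fi
    return $rc
}

# Stand-alone run on the constructed samples.
echo "active zones:"
active_zones "$SAMPLE_ZONES"
echo "health check:"
firewall_health failed "$SAMPLE_JOURNAL" || echo "=> firewall is NOT in a trustworthy state"
```

On a real host, feed it the output of `firewall-cmd --list-all-zones`, `firewall-cmd --state` and `journalctl -u firewalld --no-pager`. The point the thread illustrates is that YaST and `systemctl` report the unit as running because the Python daemon process is alive, while `firewall-cmd --state` reports the daemon's own view that rule loading failed, so a clean-looking zone listing says nothing about what the kernel is actually enforcing.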
OK, disabling IPv6 on the kernel boot line killed firewalld in the past (found it on github #491 for firewalld). But that should be fixed in June 2019, as the bug is closed. Did the patch ever make it to openSUSE?
How can firewall on productive systems have a version number starting with a ZERO? Un-be-lievable…
OMG: Has this only been fixed in the erig0 fork from firewalld?
Can anybody enlighten me? Is there an alternative firewall?
The fix is in version 0.7.1 and openSUSE TW is on 0.6.3, which was released OCT 2018. Any chance to get the latest firewalld into TW?
Tumbleweed is not the best choice for a “productive system” (assuming that you meant production system). That would be 15.x.
ANYthing you release with a firewall has to have a FUNCTIONAL firewall. It’s a pain…
For now, you could try the 0.7.1 version from the security:netfilter repo…
https://software.opensuse.org/package/firewalld
Many thanks for the suggestion, but the one-click you linked to is also 0.6.3. Any details on WHICH repo you mean?
I saw 2 “security” at http://download.opensuse.org/ … Or do I need /factory/security for TW?
tsu2
September 16, 2019, 6:45pm
13
Unless it’s mislabeled,
From the Software search,
Under Tumbleweed, click on “Show experimental packages”
From what appears, you should see a “security:netfilter” entry, the version should be 0.7.1, click on the “One-click install” button to the right.
If you really can’t find it, the following should be the link
https://software.opensuse.org/ymp/security:netfilter/openSUSE_Tumbleweed/firewalld.ymp?base=openSUSE%3AFactory&query=firewalld
TSU
Navigate to “Show firewalld for other distributions” and choose the appropriate package from the appropriate repo.
Many thanks! That worked like a charm… The repo has now been added; any problems to be expected for the next zypper dup? Any recommendations regarding priorities? BTW, the same problem should be present for LEAP users with IPv6 disabled via kernel parameter.