
Thread: Firewalld is not running cleanly - Access without rule defined (any more)

  1. #1

    Firewalld is not running cleanly - Access without rule defined (any more)

    Hi!

    Tumbleweed KDE without further repos (except Mozilla). I wanted to run an iperf server, so I had to open port 5201 in the firewall. Opening it from YaST, it says:

    https://paste.opensuse.org/56595614

    However, it opens and I could add the port 5201/TCP. Ran iperf. OK. Wanted to delete the port opening rule for 5201. Looks good in YaST (YES, the interface is in zone "public"...):

    https://paste.opensuse.org/26403807

    However, even after restarting firewalld or rebooting, I can still access the iperf server.

    Tried to delete the rule manually:

    Code:
    sudo firewall-cmd --permanent --remove-port=5201/tcp
    Warning: NOT_ENABLED: 5201:tcp
    The firewalld service gives me:

    Code:
    sudo systemctl status firewalld -l
    ● firewalld.service - firewalld - dynamic firewall daemon
       Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
       Active: active (running) since Sun 2019-09-15 13:23:12 CEST; 12min ago
         Docs: man:firewalld(1)
     Main PID: 960 (firewalld)
        Tasks: 2 (limit: 4915)
       Memory: 48.6M
       CGroup: /system.slice/firewalld.service
               └─960 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid
    
    Sep 15 13:23:10 cele0918 systemd[1]: Starting firewalld - dynamic firewall daemon...
    Sep 15 13:23:12 cele0918 systemd[1]: Started firewalld - dynamic firewall daemon.
    Sep 15 13:23:13 cele0918 firewalld[960]: WARNING: ip6tables not usable, disabling IPv6 firewall.
    Sep 15 13:23:14 cele0918 firewalld[960]: ERROR: UNKNOWN_ERROR: 'ip6tables' backend does not exist
    Sep 15 13:23:14 cele0918 firewalld[960]: WARNING: True: COMMAND_FAILED: UNKNOWN_ERROR: 'ip6tables' backend does not ex>
    Sep 15 13:23:14 cele0918 firewalld[960]: ERROR: UNKNOWN_ERROR: 'ip6tables' backend does not exist
    Sep 15 13:23:15 cele0918 firewalld[960]: ERROR: COMMAND_FAILED: UNKNOWN_ERROR: 'ip6tables' backend does not exist
    Sep 15 13:34:29 cele0918 firewalld[960]: WARNING: NOT_ENABLED: 5201:tcp
    This is what software management shows for "firewall":

    https://paste.opensuse.org/65272830

    Something is broken on this install...
    Kind regards

    raspu

  2. #2
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    11,262
    Blog Entries
    2

    Re: Firewalld is not running cleanly - Access without rule defined (any more)

    I'd guess that you can't delete a command which wasn't created successfully in the first place.
    So, the next thing to look for is why your app seemed to work without a port successfully opened for it.

    Please run the following commands and post their results...

    Code:
    firewall-cmd --list-all-zones
    firewall-cmd --get-default-zone
    Assuming that the above command verifies your default zone is public, run the following
    Code:
    firewall-cmd --zone=public --list-services
    firewall-cmd --zone=public --list-ports
    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  3. #3

    Re: Firewalld is not running cleanly - Access without rule defined (any more)

    hi!

    The access to port 5201 was blocked, before I opened it.

    Code:
    sudo firewall-cmd --list-all-zones
    [sudo] password for root: 
    block
      target: %%REJECT%%
      icmp-block-inversion: no
      interfaces: 
      sources: 
      services: 
      ports: 
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules: 
    
    
    dmz
      target: default
      icmp-block-inversion: no
      interfaces: 
      sources: 
      services: ssh
      ports: 
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules: 
    
    
    drop
      target: DROP
      icmp-block-inversion: no
      interfaces: 
      sources: 
      services: 
      ports: 
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules: 
    
    
    external
      target: default
      icmp-block-inversion: no
      interfaces: 
      sources: 
      services: ssh
      ports: 
      protocols: 
      masquerade: yes
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules: 
    
    
    home
      target: default
      icmp-block-inversion: no
      interfaces: 
      sources: 
      services: dhcpv6-client mdns samba-client ssh
      ports: 
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules: 
    
    
    internal
      target: default
      icmp-block-inversion: no
      interfaces: 
      sources: 
      services: dhcpv6-client mdns samba-client ssh
      ports: 
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules: 
    
    
    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: enp1s0
      sources: 
      services: ssh vnc-server
      ports: 
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules: 
    
    
    trusted
      target: ACCEPT
      icmp-block-inversion: no
      interfaces: 
      sources: 
      services: 
      ports: 
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules: 
    
    
    work
      target: default
      icmp-block-inversion: no
      interfaces: 
      sources: 
      services: dhcpv6-client ssh
      ports: 
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules:
    Code:
    sudo firewall-cmd --get-default-zone
    public
    Code:
    sudo firewall-cmd --zone=public --list-services
    ssh vnc-server
    Code:
    sudo firewall-cmd --zone=public --list-ports
    i.e. the list of ports is empty, as it should be. But access to this port is open anyway. Did you see the error (first pic of initial post) when opening Firewall in YaST?
    Kind regards

    raspu

  4. #4
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    11,262
    Blog Entries
    2

    Re: Firewalld is not running cleanly - Access without rule defined (any more)

    Saw your first pic, but that only displays an error.
    What I requested is the firewall configuration, which is different.

    To my eye, it looks like your firewall settings are configured correctly.
    Verify your firewall is running
    Code:
    systemctl status firewalld
    and take a closer look at how your service is configured...
    The following might work
    Code:
    sudo firewall-cmd --permanent --service=ssh --get-ports
    sudo firewall-cmd --permanent --service=vnc-server --get-ports
    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  5. #5

    Re: Firewalld is not running cleanly - Access without rule defined (any more)

    We had that already:

    Code:
    sudo systemctl status firewalld
    ● firewalld.service - firewalld - dynamic firewall daemon
       Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
       Active: active (running) since Sun 2019-09-15 13:23:12 CEST; 3h 21min ago
         Docs: man:firewalld(1)
     Main PID: 960 (firewalld)
        Tasks: 2 (limit: 4915)
       Memory: 48.7M
       CGroup: /system.slice/firewalld.service
               └─960 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid
    
    Sep 15 13:23:10 cele0918 systemd[1]: Starting firewalld - dynamic firewall daemon...
    Sep 15 13:23:12 cele0918 systemd[1]: Started firewalld - dynamic firewall daemon.
    Sep 15 13:23:13 cele0918 firewalld[960]: WARNING: ip6tables not usable, disabling IPv6 firewall.
    Sep 15 13:23:14 cele0918 firewalld[960]: ERROR: UNKNOWN_ERROR: 'ip6tables' backend does not exist
    Sep 15 13:23:14 cele0918 firewalld[960]: WARNING: True: COMMAND_FAILED: UNKNOWN_ERROR: 'ip6tables' backend does not ex>
    Sep 15 13:23:14 cele0918 firewalld[960]: ERROR: UNKNOWN_ERROR: 'ip6tables' backend does not exist
    Sep 15 13:23:15 cele0918 firewalld[960]: ERROR: COMMAND_FAILED: UNKNOWN_ERROR: 'ip6tables' backend does not exist
    Sep 15 13:34:29 cele0918 firewalld[960]: WARNING: NOT_ENABLED: 5201:tcp
    The firewall-cmd commands did not work, but ports are fixed via the "services" menu of firewalld in YaST, so plain vanilla ports are used.

    The firewall is not running correctly, this is what the error message in pic 1 tells me, however, I have no idea how to fix it.
    Kind regards

    raspu

  6. #6

    Re: Firewalld is not running cleanly - Access without rule defined (any more)

    PS:

    Code:
    sudo firewall-cmd --state
    failed
    But in YaST Service Manager the Firewalld Service is shown as "running" and "starting on boot".

    Log file:

    https://paste.opensuse.org/48439803
    Kind regards

    raspu
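    The two checks that settled this thread (the zone dump in post #3 and `firewall-cmd --state` in post #6) are worth automating, because `systemctl status` reporting "active (running)" only says the daemon process is alive, not that any rules were loaded. The script below is an added example written for this thread; it is not code from the original posts or from the firewalld project. It parses the output formats of `firewall-cmd --list-all-zones` and `firewall-cmd --state` exactly as they appear above, its parsers read stdin so they can be exercised offline on a constructed sample, and the `--live` flag is my own convention for running the same checks against the real host.

```shell
#!/bin/sh
# Added example, not code from the thread: a firewalld health check that does not
# take "systemctl status" at its word. It parses the output formats of
# "firewall-cmd --list-all-zones" and "firewall-cmd --state" as they appear in
# the thread. Parsers read stdin so they can be exercised offline on constructed
# text; the "--live" flag (my own convention) runs them against the real host.

# Print the names of zones marked "(active)" in --list-all-zones output.
active_zones() {
    awk '/^[A-Za-z0-9_-]+ \(active\)$/ { print $1 }'
}

# Print the value of one field ("ports", "services", "interfaces", ...)
# for one zone of --list-all-zones output. Usage: zone_field ZONE FIELD
zone_field() {
    awk -v zone="$1" -v field="$2" '
        /^[A-Za-z0-9_-]+( \(active\))?$/ { cur = $1; next }
        cur == zone && $1 == (field ":") {
            sub(/^[ \t]*[a-z-]+:[ \t]*/, ""); print; exit
        }'
}

# Return 0 if PORT (e.g. 5201/tcp) is absent from the "ports:" list of every
# active zone, 1 if some active zone still exposes it. Reads the zone dump on stdin.
port_closed_everywhere() {
    port="$1"; dump=$(cat)
    for z in $(printf '%s\n' "$dump" | active_zones); do
        for p in $(printf '%s\n' "$dump" | zone_field "$z" ports); do
            [ "$p" = "$port" ] && return 1
        done
    done
    return 0
}

# Map the one-word output of "firewall-cmd --state" to a verdict. Only
# "running" means the backend loaded rules; "failed" (as in the thread) or
# "not running" means the daemon process may be alive while nothing is enforced.
state_verdict() {
    case "$1" in
        running) echo enforcing ;;
        *)       echo NOT-enforcing ;;
    esac
}

# Constructed sample, abridged from the zone dump in post #3: public is the
# active zone on enp1s0 with ssh and vnc-server and no extra ports.
SAMPLE_CLEAN='block
  target: %%REJECT%%
  interfaces: 
  services: 
  ports: 

public (active)
  target: default
  interfaces: enp1s0
  services: ssh vnc-server
  ports: '
# Same dump with 5201/tcp on every ports: line (the state the OP expected to be gone).
SAMPLE_OPEN=$(printf '%s\n' "$SAMPLE_CLEAN" | sed 's|^  ports:[ ]*$|  ports: 5201/tcp|')

# Live mode: needs firewall-cmd on the host (and root for a complete answer).
if [ "${1:-}" = "--live" ] && command -v firewall-cmd >/dev/null 2>&1; then
    st=$(firewall-cmd --state 2>/dev/null || true)
    echo "firewalld --state: ${st:-<none>} -> $(state_verdict "$st")"
    dump=$(firewall-cmd --list-all-zones 2>/dev/null || true)
    for z in $(printf '%s\n' "$dump" | active_zones); do
        echo "active zone $z: interfaces=[$(printf '%s\n' "$dump" | zone_field "$z" interfaces)]" \
             "services=[$(printf '%s\n' "$dump" | zone_field "$z" services)]" \
             "ports=[$(printf '%s\n' "$dump" | zone_field "$z" ports)]"
    done
fi
```

    Run it as `sudo sh firewalld-check.sh --live`. On the host in this thread it would print `firewalld --state: failed -> NOT-enforcing` while `systemctl` still showed the unit as active, which is the condition to alert on: a firewall whose daemon is up but whose backend never loaded protects nothing, and the empty `ports:` list in the zone dump is then meaningless.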

  7. #7

    Re: Firewalld is not running cleanly - Access without rule defined (any more)

    OK, disabling IPv6 on the kernel boot line killed firewalld in the past (found it on GitHub #491 for firewalld). But that should be fixed in June 2019, as the bug is closed. Did the patch ever make it to openSUSE?

    How can firewall on productive systems have a version number starting with a ZERO? Un-be-lievable....

    OMG: Has this only been fixed in the erig0 fork from firewalld?

    Can anybody enlighten me? Is there an alternative firewall?
    Kind regards

    raspu

  8. #8

    Re: Firewalld is not running cleanly - Access without rule defined (any more)

    The fix is in version 0.7.1 and openSUSE TW is on 0.6.3, which was released OCT 2018. Any chance to get the latest firewalld into TW?
    Kind regards

    raspu

  9. #9
    Join Date
    Jun 2008
    Location
    Belleville, Ontario, Canada
    Posts
    445

    Re: Firewalld is not running cleanly - Access without rule defined (any more)

    Quote Originally Posted by suse_rasputin:

        How can firewall on productive systems

    Tumbleweed is not the best choice for a "productive system" (assuming that you meant production system). That would be 15.x.
    "Making rich people richer doesn't make the rest of us richer." Ha-Joon Chang
    openSUSE 15.1 4.12.14-lp151.28.16-default x64

  10. #10

    Re: Firewalld is not running cleanly - Access without rule defined (any more)

    ANYthing you release with a firewall has to have a FUNCTIONAL firewall. It's a pain...
    Kind regards

    raspu
