
Thread: Firewalld manual and examples not what I expected.

  1. #1

    Firewalld manual and examples not what I expected.

    I am trying to get to grips with the firewall on Tumbleweed.

    Last time I tried configuring the firewall I was not using Tumbleweed. I remember the firewalld as described in the manual and GUI manual. This was on an earlier openSUSE version (15.0 or earlier). Now I am on Tumbleweed and am trying to understand it so I can get minimserver working again, and it all looks different. Please could somebody point me towards the correct idiot's guide to get me started.
    Regards,
    Budgie2

  2. #2

    Re: Firewalld manual and examples not what I expected.

    Quote Originally Posted by Budgie2:
    I am trying to get to grips with the firewall on Tumbleweed.

    Last time I tried configuring the firewall I was not using Tumbleweed. I remember the firewalld as described in the manual and GUI manual. This was on an earlier openSUSE version (15.0 or earlier). Now I am on Tumbleweed and am trying to understand it so I can get minimserver working again, and it all looks different. Please could somebody point me towards the correct idiot's guide to get me started.
    Regards,
    Budgie2
    Hi
    YaST and firewall config? If the package is packaged with a firewalld service, then it should appear in the list of applications to allow... or do you know which ports need to be open? Else turn off the firewall and from another computer nmap the system running minimserver to see what it's using.
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!

  3. #3

    Re: Firewalld manual and examples not what I expected.

    Up until LEAP 42.3, you were probably using the simpler SuSEFW2.
    Since then, we've been using the more complex but also more capable firewalld.
    When I have a question about firewalld, I usually reach for the online documentation

    https://firewalld.org/documentation/

    If you have specific questions, go ahead and post...

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  4. #4

    Re: Firewalld manual and examples not what I expected.

    Quote Originally Posted by tsu2:
    Up until LEAP 42.3, you were probably using the simpler SuSEFW2.
    Since then, we've been using the more complex but also more capable firewalld.
    When I have a question about firewalld, I usually reach for the online documentation

    https://firewalld.org/documentation/

    If you have specific questions, go ahead and post...

    TSU
    Hi
    Way too complicated. I installed synergy for my virtual machines, went into YaST firewall, looked in the list for the home zone, added synergy to the home zone, and done <shrug>
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)

  5. #5

    Re: Firewalld manual and examples not what I expected.

    Quote Originally Posted by malcolmlewis:
    Hi
    Way too complicated. I installed synergy for my virtual machines, went into YaST firewall, looked in the list for the home zone, added synergy to the home zone, and done <shrug>
    All depends on what your needs are.
    If the service you want to expose is pre-defined, then it's easy.
    Or at least, not terribly difficult to understand if you at least understand temporary runtime mode and how to make your settings persistent.

    TSU

  6. #6

    Re: Firewalld manual and examples not what I expected.

    Quote Originally Posted by tsu2:
    All depends on what your needs are.
    If the service you want to expose is pre-defined, then it's easy.
    Or at least, not terribly difficult to understand if you at least understand temporary runtime mode and how to make your settings persistent.

    TSU
    Hi
    If it's an openSUSE package from a development repo, it is done (if not, a bug report should be created).
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)

  7. #7

    Re: Firewalld manual and examples not what I expected.

    Quote Originally Posted by malcolmlewis:
    Hi
    If it's an openSUSE package from a development repo, it is done (if not, a bug report should be created).
    I hadn't looked at this new YaST module for a while...
    With what is in an updated TW I see something new that replaces the very complicated firewall-config.

    Looks like it's an attempt to provide a very simple interface for firewall configuration.
    Problem for me is...
    It strips out all levels of complexity, so you're left with only a very flat level of accessibility; it's now lacking in a serious way features which are common in all FW configurations... like...
    - Some way of looking at exactly what a service does or doesn't do. At least in the YaST module, all you can see is the name (label) of the service; no way to know what ports are opened or blocked.
    - No way to create a new service, only open ports. This will generally mean that the custom configuration you create will only be known by the ports you open, and you might not remember later why and for what reason you opened those ports.

    The two "services" I specifically looked for to evaluate whether the firewall configuration "is sufficient" are two I feel are the most complex I've had to configure... AMANDA and SIP, plus the well known FTP PASV I assume is so standard it just has to be there. In all three instances, the current tool fails.

    There are AMANDA client and AMANDA kerberos client configurations, but no AMANDA server configuration. I guess someone thinks that no one will run AMANDA server on openSUSE (although it's in the OSS). AMANDA is very hard to configure because it requires configuring secondary ports and you may want to enable stateful inspection to dynamically open the secondary ports instead of leaving them open all the time.

    There is no entry for SIP. So I guess people are going to have to configure settings for their SIP softphones manually. SIP is a complex protocol that involves control, location and multimedia (audio and/or video), each likely handled differently on different ports, so, like AMANDA, it can be helpful if pre-configured.

    There is an entry for FTP, but as I described above, there is no hint whether the configuration supports Active (ports 21 and 20) or PASV (ports 21 and a defined range of secondary ports).

    The YaST module is a good idea and removes a tremendous amount of complexity from the firewall-config tool, but as it now exists it looks like a lot of details are not addressed... It needs to be reviewed and debugged/improved at least to what is commonly found in a minimal FW tool... maybe the previous SuSEFW2 tool should be the standard the new tool should at least try to achieve (but of course incorporating new available features not exposed by the old tool).

    IMO,
    TSU

  8. #8

    Re: Firewalld manual and examples not what I expected.

    Quote Originally Posted by tsu2:
    I hadn't looked at this new YaST module for a while...
    With what is in an updated TW I see something new that replaces the very complicated firewall-config.

    Looks like it's an attempt to provide a very simple interface for firewall configuration.
    Problem for me is...
    It strips out all levels of complexity, so you're left with only a very flat level of accessibility; it's now lacking in a serious way features which are common in all FW configurations... like...
    - Some way of looking at exactly what a service does or doesn't do. At least in the YaST module, all you can see is the name (label) of the service; no way to know what ports are opened or blocked.
    - No way to create a new service, only open ports. This will generally mean that the custom configuration you create will only be known by the ports you open, and you might not remember later why and for what reason you opened those ports.
    I agree with your assessment, but I see (=assume) the YaST module is work in progress, and for most competent users firewall-config would likely be considered the most effective graphical utility to use. IMHO, firewall-config tool is not difficult to use for "typical" use cases.
    openSUSE Leap 15.1; KDE Plasma 5

  9. #9

    Re: Firewalld manual and examples not what I expected.

    Quote Originally Posted by malcolmlewis:
    Hi
    YaST and firewall config? If the package is packaged with a firewalld service, then it should appear in the list of applications to allow... or do you know which ports need to be open? Else turn off the firewall and from another computer nmap the system running minimserver to see what it's using.
    Hi Malcolm,
    Been busy on other stuff, but I liked your suggestion, or rather the idea, but I will need help understanding, please. I can turn off the firewall on this computer, which is the one I want to use eventually to access the application running on the NAS.
    I have a laptop on which I can run nmap but seek your guidance on how to find the information I shall need. Will make a start with nmap and see how I get on.

  10. #10

    Re: Firewalld manual and examples not what I expected.

    Hi Malcolm, here are the findings of my very simple scan. .224 is the address of the workstation and .130 is the address of the NAS.
    With firewall running I get:

    Code:
    alastair@AJBR-W530:~> nmap 192.168.169.224
    Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-13 18:18 BST
    Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
    Nmap done: 1 IP address (0 hosts up) scanned in 0.04 seconds
    And the NAS:-

    Code:
    alastair@AJBR-W530:~> nmap 192.168.169.130
    Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-13 18:19 BST
    Nmap scan report for 192.168.169.130
    Host is up (0.0069s latency).
    Not shown: 987 closed ports
    PORT      STATE SERVICE
    21/tcp    open  ftp
    22/tcp    open  ssh
    80/tcp    open  http
    111/tcp   open  rpcbind
    139/tcp   open  netbios-ssn
    443/tcp   open  https
    445/tcp   open  microsoft-ds
    631/tcp   open  ipp
    873/tcp   open  rsync
    2049/tcp  open  nfs
    8080/tcp  open  http-proxy
    9000/tcp  open  cslistener
    30000/tcp open  ndmps
    
    Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
    alastair@AJBR-W530:~>
    With firewall off I get:-

    Code:
    alastair@AJBR-W530:~> nmap 192.168.169.224
    Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-13 18:21 BST
    Nmap scan report for 192.168.169.224
    Host is up (0.0063s latency).
    All 1000 scanned ports on 192.168.169.224 are closed
    
    Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
    alastair@AJBR-W530:~>
    I do not understand why this tells me all the ports are closed because with the FW inactive my application can see the NAS and works.

    I shall need a bit of help with the zones and interfaces here too as I am not sure which I should be trying to set.

    Grateful for your help when you have a moment.
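Added example, not from the thread or from firewalld itself: a POSIX shell script that covers the two gaps TSU lists in #7 (seeing what a firewalld service actually opens, and defining a new service rather than bare ports) together with the zone question in #10, using firewall-cmd's real --info-service, --new-service-from-file, --add-service and --runtime-to-permanent options. The service name "minimserver" and the ports 9790/tcp and 1900/udp are placeholders not taken from this page, and install_service only documents the steps on the openSUSE host; the script itself never calls firewall-cmd.

```shell
#!/bin/sh
# Added example, not from the thread. Generates a firewalld service definition
# in the same XML format as /usr/lib/firewalld/services/*.xml, so the custom
# rule is named and documented instead of being a bare list of opened ports.
# Service name and ports below are placeholders; verify them against the
# application's own documentation before use.

# service_xml NAME "DESCRIPTION" PORT/PROTO [PORT/PROTO ...]  -> XML on stdout
service_xml() {
    name=$1; desc=$2; shift 2
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n  <description>%s</description>\n' "$name" "$desc"
    for pp in "$@"; do
        # "9790/tcp" -> port 9790, protocol tcp
        printf '  <port protocol="%s" port="%s"/>\n' "${pp#*/}" "${pp%/*}"
    done
    printf '</service>\n'
}

# count_ports < service.xml -> number of <port .../> entries, i.e. what a
# service label really opens (the detail the YaST module does not show).
count_ports() { grep -c '<port ' ; }

# Steps for the openSUSE host (root, firewalld running); not run by this script.
install_service() {   # install_service NAME FILE
    firewall-cmd --get-active-zones               # which zone holds the LAN interface?
    firewall-cmd --info-service=ftp               # built-in service: port 21 plus the ftp conntrack helper
    firewall-cmd --permanent --new-service-from-file="$2" --name="$1"
    firewall-cmd --reload                         # make the new service known
    firewall-cmd --zone=home --add-service="$1"   # runtime only: gone after reboot
    firewall-cmd --runtime-to-permanent           # persist the runtime change
    firewall-cmd --zone=home --list-all           # confirm the service is listed
}

tmp=$(mktemp)
service_xml minimserver "MinimServer (placeholder ports)" 9790/tcp 1900/udp > "$tmp"
echo "minimserver definition opens $(count_ports < "$tmp") port(s); file: $tmp"
```

Once the XML is checked, run install_service minimserver "$tmp" as root on the Tumbleweed box, substituting the zone that --get-active-zones reports for the LAN interface if it is not home.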

