Page 2 of 2 (results 11 to 20 of 20)

Thread: Routing mystery/misunderstanding

  1. #11
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    29,489

    Default Re: Routing mystery/misunderstanding

    Quote Originally Posted by JM View Post
    Yast2 - services manager says:
    Code:
    * firewalld.service - firewalld - dynamic firewall daemon
         Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
         Active: active (running) since Fri 2021-09-17 04:38:40 EEST; 5h 51min ago
           Docs: man:firewalld(1)
       Main PID: 1154 (firewalld)
          Tasks: 2 (limit: 4915)
         CGroup: /system.slice/firewalld.service
                 `-1154 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid
    From the above I guess it is active (if Yast is to be trusted).
    Well, YaST only copied the output of
    Code:
    systemctl status firewalld.service
    Thus it is innocent, whatever you see.
    Henk van Velden

  2. #12
    Join Date
    Sep 2021
    Posts
    11

    Default Re: Routing mystery/misunderstanding

    Kind of what I guessed. So, this, at least, is correct.

  3. #13
    Join Date
    Sep 2021
    Posts
    11

    Default Re: Routing mystery/misunderstanding

    About the files mentioned in sysctl.conf

    /boot/sysctl.conf-<kernelversion> contains nothing I understand has anything to do with network (as one might expect)
    /lib/sysctl.d/ doesn't exist
    /usr/lib/sysctl.d/ - - HA!
    - 51-network.conf:
    Code:
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.default.accept_redirects = 0
    net.ipv4.conf.all.accept_source_route = 0
    net.ipv4.conf.default.accept_source_route = 0
    net.ipv6.conf.all.accept_redirects = 0
    net.ipv6.conf.default.accept_redirects = 0
    All zero, nothing accepted, so looks good(?)
    But:
    - 50-default.conf
    Code:
    #
    # Distribution defaults.
    # Use /etc/sysctl.conf to override.
    #
    # Disable response to broadcast pings to avoid smurf attacks.
    net.ipv4.icmp_echo_ignore_broadcasts = 1
    
    
    # enable route verification on all interfaces
    net.ipv4.conf.all.rp_filter = 2
    
    
    # avoid deleting secondary IPs on deleting the primary IP
    net.ipv4.conf.default.promote_secondaries = 1
    net.ipv4.conf.all.promote_secondaries = 1
    
    
    # disable IPv6 completely
    #net.ipv6.conf.all.disable_ipv6 = 1
    
    
    # enable IPv6 forwarding
    #net.ipv6.conf.all.forwarding = 1
    
    
    # enable IPv6 privacy but do not use the temporary
    # addresses for outgoing connections by default
    # (bsc#678066,bsc#752842,bsc#988023,bsc#990838)
    net.ipv6.conf.default.use_tempaddr = 1
    
    
    # increase the number of possible inotify(7) watches
    fs.inotify.max_user_watches = 65536
    
    
    # Magic SysRq Keys enable some control over the system even if it
    # crashes (e.g. during kernel debugging).
    #
    #   0 - disable sysrq completely
    #   1 - enable all functions of sysrq
    #  >1 - bitmask of allowed sysrq functions:
    #          2 - enable control of console logging level
    #          4 - enable control of keyboard (SAK, unraw)
    #          8 - enable debugging dumps of processes etc.
    #         16 - enable sync command
    #         32 - enable remount read-only
    #         64 - enable signalling of processes (term, kill, oom-kill)
    #        128 - allow reboot/poweroff
    #        256 - allow nicing of all RT tasks
    #
    # For further information see /usr/src/linux/Documentation/sysrq.txt
    # default 184 = 128+32+16+8
    kernel.sysrq = 184
    
    
    # enable hard- and symlink protection (bnc#821585)
    fs.protected_hardlinks = 1
    fs.protected_symlinks = 1
    
    
    # restrict printed kernel ptrs (bnc#833774)
    kernel.kptr_restrict = 1
    Quite obviously (or maybe) related to the problem, but I don't actually know what to do with this.
    Write overrides to /etc/sysctl.conf, yes, but what exactly?
    Maybe uncomment here the line "net.ipv6.conf.all.disable_ipv6 = 1", to get rid of IPv6 completely (although that's not causing my routing problem)?
    The lines concerning IPv4 don't quite "open" to me.

    Anyway, digging further...
    /usr/local/lib/ - empty
    /etc/sysctl.d/ - as mentioned, only the Yast file
    /run/sysctl.d/ - doesn't exist

  4. #14
    Join Date
    Sep 2012
    Posts
    6,972

    Default Re: Routing mystery/misunderstanding

    Quote Originally Posted by JM View Post
    About /etc/sysctl.d:
    The directory contains a file "70-yast.conf", with content:
    Code:
    net.ipv4.ip_forward = 0
    net.ipv6.conf.all.forwarding = 0
    net.ipv6.conf.all.disable_ipv6 = 1
    -which looks to me like what I wanted to get (no forwarding, no IPv6)
    This file is read once on system boot. As I already said, anyone and any program can at any time change any sysctl value.
    Code:
    * firewalld.service - firewalld - dynamic firewall daemon
         Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
         Active: active (running) since Fri 2021-09-17 04:38:40 EEST; 5h 51min ago
    Please show output of
    Code:
    firewall-cmd --get-default-zone
    firewall-cmd --get-active-zones
    firewall-cmd --list-all-zones

  5. #15
    Join Date
    Sep 2021
    Posts
    11

    Default Re: Routing mystery/misunderstanding

    About 70-yast.conf:
    So this is not necessarily what was read at system boot? The file time stamp says it was last modified yesterday, about the time I last fiddled with these settings with Yast, though. Shouldn't it show if the file was modified after that, i.e. after booting this morning?



    Quote Originally Posted by arvidjaar View Post
    This file is read once on system boot. As I already said, anyone and any program can at any time change any sysctl value.

    Please show output of
    Code:
    firewall-cmd --get-default-zone
    public

    firewall-cmd --get-active-zones
    docker
    interfaces: docker0
    external
    interfaces: eth1_WW
    internal
    interfaces: eth0_LAN

    firewall-cmd --list-all-zones
    block
    target: %%REJECT%%
    icmp-block-inversion: no
    interfaces:
    sources:
    services:
    ports:
    protocols:
    forward: no
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:

    dmz
    target: default
    icmp-block-inversion: no
    interfaces:
    sources:
    services: ssh
    ports:
    protocols:
    forward: no
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:

    docker (active)
    target: ACCEPT
    icmp-block-inversion: no
    interfaces: docker0
    sources:
    services:
    ports:
    protocols:
    forward: no
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:

    drop
    target: DROP
    icmp-block-inversion: no
    interfaces:
    sources:
    services:
    ports:
    protocols:
    forward: no
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:

    external (active)
    target: default
    icmp-block-inversion: no
    interfaces: eth1_WW
    sources:
    services: ssh
    ports:
    protocols:
    forward: no
    masquerade: yes
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:

    home
    target: default
    icmp-block-inversion: no
    interfaces:
    sources:
    services: dhcpv6-client mdns samba-client ssh
    ports:
    protocols:
    forward: no
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:

    internal (active)
    target: default
    icmp-block-inversion: no
    interfaces: eth0_LAN
    sources:
    services: dhcpv6-client mdns nfs nfs3 rpc-bind samba samba-client samba-dc ssh
    ports:
    protocols:
    forward: no
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:

    public
    target: default
    icmp-block-inversion: no
    interfaces:
    sources:
    services: dhcpv6-client
    ports:
    protocols:
    forward: no
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:

    trusted
    target: ACCEPT
    icmp-block-inversion: no
    interfaces:
    sources:
    services:
    ports:
    protocols:
    forward: no
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:

    work
    target: default
    icmp-block-inversion: no
    interfaces:
    sources:
    services: dhcpv6-client ssh
    ports:
    protocols:
    forward: no
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:

    "forward: no" on all, masquerade: no on all except on "external". Is this the cause?

  6. #16
    Join Date
    Sep 2012
    Posts
    6,972

    Default Re: Routing mystery/misunderstanding

    Quote Originally Posted by JM View Post
    About 70-yast.conf:
    So this is not necessarily what was read at system boot? The file time stamp says it was last modified yesterday, about the time I last fiddled with these settings with Yast, though. Shouldn't it show if the file was modified after that, i.e. after booting this morning?
    I do not understand this question. File timestamp is when YaST wrote this file.
    "forward: no" on all, masquerade: no on all except on "external". Is this the cause?
    Yes. Somehow you managed to include all output inside [quote]...[/quote] tags, so it is not included on reply and I cannot quote it. But if masquerading is enabled in one of the active or default zones, firewalld automatically turns on forwarding. Firewalld runs after the sysctl files have been processed, so it overrides whatever was set by YaST.
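The two things the thread turns on are (a) which firewalld zone is switching forwarding on behind the sysctl files' back, and (b) what the sysctl.d fragments from posts #13 and #14 would have set by themselves, given the precedence rules those files follow. The script below is an added example, not code from the thread, from firewalld or from openSUSE. The zone dump inside it is a constructed, trimmed copy of the `firewall-cmd --list-all-zones` output shown above, the sysctl.d tree it builds under a temporary directory is constructed to mirror the posted files, and the function names (`forwarding_zones`, `sysctl_d_value`, `live_value`) are my own. The precedence emulation follows sysctl.d(5) but is a simplification: it ignores /etc/sysctl.conf, glob keys and the `-` no-error prefix.

```shell
#!/bin/bash
# Added example (not from the thread, firewalld or openSUSE).
#   1. list the ACTIVE firewalld zones with forward/masquerade enabled
#      (firewalld turns on kernel forwarding for masquerading zones);
#   2. compute what the sysctl.d fragments alone would set, emulating the
#      precedence rules of sysctl.d(5), and show it next to the live value.
# The zone dump and the sysctl.d tree below are constructed for the demo.

# ---- 1. constructed, trimmed `firewall-cmd --list-all-zones` output ---------
ZONE_DUMP='docker (active)
  target: ACCEPT
  interfaces: docker0
  forward: no
  masquerade: no

external (active)
  target: default
  interfaces: eth1_WW
  services: ssh
  forward: no
  masquerade: yes

internal (active)
  target: default
  interfaces: eth0_LAN
  forward: no
  masquerade: no

public
  target: default
  forward: no
  masquerade: no
'

# Print "<zone> <interfaces>" for every active zone whose forward or
# masquerade flag is yes. Reads the dump on stdin, so on a real host:
#   firewall-cmd --list-all-zones | forwarding_zones
forwarding_zones() {
    awk '
        /^[^ ]/          { zone = $1; active = ($2 == "(active)"); ifaces = ""; next }
        /^  interfaces:/ { sub(/^  interfaces: */, ""); ifaces = $0; next }
        /^  (forward|masquerade): yes/ { if (active) hit[zone] = ifaces }
        END              { for (z in hit) print z, hit[z] }
    ' | sort
}

# ---- 2. what would sysctl.d have applied? ----------------------------------
# Directories are given in priority order. A basename in an earlier directory
# masks the same basename in later ones, the surviving files are applied in
# lexical order, and the last assignment of KEY wins (sysctl.d(5)).
sysctl_d_value() {
    local key=$1 k val="" name d f v
    shift
    k=$(printf '%s' "$key" | sed 's/\./\\./g')     # make the dots literal for sed
    for name in $(for d in "$@"; do [ -d "$d" ] && ls "$d"; done | grep '\.conf$' | sort -u); do
        for d in "$@"; do
            f="$d/$name"
            [ -f "$f" ] || continue
            v=$(sed -n "s/^[[:space:]]*$k[[:space:]]*=[[:space:]]*//p" "$f" | tail -n 1 | sed 's/[[:space:]]*$//')
            [ -n "$v" ] && val=$v
            break        # first directory holding this basename masks the rest
        done
    done
    printf '%s\n' "$val"
}

# Live kernel value, e.g. /proc/sys/net/ipv4/ip_forward (fails off Linux).
live_value() {
    cat "/proc/sys/$(printf '%s' "$1" | tr . /)" 2>/dev/null
}

# Constructed tree mirroring the thread: the vendor file leaves IPv6 forwarding
# commented out, YaST's file turns forwarding off, and a same-named file under
# etc masks the vendor rp_filter setting to show the masking rule.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/usr/lib/sysctl.d" "$demo_dir/etc/sysctl.d"
cat > "$demo_dir/usr/lib/sysctl.d/50-default.conf" <<'EOF'
# enable route verification on all interfaces
net.ipv4.conf.all.rp_filter = 2
# enable IPv6 forwarding
#net.ipv6.conf.all.forwarding = 1
EOF
cat > "$demo_dir/etc/sysctl.d/50-default.conf" <<'EOF'
net.ipv4.conf.all.rp_filter = 1
EOF
cat > "$demo_dir/etc/sysctl.d/70-yast.conf" <<'EOF'
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.disable_ipv6 = 1
EOF
# Real host: /etc/sysctl.d /run/sysctl.d /usr/local/lib/sysctl.d /usr/lib/sysctl.d /lib/sysctl.d
SYSCTL_DIRS="$demo_dir/etc/sysctl.d $demo_dir/usr/lib/sysctl.d"

echo "active zones that enable forwarding/masquerading:"
printf '%s' "$ZONE_DUMP" | forwarding_zones
for key in net.ipv4.ip_forward net.ipv6.conf.all.forwarding net.ipv4.conf.all.rp_filter; do
    printf '%-32s sysctl.d: %-4s kernel: %s\n' "$key" \
        "$(sysctl_d_value "$key" $SYSCTL_DIRS)" "$(live_value "$key" || echo n/a)"
done
```

On the real box, pipe the actual `firewall-cmd --list-all-zones` into `forwarding_zones` and call `sysctl_d_value` with the real directory list from the comment; a zone listed with `masquerade: yes` explains a live `net.ipv4.ip_forward = 1` even though every file says 0. If the masquerading on `external` is not wanted, `firewall-cmd --permanent --zone=external --remove-masquerade && firewall-cmd --reload` removes it (these are standard firewall-cmd options); re-check the live value afterwards, because firewalld set it at runtime and the sysctl.d files are only applied at boot.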

  7. #17
    Join Date
    Sep 2021
    Posts
    11

    Default Re: Routing mystery/misunderstanding

    Returning to manual quoting until I learn to use this forum.
    Fascinating what you can achieve when you don't know what you're doing...

    "As I already said, anyone and any program can at any time change any sysctl value."
    -I thought you meant that this file possibly/probably has been changed by someone/something without me knowing it. But obviously it was not.

    So, if I get the hang of this new-to-me "firewall-config", I will find a way to change this setting?
    Or, as the setting probably comes from some config file (/etc/firewalld/firewalld.conf seems not to be the one), by editing the config file directly. If I find it...

  8. #18
    Join Date
    Feb 2010
    Location
    Germany
    Posts
    4,456

    Default Re: Routing mystery/misunderstanding

    Quote Originally Posted by JM View Post
    The file time stamp says it was last modified yesterday,
    Please be careful with respect to *NIX file timestamps –
    • If the “noatime” mount option is set, then the timestamp related to “time of day last accessed” will not be written …

    Code:
     > LANG=C stat /etc/sysctl.d/70-yast.conf 
      File: /etc/sysctl.d/70-yast.conf
      Size: 109             Blocks: 8          IO Block: 4096   regular file
    Device: 802h/2050d      Inode: 4064905     Links: 1
    Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
    Access: 2021-07-14 15:34:27.359950528 +0200
    Modify: 2021-07-14 15:34:04.195950844 +0200
    Change: 2021-07-14 15:34:04.195950844 +0200
     Birth: 2020-08-18 15:20:44.268000052 +0200
     >
    The only indication of when the file was last read is the timestamps related to the “systemd-sysctl.service” …

  9. #19
    Join Date
    Sep 2021
    Posts
    11

    Default Re: Routing mystery/misunderstanding

    dcurtisfra:
    OK, understood (somehow...).
    Thanks

  10. #20
    Join Date
    Sep 2021
    Posts
    11

    Default Re: Routing mystery/misunderstanding

    "So, if I get a hang of this new-to-me "firewall-config", I will find a way to change this setting?"

    Well, there it is, staring right at your face.

    Code:
    staticlx153:~ # firewall-cmd --list-all-zones
    block
      target: %%REJECT%%
      icmp-block-inversion: no
      interfaces:  
      sources:  
      services:  
      ports:  
      protocols:  
      forward: no
      masquerade: no
      forward-ports:  
      source-ports:  
      icmp-blocks:  
      rich rules:  
    
    dmz
      target: default
      icmp-block-inversion: no
      interfaces:  
      sources:  
      services: ssh
      ports:  
      protocols:  
      forward: no
      masquerade: no
      forward-ports:  
      source-ports:  
      icmp-blocks:  
      rich rules:  
    
    docker (active)
      target: ACCEPT
      icmp-block-inversion: no
      interfaces: docker0
      sources:  
      services:  
      ports:  
      protocols:  
      forward: no
      masquerade: no
      forward-ports:  
      source-ports:  
      icmp-blocks:  
      rich rules:  
    
    drop
      target: DROP
      icmp-block-inversion: no
      interfaces:  
      sources:  
      services:  
      ports:  
      protocols:  
      forward: no
      masquerade: no
      forward-ports:  
      source-ports:  
      icmp-blocks:  
      rich rules:  
    
    external (active)
      target: default
      icmp-block-inversion: no
      interfaces: eth1_WW
      sources:  
      services: ssh
      ports:  
      protocols:  
      forward: no
      masquerade: no
      forward-ports:  
      source-ports:  
      icmp-blocks:  
      rich rules:  
    
    home
      target: default
      icmp-block-inversion: no
      interfaces:  
      sources:  
      services: dhcpv6-client mdns samba-client ssh
      ports:  
      protocols:  
      forward: no
      masquerade: no
      forward-ports:  
      source-ports:  
      icmp-blocks:  
      rich rules:  
    
    internal (active)
      target: default
      icmp-block-inversion: no
      interfaces: eth0_LAN
      sources:  
      services: dhcpv6-client mdns nfs nfs3 rpc-bind samba samba-client samba-dc ssh
      ports:  
      protocols:  
      forward: no
      masquerade: no
      forward-ports:  
      source-ports:  
      icmp-blocks:  
      rich rules:  
    
    public
      target: default
      icmp-block-inversion: no
      interfaces:  
      sources:  
      services: dhcpv6-client
      ports:  
      protocols:  
      forward: no
      masquerade: no
      forward-ports:  
      source-ports:  
      icmp-blocks:  
      rich rules:  
    
    trusted
      target: ACCEPT
      icmp-block-inversion: no
      interfaces:  
      sources:  
      services:  
      ports:  
      protocols:  
      forward: no
      masquerade: no
      forward-ports:  
      source-ports:  
      icmp-blocks:  
      rich rules:  
    
    work
      target: default
      icmp-block-inversion: no
      interfaces:  
      sources:  
      services: dhcpv6-client ssh
      ports:  
      protocols:  
      forward: no
      masquerade: no
      forward-ports:  
      source-ports:  
      icmp-blocks:  
      rich rules:
    Looks like problem solved.
    Thanks everyone

