In an earlier exercise to get a 3D printer app to connect to the printer, I (unsuccessfully) made some changes to my YaST Firewall. I am now revisiting that exercise to do the job properly.
However, I still have (an unknown) number of changes in the config files.
How do I clear out all the old dross and go back to defaults?
Regards, Martin
Questions:
- which “Zone(s)” do your Interfaces use?
- you understand that only the RIGHT column (“Allowed”) is relevant?
… and I understand nothing!
output of ip a ?
mprowe@Gzunder:~> ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether c8:7f:54:5a:b6:a1 brd ff:ff:ff:ff:ff:ff
altname eno1
altname enp5s0
inet 192.168.0.235/24 brd 192.168.0.255 scope global dynamic noprefixroute eth0
valid_lft 42443sec preferred_lft 42443sec
inet6 fd2a:a478:e283::d1e/128 scope global dynamic noprefixroute
valid_lft 42444sec preferred_lft 42444sec
inet6 fd77:643:e0a2:0:3bb6:d575:981c:e33c/64 scope global temporary dynamic
valid_lft 604044sec preferred_lft 85054sec
inet6 fd77:643:e0a2:0:d62c:de7d:bbe:81be/64 scope global mngtmpaddr noprefixroute
valid_lft forever preferred_lft forever
inet6 fd2a:a478:e283:0:56fb:b929:383:8ee6/64 scope global temporary dynamic
valid_lft 604044sec preferred_lft 85054sec
inet6 fd2a:a478:e283:0:7771:a83a:7b05:542d/64 scope global mngtmpaddr noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::9003:6e18:3b3d:2f18/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 52:90:b7:29:57:30 brd ff:ff:ff:ff:ff:ff permaddr c4:bd:e5:7e:d1:8c
altname wlp0s20f3
mprowe@Gzunder:~>
Stop firewalld and delete files under /etc/firewalld/{zones,services,...}.
And what exactly is your question?
Thanks.
Are the ellipses “…” a placeholder? Am I clearing out ALL the contents of /etc/firewalld/?
Yes.
No. You are clearing the contents of the subdirectories in /etc/firewalld.
You have to do this per-zone and/or for your default zone:
# get default zone
sudo firewall-cmd --get-default-zone
# Output is "public" for me, maybe something else like "home" for you
# reset zone to default
sudo firewall-cmd --load-zone-defaults=public
# reload firewalld
sudo firewall-cmd --reload
Not going well…
mprowe@Gzunder:~> sudo firewall-cmd --get-default-zone
[sudo] password for root:
public
mprowe@Gzunder:~> sudo firewall-cmd --load-zone-defaults=public
usage: see firewall-cmd man page
Option can be used only with --permanent.
mprowe@Gzunder:~> sudo firewall-cmd --load-zone-defaults=public --permanent
Error: NO_DEFAULTS: public
mprowe@Gzunder:~>
This simply means that zone public was not customized. Yes, error message could have been better.
My bad, I forgot to add permanent to the command.
Updated/fixed steps:
# get all active zones
# each zone will be assigned to one or more interfaces like ethernet, wifi, etc.
# the default zone will have it shown in parentheses next to the zone name.
sudo firewall-cmd --get-active-zones
# reset each zone to default
# here I'm resetting the zone named "public" to its defaults
sudo firewall-cmd --load-zone-defaults=public --permanent
# reload firewalld for changes to take effect
sudo firewall-cmd --reload
It only resets zones, but not any other firewalld object (like service). And it only resets the currently active zones, which depend on which interface is up.
Hmm, this is right.
Maybe deleting everything in /etc/firewalld/services
and others after backing it up is the only way…
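Putting the corrected steps from the post above into one script, and covering the two gaps just raised (only active zones are reset, and other firewalld objects are not touched), as an added example that is not from any post in this thread: it resets every zone firewalld knows rather than only the active ones, treats the NO_DEFAULTS reply as "nothing to reset", and then lists which files under /etc/firewalld still shadow the packaged defaults in /usr/lib/firewalld, since firewall-cmd has no single "reset everything" switch for those. It assumes firewalld's firewall-cmd; --get-active-zones, --get-zones, --permanent --load-zone-defaults and --reload are the real options used in the thread. FIREWALL_CMD, ETC_DIR and LIB_DIR are knobs introduced here so a wrapper or test stub can stand in for the real command and directories.

```shell
#!/bin/sh
# Added example, not from the thread: reset firewalld zones to packaged
# defaults and report what else in /etc/firewalld still overrides
# /usr/lib/firewalld. FIREWALL_CMD/ETC_DIR/LIB_DIR are assumed knobs.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"
ETC_DIR="${ETC_DIR:-/etc/firewalld}"
LIB_DIR="${LIB_DIR:-/usr/lib/firewalld}"

# Print zone names, one per line, from `firewall-cmd --get-active-zones`
# output. Zone names are unindented (the default zone carries a trailing
# "(default)"); the indented "interfaces:"/"sources:" lines are skipped.
parse_active_zones() {
    printf '%s\n' "$1" | awk '/^[^ \t]/ { print $1 }'
}

# Permanently reset one zone. firewalld answers NO_DEFAULTS when the zone was
# never customized (no /etc/firewalld/zones/<zone>.xml), which is not an error.
reset_zone() {
    _zone="$1"
    if _out=$("$FIREWALL_CMD" --permanent --load-zone-defaults="$_zone" 2>&1); then
        echo "$_zone: reset to defaults"
        return 0
    fi
    case "$_out" in
        *NO_DEFAULTS*) echo "$_zone: already at defaults"; return 0 ;;
        *) echo "$_zone: $_out" >&2; return 1 ;;
    esac
}

# Reset every zone firewalld knows (not only the active ones), then reload so
# the permanent configuration becomes the runtime one.
reset_all_zones() {
    _zones=$("$FIREWALL_CMD" --get-zones)   # space-separated list
    _rc=0
    for _z in $_zones; do
        reset_zone "$_z" || _rc=1
    done
    "$FIREWALL_CMD" --reload >/dev/null || _rc=1
    return $_rc
}

# List files under $ETC_DIR that either shadow a packaged file of the same
# name in $LIB_DIR ("override") or add a purely local object ("custom").
# These are the leftovers a zone reset does not touch.
list_overrides() {
    for _sub in zones services icmptypes ipsets helpers policies; do
        [ -d "$ETC_DIR/$_sub" ] || continue
        for _f in "$ETC_DIR/$_sub"/*.xml; do
            [ -e "$_f" ] || continue
            if [ -e "$LIB_DIR/$_sub/$(basename "$_f")" ]; then
                echo "override: $_f"
            else
                echo "custom:   $_f"
            fi
        done
    done
}

# Usage on a real system (run as root):
#   . ./reset-firewalld.sh; reset_all_zones; list_overrides
```

Back up /etc/firewalld before acting on the "override"/"custom" list; deleting a file there simply makes firewalld fall back to the packaged copy in /usr/lib/firewalld, which is the clean slate the thread is after.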
Had these “missing interfaces” on two fresh TW KDE installs today. In Yast “Firewall” → “Interfaces” I pressed “Custom” and added manually the interface (name as in output of “ip a”) and adding a “Zone”.
Afterwards I edited the “Zone” to remove mDNS and ipv6 etc…
YaST Firewall only supports interfaces managed by wicked, which has been mentioned on this forum more than once. NetworkManager has native support for defining firewalld zone per connection and quite likely will override whatever you did in YaST Firewall.
This forum is not part of a TW install, so why is there no info when opening the YaST Firewall plugin that it has no effect if using NetworkManager?
I do not know. Have you tried asking the developers?
NetworkManager uses zones like the YaST plugin, but where are these zones defined? In the YaST plugin maybe?
Do you mean the defined firewalld zones?
ls -l /usr/lib/firewalld/zones/
This forum is not part of a TW install, so why is there no info when opening the YaST Firewall plugin that it has no effect if using NetworkManager?
It’s not that it doesn’t have any effect, it is that NM can override the zone settings.