Firewall Config and Getting NFS client to work.

Seems that things have changed between 42.3 and 15 and I have not a clue how to set up firewall and NFS client. Firewall.config was not installed so I installed it but still nothing works. I need a clue please because all this worked fine with 42.3.

Things have moved on; the new firewall is called firewalld. There should be notes in the release document, and here: https://en.opensuse.org/Firewalld

I wonder if this is a connection tracking issue here? If so, the advice I gave in the following post will be of relevance…
https://forums.opensuse.org/showthread.php/531702-Configure-Samba-for-a-Workgroup-in-the-local-LAN-Leap-15-firewall-blocks-outgoing-samba?p=2870109#post2870109

Hi to gogalthorp and deano, many thanks for the info. It was a bit strange that not all the components had been installed but eventually I managed to start with firewalld. Too much info for me and too many options. Where is the idiot's guide just to get started with what I had before and used to work? I have a new installation so am not migrating from 42.3 in this case. Which wiki should I start with because if I go to man pages I shall be on version 16 before I finish!!! Do I need the automatic helper I ask?

One step at a time Budgie2. Are you having trouble accessing your NFS shares from your Leap 15 machine? Can you do so when the firewalld is stopped?

sudo systemctl stop firewalld

Firewalld documentation…
https://firewalld.org/documentation/
This covers the CLI and GUI tools. If you get stuck or are confused about something, post here and we’ll help clarify further as needed.

Do I need the automatic helper I ask?

Only if you have a connection tracking issue :wink:

Security changes implemented in kernel 4.7.x onwards include disabling connection tracking helpers by default. This can be enabled via /etc/sysctl.conf

sysctl net.netfilter.nf_conntrack_helper=1

or if using firewalld, then it can be enabled there as well (as explained in the post I linked to previously).

The status can be verified with

cat /proc/sys/net/netfilter/nf_conntrack_helper

References
https://bugzilla.redhat.com/show_bug.cgi?id=1369489
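
An added example, not part of the original post: the `sysctl` command above changes only the running kernel, while an entry in `/etc/sysctl.conf` takes effect at boot, so this check reports both states together. The function names and verdict strings are hypothetical, and only the single file passed in is read.

```sh
#!/bin/sh
# Added example (not from the thread): compare the running value of
# net.netfilter.nf_conntrack_helper with the value a sysctl file sets at boot.
# Only one file is read; settings under /etc/sysctl.d/ are not considered.

KEY='net.netfilter.nf_conntrack_helper'

# persistent_value FILE -> last value assigned to KEY in FILE, or nothing
persistent_value() {
    [ -r "$1" ] || return 0
    awk -F= -v key="$KEY" '
        /^[[:space:]]*[#;]/ { next }   # skip comment lines
        { k = $1; gsub(/[[:space:]]/, "", k); gsub(/\//, ".", k) }
        k == key { v = $2; gsub(/[[:space:]]/, "", v); last = v }
        END { if (last != "") print last }' "$1"
}

# helper_status RUNTIME_FILE CONF_FILE -> one-word verdict on stdout
helper_status() {
    runtime=unavailable
    [ -r "$1" ] && runtime=$(cat "$1")
    boot=$(persistent_value "$2")
    case "$runtime:${boot:-unset}" in
        unavailable:*) echo "unavailable" ;;          # sysctl not present
        1:1)           echo "enabled-persistent" ;;   # on now and after reboot
        1:*)           echo "enabled-until-reboot" ;; # on now, lost at reboot
        0:1)           echo "enabled-at-next-boot" ;; # off now, on after reboot
        *)             echo "disabled" ;;
    esac
}

helper_status /proc/sys/net/netfilter/nf_conntrack_helper /etc/sysctl.conf
```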

Hi Deano and yes one step at a time please. I stopped firewalld (in fact I am sure it hadn’t started) and NFS is not running. The way I used to have NFS working has not been changed but no joy yet!

Hoped to have heard from you but meanwhile it seems the setting up of NFS client is quite different. I cannot browse to select the NFS local folder in my home directory. In fact I do not recognise any of it.

Deleted NFS Client and started over and this time I can browse as usual. One step further on so getting there. Will need to do some more work if I am to get NFS v4 working.

I was asleep. Different time zone to you. :wink:

Good, that reads like progress…and of course you can always refer to the openSUSE documentation when things aren’t clear to you…

https://doc.opensuse.org/documentation/leap/reference/html/book.opensuse.reference/cha.nfs.html#sec.nfs.configuring-nfs-clients

Hi Deano,
Forget NFS for now as I want to get to grips with Firewalld. Having read quite a bit it seems the new firewalld system is clearly superior to old system both in versatility and security. Most of it well beyond me but I understand the point. What I now need is a one step at a time way forward. First step is to start firewalld which it seems cannot be done by yast so have done it with

sudo systemctl start firewalld

This seems to do the trick but I assume I must make permanent by using firewall-cmd --runtime-to-permanent. Is that correct?

No, you’re confusing the service with a firewalld config command. This will ensure that the service is enabled and so started permanently at boot…

sudo systemctl enable firewalld

Hi Deano, it seems there is a problem. If I start the firewall as per the above code all is well but if I shut down and reboot the firewalld does not start and I must start it again.
There is a very short warning message right at the beginning, too fast for me to see but something like “Failed to Startup Virtual Console” and boot continues OK but no firewalld.
Any ideas?

Can you show us the status of SuSEfirewall2 and firewalld please?

sudo systemctl status SuSEfirewall2
sudo systemctl status firewalld

 SuSEfirewall2.service - SuSEfirewall2 phase 2
   Loaded: loaded (/usr/lib/systemd/system/SuSEfirewall2.service; enabled; vendor preset: disabled)
   Active: inactive (dead) since Wed 2018-09-05 09:16:44 BST; 4h 58min ago
  Process: 3255 ExecStop=/usr/sbin/SuSEfirewall2 systemd_stop (code=exited, status=0/SUCCESS)
  Process: 1493 ExecStart=/usr/sbin/SuSEfirewall2 boot_setup (code=exited, status=0/SUCCESS)
 Main PID: 1493 (code=exited, status=0/SUCCESS)

Sep 05 09:13:23 linux-jqbk systemd[1]: Starting SuSEfirewall2 phase 2...
Sep 05 09:13:23 linux-jqbk SuSEfirewall2[1493]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Sep 05 09:13:23 linux-jqbk SuSEfirewall2[1493]: using default zone 'ext' for interface eth0
Sep 05 09:13:23 linux-jqbk SuSEfirewall2[1493]: using default zone 'ext' for interface wlan0
Sep 05 09:13:23 linux-jqbk SuSEfirewall2[1493]: using default zone 'ext' for interface wwan0
Sep 05 09:13:25 linux-jqbk SuSEfirewall2[1493]: Firewall rules successfully set
Sep 05 09:13:25 linux-jqbk systemd[1]: Started SuSEfirewall2 phase 2.
Sep 05 09:16:44 linux-jqbk.suse systemd[1]: Stopping SuSEfirewall2 phase 2...
Sep 05 09:16:44 linux-jqbk.suse SuSEfirewall2[3255]: Firewall rules unloaded.
Sep 05 09:16:44 linux-jqbk.suse systemd[1]: Stopped SuSEfirewall2 phase 2.
alastair@linux-jqbk:~>

● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2018-09-05 09:16:46 BST; 5h 0min ago
     Docs: man:firewalld(1)
 Main PID: 3254 (firewalld)
    Tasks: 2 (limit: 4915)
   CGroup: /system.slice/firewalld.service
           └─3254 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid

Sep 05 09:16:44 linux-jqbk.suse systemd[1]: Starting firewalld - dynamic firewall daemon...
Sep 05 09:16:46 linux-jqbk.suse systemd[1]: Started firewalld - dynamic firewall daemon.
alastair@linux-jqbk:~>

Hope this helps

As you can see, both SuSEfirewall2 and firewalld are active. Stop and disable SuSEfirewall2 with

sudo systemctl stop SuSEfirewall2
sudo systemctl disable SuSEfirewall2

The legacy firewall remains in place from upgrades to Leap 15, primarily so that users who have custom firewall configurations can continue to use it until able to migrate to firewalld, but only one should be active. Otherwise only firewalld should be in use (assuming that a firewall is even required).
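
An added example, not part of the original post: a check for the situation shown in the status output above, where both units are loaded as enabled. `SYSTEMCTL` is a hypothetical override and the verdict strings are made up for this sketch; a unit counts as in use if it is enabled at boot or running now.

```sh
#!/bin/sh
# Added example (not from the thread): report when both the legacy
# SuSEfirewall2 unit and firewalld are enabled or active.
# SYSTEMCTL is a hypothetical override so the check can be exercised
# on a machine without systemd.

SYSTEMCTL=${SYSTEMCTL:-systemctl}

# in_use UNIT -> succeeds if UNIT is enabled at boot or running now
in_use() {
    "$SYSTEMCTL" is-enabled --quiet "$1" 2>/dev/null && return 0
    "$SYSTEMCTL" is-active --quiet "$1" 2>/dev/null
}

# firewall_verdict -> one line describing which firewall units are in use
firewall_verdict() {
    legacy=no
    new=no
    in_use SuSEfirewall2.service && legacy=yes
    in_use firewalld.service && new=yes
    case "$legacy:$new" in
        yes:yes) echo "conflict: disable SuSEfirewall2 or firewalld" ;;
        yes:no)  echo "legacy: SuSEfirewall2 only" ;;
        no:yes)  echo "ok: firewalld only" ;;
        *)       echo "none: no firewall unit in use" ;;
    esac
}

firewall_verdict
```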

Hi Deano, many thanks. I had assumed the old firewall had not been included or started with new install. Sorted it out now thanks.
May need help later configuring but so far so good.
Thanks again,
Budgie2

Is firewalld also a front-end configuration program for the Netfilter firewall in the Linux kernel, like SuSEfirewall2 and iptables, or is it a new firewall implementation altogether? Can IPfilter / Netfilter still be used in place of firewalld? I imagine SuSEfirewall2 will be removed eventually, but it should be simple to migrate if Netfilter is common to all.

The description at Firewalld - openSUSE Wiki states that firewalld “also supports an interface for services or applications to add firewall rules directly. Firewalld is well maintained, and it is already supported in some applications or libraries.”

But isn’t that a little dangerous without some iron-clad system of O/S rights-identifiers and access-control lists?

David L.