I am trying to get to grips with the firewall on Tumbleweed.
Last time I tried configuring the firewall I was not using Tumbleweed. I remember firewalld as described in the manual and GUI manual. This was on an earlier openSUSE version (15.0 or earlier). Now I am on Tumbleweed and am trying to understand it so I can get minimserver working again, and it all looks different. Please could somebody point me towards the correct idiot's guide to get me started.
Regards,
Budgie2
Hi
YaST and firewall config? If the package is packaged with a firewalld service, then it should appear in the list of applications to allow… or do you know which ports need to be open? Else turn off the firewall and from another computer nmap the system running minimserver to see what it’s using.
Up until LEAP 42.3, you were probably using the simpler SuSEFW2.
Since then, we’ve been using the more complex but also more capable firewalld.
When I have a question about firewalld, I usually reach for the online documentation
Hi
Way too complicated. I installed synergy for my virtual machines, went into YaST firewall, looked in the list for the home zone, added synergy to the home zone and done <shrug>
All depends on what your needs are.
If the service you want to expose is pre-defined, then it’s easy.
Or at least, not terribly difficult to understand if you at least understand temporary runtime mode and how to make your settings persistent.
I hadn’t looked at this new YaST module for a while…
With what is in an updated TW I see something new that replaces the very complicated firewall-config.
Looks like it’s an attempt to provide a very simple interface for firewall configuration.
Problem for me is…
It strips out all levels of complexity, so you’re left with only a very flat level of accessibility, and it’s now seriously lacking features which are common in all FW configurations… like…
Some way of looking at exactly what a service does or doesn’t do. At least in the YaST module, all you can see is the name(label) of the service, no way to know what ports are opened or blocked.
No way to create a new service, only open ports. This will generally mean that the custom configuration you create will only be known by the ports you open and you might not remember later why and for what reason you opened those ports.
The two “services” I specifically looked for to evaluate whether the firewall configuration “is sufficient” are two I feel are the most complex I’ve had to configure… AMANDA and SIP, plus the well-known FTP PASV, which I assume is so standard it just has to be there. In all three instances, the current tool fails.
There are AMANDA client and AMANDA kerberos client configurations, but no AMANDA server configuration. I guess someone thinks that no one will run AMANDA server on openSUSE (although it’s in the OSS). AMANDA is very hard to configure because it requires configuring secondary ports and you may want to enable stateful inspection to dynamically open the secondary ports instead of leaving them open all the time.
There is no entry for SIP. So I guess people are going to have to configure settings for their SIP softphones manually. SIP is a complex protocol that involves control, location and multimedia (audio and/or video), each likely handled differently on different ports, so, like AMANDA, it can be helpful if pre-configured.
There is an entry for FTP, but as I described above, there is no hint whether the configuration supports Active (ports 21 and 20) or PASV (ports 21 and a defined range of secondary ports).
The YaST module is a good idea and removes a tremendous amount of complexity from the firewall-config tool, but as it now exists it looks like a lot of details are not addressed… It needs to be reviewed and debugged/improved at least to what is commonly found in a minimal FW tool… maybe the previous SuSEFW2 tool should be the standard the new tool should at least try to achieve (but of course incorporating new available features not exposed by the old tool).
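The two gaps raised above (no way to see what ports a service actually opens, and no hint whether the FTP entry covers a PASV range) can be answered from the service definition XML that firewalld ships. The following is an added example, not from this thread or from firewalld's own code, that parses such definitions; the two XML samples are constructed to match the format, not verbatim copies of any shipped file.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the firewalld service XML format found under
# /usr/lib/firewalld/services/; not verbatim copies of any shipped file.
SAMBA_CLIENT_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Samba Client</short>
  <port protocol="udp" port="137"/>
  <port protocol="udp" port="138"/>
  <module name="nf_conntrack_netbios_ns"/>
</service>"""

# A custom FTP service that also opens a PASV data range (constructed).
FTP_PASV_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP with PASV range</short>
  <port protocol="tcp" port="21"/>
  <port protocol="tcp" port="50000-50100"/>
  <module name="nf_conntrack_ftp"/>
</service>"""

def parse_service(xml_text):
    """Summarise a firewalld service definition: what it really opens."""
    root = ET.fromstring(xml_text)
    if root.tag != "service":
        raise ValueError("not a firewalld service definition")
    summary = {"short": (root.findtext("short") or "").strip(),
               "ports": [],      # (protocol, port or range) pairs
               "protocols": [],  # bare IP protocols, e.g. "gre"
               "modules": [],    # conntrack helper modules
               "includes": []}   # other services pulled in
    for el in root:
        if el.tag == "port":
            summary["ports"].append((el.get("protocol"), el.get("port")))
        elif el.tag == "protocol":
            summary["protocols"].append(el.get("value"))
        elif el.tag == "module":
            summary["modules"].append(el.get("name"))
        elif el.tag == "include":
            summary["includes"].append(el.get("service"))
    return summary

def expand_ports(summary):
    """Expand ranges such as '50000-50100' into individual (proto, int) pairs."""
    out = []
    for proto, spec in summary["ports"]:
        lo, _, hi = spec.partition("-")
        out.extend((proto, p) for p in range(int(lo), int(hi or lo) + 1))
    return out
```

On a real system, `firewall-cmd --info-service=<name>` prints the same fields, and local overrides live in /etc/firewalld/services/; a service that lists only a conntrack helper module (as the FTP sample does beyond port 21) relies on stateful inspection rather than statically open secondary ports.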
I agree with your assessment, but I see (=assume) the YaST module is work in progress, and for most competent users firewall-config would likely be considered the most effective graphical utility to use. IMHO, firewall-config tool is not difficult to use for “typical” use cases.
Hi Malcolm,
Been busy on other stuff, but I liked your suggestion, or rather the idea, but I will need help understanding, please. I can turn off the firewall on this computer, which is the one I want to use eventually to access the application running on the NAS.
I have a laptop on which I can run nmap but seek your guidance on how to find the information I shall need. Will make a start with nmap and see how I get on.
Hi Malcolm, here are the findings of my very simple scan. 224 is the address of the workstation and 130 is the address of the NAS.
With firewall running I get:
alastair@AJBR-W530:~> nmap 192.168.169.224
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-13 18:18 BST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.04 seconds
And the NAS:-
alastair@AJBR-W530:~> nmap 192.168.169.130
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-13 18:19 BST
Nmap scan report for 192.168.169.130
Host is up (0.0069s latency).
Not shown: 987 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
631/tcp open ipp
873/tcp open rsync
2049/tcp open nfs
8080/tcp open http-proxy
9000/tcp open cslistener
30000/tcp open ndmps
Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
alastair@AJBR-W530:~>
With firewall off I get:-
alastair@AJBR-W530:~> nmap 192.168.169.224
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-13 18:21 BST
Nmap scan report for 192.168.169.224
Host is up (0.0063s latency).
All 1000 scanned ports on 192.168.169.224 are closed
Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
alastair@AJBR-W530:~>
I do not understand why this tells me all the ports are closed because with the FW inactive my application can see the NAS and works.
I shall need a bit of help with the zones and interfaces here too as I am not sure which I should be trying to set.
Hi
So what service are you using to connect to the NAS, samba? If so, add the samba-client service to the default firewall zone your system is set to.
What arvidjaar said
Try localhost instead of your external IP address.
nmap localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-13 16:51 CDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
631/tcp open ipp
24800/tcp open unknown
I use the following to see what zone and services are in use (as root user):
firewall-cmd --list-all
The GUI shows the interfaces and zones; it should be self-explanatory?