Firewalld service inactive (dead)

Why is firewalld service not active after reboot? How to fix it?

sudo service firewalld status
[sudo] пароль для root:  
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disab
   Active: inactive (dead)
     Docs: man:firewalld(1)


cat /etc/os-release
NAME="openSUSE Tumbleweed"
# VERSION="20180330"
ID=opensuse
ID_LIKE="suse"
VERSION_ID="20180330"
PRETTY_NAME="openSUSE Tumbleweed"


http://images.vfl.ru/ii/1522605395/52806ab8/21206959_m.png

have you run a recent update

zypper dup

afaik on TW firewalld has replaced SUSEfirewall
if SUSEfirewall is still alive and working on your machine it could be affecting firewalld
you can use yast service manager to check if SUSEfirewall is still there and to activate firewalld
see
https://forums.opensuse.org/showthread.php/530165-Tumbleweed-update

Done.

It helped, thanks.

Tell me please, why ifconfig does not work for Tumbleweed ? It’s a surprise for me:

sudo ifconfig
sudo: ifconfig: command not found

The ‘net-tools’ package has been deprecated for some time now and no longer included by default. Instead the ‘ip’ command and others can be used. For example, to get interfaces and assigned addresses…

ip a

Routing…

ip r

For your interest…

https://software.opensuse.org/package/net-tools-deprecated

net-tools-deprecated

Deprecated Networking Utilities

This package contains the deprecated network utilities arp, ifconfig, netstat and route, which have been replaced by tools from the iproute2 package:
* arp -> ip [-r] neigh
* ifconfig -> ip a
* netstat -> ss [-r]
* route -> ip r

Or if you are a fan of vintage computing (or just putting off updating a pile of scripts):

sudo zypper in net-tools-deprecated

OK, thank you!
What do you think, I must enter eth0 and ppp0 in the firewall settings (“Interfaces” tab)? or eth0 only? If I do not do this (“Interfaces” tab is empty), will the firewall work?

ip a 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:25:22:bb:5f:e9 brd ff:ff:ff:ff:ff:ff
3: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast state UNKNOWN group default qlen 3
    link/ppp  
    inet 100.65.171.237 peer 100.65.168.1/32 scope global ppp0
       valid_lft forever preferred_lft forever


There should be no need to add the interfaces explicitly. By default, both eth0 and ppp0 (when active) will be assigned to the public zone.

For example, when I have firewalld active on a normal ethernet connection and a VPN active…

firewall-cmd --list-all-zones

I get…

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 ppp0

There is a good link about firewalld:
https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7

For eth0 it works, thank you.
But I need to add ppp0 explicitly, otherwise firewalld does not see it.
Tell me, am I doing something wrong?

alex@linux-yz6z:~> sudo pppoe-start  # I turn on ppp0.                                      
[sudo] пароль для root: 
alex@linux-yz6z:~> sudo firewall-cmd --zone=drop --list-all       
drop (active)
  target: DROP
  icmp-block-inversion: yes
  interfaces: eth0
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

pppoe config

** Summary of what you entered **


Ethernet Interface: eth0
User name:          szt
Activate-on-demand: No
Primary DNS:        8.8.8.8
Secondary DNS:      8.8.4.4
Firewalling:        NONE
User Control:       yes
Accept these settings and adjust configuration files (y/n)? y
Adjusting /etc/sysconfig/network/ifcfg-ppp0
Adjusting /etc/resolv.conf
Adjusting /etc/ppp/chap-secrets and /etc/ppp/pap-secrets
  (But first backing it up to /etc/ppp/chap-secrets.bak)
  (But first backing it up to /etc/ppp/pap-secrets.bak)
Congratulations, it should be all set up!

Firewalld-cmd --permanent --change-zone=ppp0 --zone=drop

By default the public zone is used (unless you have previously changed the default zone). You should have checked the public zone when the ppp0 interface is active.

Anyway, you can change it with something like

firewall-cmd --zone=drop --change-interface=ppp0

This will apply to the current firewall session. To make it permanent (future sessions), do

firewall-cmd --permanent --zone=drop --change-interface=ppp0

OK. Tell me, is that all I had to do?
Any ideas?

alex@linux-1fj7:~> ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:25:22:bb:5f:e9 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::225:22ff:febb:5fe9/64 scope link 
       valid_lft forever preferred_lft forever
3: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast state UNKNOWN group default qlen 3
    link/ppp 
    inet 100.81.172.217 peer 100.65.240.1/32 scope global ppp0
       valid_lft forever preferred_lft forever
alex@linux-1fj7:~> ip r
default dev ppp0 scope link 
100.65.240.1 dev ppp0 proto kernel scope link src 100.81.172.217 


alex@linux-1fj7:~> sudo firewall-cmd --list-all
[sudo] пароль для root: 
drop (active)
  target: DROP
  icmp-block-inversion: yes
  interfaces: enp1s0 ppp0
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Yes, if your intention is to require both these interfaces to be included in this zone. Is everything working as expected?

I hope so. :slight_smile:
I have a gray IP (private IP address).
Please tell me how to verify that the firewall is reliable? I think this web service will not help?

As this is an English-speaking forum, I can really only advise sites using that language. There are lots of online firewall test sites that you can try using eg

http://www.malwarehelp.org/online_firewall_and_port_scanners.html
https://hackertarget.com/firewall-test/

OK. But you did not understand me. Sorry for my bad English.

I have a ‘private IP address’ (local IP address).
All these online firewall tests will tell me about the network screen of the server of the Internet provider, from which I receive an internal IP.
Right?
But I’m not sure that I will get an answer about protecting the firewall of my workstation.

Correct.

But I’m not sure that I will get an answer about protecting the firewall of my workstation.

Do you mean from other hosts within your LAN? Internet?

The simple answer is that as ppp0 and eth0 are both in the ‘drop’ zone, then the firewall rules will apply equally to both, and all unsolicited incoming packets should be dropped.

drop

Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.

https://firewalld.org/documentation/zone/predefined-zones.html

You should be able to observe the logging (/var/log/firewalld). Dropped packets can be logged according to the ‘LogDenied=’ setting in /etc/firewalld/firewalld.conf

https://firewalld.org/documentation/configuration/firewalld-conf.html
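The two checks suggested in the last replies (are both interfaces really in the intended zone, and will dropped packets be logged at all) can be scripted against the output of `firewall-cmd --list-all-zones` and the contents of /etc/firewalld/firewalld.conf. The script below is an added example, not code from this thread or from the firewalld project; the zone listing and config text are constructed samples in the same format as the output quoted above, and the `audit` function name and its argument layout are my own choices.

```python
"""Audit firewalld zone assignment and drop logging from captured text."""
import re

# Constructed sample of `firewall-cmd --list-all-zones` output (abbreviated).
SAMPLE_ZONES = """\
drop (active)
  target: DROP
  icmp-block-inversion: yes
  interfaces: enp1s0 ppp0
  sources:
public
  target: default
  interfaces:
  services: ssh dhcpv6-client
"""

# Constructed sample of /etc/firewalld/firewalld.conf (relevant keys only).
SAMPLE_CONF = """\
# firewalld config file (constructed sample)
DefaultZone=public
LogDenied=off
"""

def parse_zones(text):
    """Map zone name -> {"active": bool, "target": str, "interfaces": [...]}."""
    zones, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^(\S+)(?: \((active)\))?$", line)   # e.g. "drop (active)"
        if header:
            current = zones[header.group(1)] = {
                "active": header.group(2) == "active", "target": None, "interfaces": []}
        elif current is not None and ":" in line:               # indented "key: value"
            key, _, val = line.strip().partition(":")
            if key == "interfaces":
                current["interfaces"] = val.split()
            elif key == "target":
                current["target"] = val.strip()
    return zones

def parse_conf(text):
    """Return {KEY: VALUE} for non-comment lines of firewalld.conf."""
    pairs = (l.partition("=") for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, _, v in pairs}

def audit(zones_text, conf_text, expected_zone, interfaces):
    """Return a list of findings; an empty list means the setup matches the intent."""
    zones, conf = parse_zones(zones_text), parse_conf(conf_text)
    iface_zone = {i: z for z, d in zones.items() for i in d["interfaces"]}
    findings = []
    for iface in interfaces:
        zone = iface_zone.get(iface)
        if zone != expected_zone:   # unassigned interfaces fall back to DefaultZone
            where = zone or "none (DefaultZone=%s applies)" % conf.get("DefaultZone", "?")
            findings.append("%s: in zone %s, expected %s" % (iface, where, expected_zone))
    if conf.get("LogDenied", "off") == "off":
        findings.append("LogDenied=off: dropped packets are not logged")
    return findings
```

Run it with `audit(SAMPLE_ZONES, SAMPLE_CONF, "drop", ["enp1s0", "ppp0"])`; with the samples above the only finding is the disabled logging, which is exactly what would hide the dropped packets the reply says you should be able to observe.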