I’m trying to correctly configure firewalld in order to enable some services.
This is my current configuration:
~> firewall-cmd --state
running
~> sudo firewall-cmd --zone=home --list-all
home (active)
target: default
icmp-block-inversion: no
interfaces: wlp4s0
sources:
services: dhcpv6-client http kdeconnect-kde mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
~> sudo nmap -sT -O localhost
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-20 19:50 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00031s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 995 closed ports
PORT STATE SERVICE
25/tcp open smtp
631/tcp open ipp
3306/tcp open mysql
8080/tcp open http-proxy
8443/tcp open https-alt
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.32
OS details: Linux 2.6.32
Network Distance: 0 hops
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.71 seconds
From this, everything seems to be working fine, but I’m unable to connect to (or even see) these ports from an Android phone connected to the same wifi network as my laptop. More precisely, I’ve used Fing to scan for open ports on my computer, and none was detected.
I’m also unable to access some locally developed websites that I’m trying to expose to the local network via http (port 8080), in order to test on mobile devices (which is the reason why I’m trying to make this work).
However, if I disable the firewall with
sudo systemctl stop firewalld
I can detect that HTTP ports are open, and I can normally navigate on my local websites from my phone’s browser.
While I do not quite understand your problem, I get the idea that you check what ports can be reached at localhost and then think that those ports can be reached from another system. That is not the case. Localhost can only be reached from the local host. Traffic to localhost is not even real network traffic and will thus not be blocked by the firewall.
Well, I don’t really know. But I’ll comment on what I did for ssh with Leap 15.1 Beta.
I forgot to open the ssh port during install. So I brought up firewalld configuration.
I added “ssh” to the ports. And it looked okay. But it still did not work.
So I added my network interface to a zone. And then it worked.
I’m not sure whether it matters what zone. Looking at the GUI, ‘ssh’ seemed to be available in all zones, but not working. And the interface showed a zone of “default”. So maybe the default is to not be in any zone, and as soon as I add it to a zone it works.
The configuration GUI for 15.1 is very different from that for 15.0. I have not recently looked at the one for Tumbleweed, but since changes usually start on Tumbleweed, it might be the same as 15.1.
My network interface already is in the “home” zone, where I have enabled the “http” service, but I’m still unable to connect.
Not manually, but I’ve enabled the “http” firewall service; from what I understand these services are just sets of predefined ports that one can enable instead of manually doing that for every single port associated with it.
A scan with nmap shows me that HTTP ports are open, but I can’t access them from other devices on the same network.
When you mean with that nmap scan the one you show in post #1 above, where you check localhost, I tried already to explain to you that that only shows that programs are listening on those ports and that they can be reached from the local system.
Firewalls have no influence on local traffic. They block traffic from outside. You should scan with nmap from another system on the LAN.
When you mean that you did a scan with nmap from another system, then please show the results. To put it bluntly and impolitely, we do not believe what you say (your conclusions), we believe what the computer says and then try to draw our own conclusions.
Same for your conclusion that the firewall is open for http. Your listing in post #1 shows http, but later you mention that you are using 8080, which is http-alt (and you were advised to open that in the firewall). So again SHOW the listing from your firewall as it is now.
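The last point (the `http` service covers port 80, not 8080) can be checked mechanically. The following is an added example, not code from the thread: it parses a zone listing in the `firewall-cmd --list-all` format together with firewalld service definitions and reports whether a given port/protocol is covered by an enabled service or an explicit `ports:` entry. The service XML here is constructed sample data standing in for `/usr/lib/firewalld/services/<name>.xml`; `load_system_services` can read the real files instead.

```python
import xml.etree.ElementTree as ET
from pathlib import Path
# Constructed stand-ins for /usr/lib/firewalld/services/<name>.xml (same schema
# as the real definitions; sample content, not copied from any system).
SAMPLE_SERVICES = {
    "http": '<service><short>WWW (HTTP)</short><port protocol="tcp" port="80"/></service>',
    "ssh": '<service><short>SSH</short><port protocol="tcp" port="22"/></service>',
    "samba-client": '<service><short>Samba Client</short>'
                    '<port protocol="udp" port="137-138"/></service>',
}
# Zone listing in the format printed by `firewall-cmd --zone=home --list-all`.
ZONE_LISTING = """home (active)
  target: default
  interfaces: wlp4s0
  services: dhcpv6-client http kdeconnect-kde mdns samba-client ssh
  ports:
"""

def port_range(spec, proto):
    """'80' or '137-138' -> (proto, low, high)."""
    lo, _, hi = spec.partition("-")
    return (proto, int(lo), int(hi or lo))

def service_ports(xml_text):
    """All (proto, low, high) ranges declared by one firewalld service XML."""
    root = ET.fromstring(xml_text)
    return [port_range(p.get("port"), p.get("protocol")) for p in root.findall("port")]

def parse_listing(text):
    """Turn --list-all output into {'services': [...], 'ports': [...], ...}."""
    fields = {}
    for line in text.splitlines()[1:]:          # first line is the zone name
        key, _, value = line.strip().partition(":")
        fields[key] = value.split()
    return fields

def load_system_services(names, services_dir=Path("/usr/lib/firewalld/services")):
    """Read real service definitions from the system, skipping names that do not exist."""
    paths = {n: services_dir / f"{n}.xml" for n in names}
    return {n: p.read_bytes() for n, p in paths.items() if p.exists()}

def zone_allows(listing_text, port, proto, services=SAMPLE_SERVICES):
    """True if port/proto is opened by an enabled service or an explicit port entry."""
    zone = parse_listing(listing_text)
    ranges = [port_range(*p.split("/")) for p in zone.get("ports", [])]
    for name in zone.get("services", []):
        if name in services:  # unknown service names are skipped, not assumed open
            ranges.extend(service_ports(services[name]))
    return any(pr == proto and lo <= port <= hi for pr, lo, hi in ranges)
```

With the listing from post #1, `zone_allows(ZONE_LISTING, 80, "tcp")` is True and `zone_allows(ZONE_LISTING, 8080, "tcp")` is False; it only turns True once `8080/tcp` appears under `ports:`, which is what `firewall-cmd --zone=home --add-port=8080/tcp` would produce.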