Installed Leap 15.3, now Win10 Cygwin cannot get through Linux Firewall

I was using OpenSuSE Leap 15.2, with my nVidia Geforce GTX 970 graphics card, and all was well. I was offered a Nouveau (graphics driver) update, with a warning that 3D functionality (which I use) may be lost, so I refused it. It was offered again on several successive days, with the same set of updates: it seemed that the refusal was cutting off later updates, which seemed a bad idea. With misgivings, I accepted the Nouveau update: and my 3D capability was lost. In attempting to regain my old functionality, I trashed my system — not deliberately!

I decided to be positive, performed a new install to Leap 15.3, refused Nouveau, and so had a working system — although 3D capability is yet to be restored.

But I now have a higher priority problem. I use rsync (to removable HDDs) to back up my Linux system. I also have a separate Win10 PC, and have successfully been using Cygwin on the PC to back up Win10 files via ssh and Linux sshd to a designated folder on my Linux machine: they are included in my Linux rsync to removable HDDs. Until I moved to Leap 15.3 all worked fine — the inter-machine rsync used ssh to cross through the Win10 and Leap 15.2 firewalls without issue.

However, I now have a problem I do not understand. The inter-machine rsync works fine through the Win10 firewall with the Linux firewall turned off (and the internet disconnected!), but fails with the Linux firewall also turned on. Symptoms, as seen on the Cygwin terminal:

No Linux firewall:

(root@192.168.101.3) Password:
etc — works fine.

telnet 192.168.101.3 22
opens telnet connection fine.

Linux firewall working:

ssh: connect to host 192.168.101.3 port 22: Connection timed out
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: error in rsync protocol data stream (code 12) at io.c(228) [sender=3.2.4dev]

$ telnet 192.168.101.3 22
Connecting To 192.168.101.3…Could not open connection to the host, on port 22: Connect failed

I assume the problem is with the setup of the Leap 15.3 firewall, which I have been changing through yast2. There seems very little to set up. For the “home” and “internal” Zones (this is my home network) ssh and rsyncd services are allowed, with ports 22 and 873 (just in case). The yast2 hostnames includes IP addresses and hostnames of Win10 and Leap 15.3 systems respectively.

It is less obvious to me what needs to be set up at the Win10 Cygwin end, but that seems to work if the Leap 15.3 firewall is down.

Any suggestions, anyone?

Start with showing output of

ip a
firewall-cmd --list-all

in tags [noparse]

...

[/noparse]

Hopefully, this is what you meant, invoked on Leap 15.3. Apparently no ports set, but they were set in yast2 firewall:

lee@mozart:~> ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:1f:1f:fa:8d:8f brd ff:ff:ff:ff:ff:ff
    altname enp9s0
    inet 192.168.101.3/24 brd 192.168.101.255 scope global dynamic noprefixroute eth0
       valid_lft 85459sec preferred_lft 85459sec
    inet6 fe80::21f:1fff:fefa:8d8f/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 54:04:a6:2f:41:03 brd ff:ff:ff:ff:ff:ff
    altname eno1
    altname enp0s25
lee@mozart:~> firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
lee@mozart:~>

It does not mean these ports are used.

lee@mozart:~> firewall-cmd --list-all 
public (active) 
  target: default 
  icmp-block-inversion: no 
  interfaces: eth0 

Your only interface is bound to zone “public”. So only rules from this zone are used.

How do you expect firewalld to know that the “home” and “internal” zones are your home network? You seem to misunderstand how firewalld works. A zone is a collection of rules to apply to incoming packets. Rules from a zone definition are used only when the zone is active. A zone is active when it is bound to an active interface/connection. A zone can be bound to an interface either statically (in the zone definition) or dynamically (both wicked and NetworkManager support the zone name as a property of an interface/connection and inform firewalld to bind this zone to the interface when the connection is activated).

So you need one of:

  • assign interface eth0 to zone “home” or “internal” in the firewalld configuration (you can only bind an interface to a single zone)
  • configure your network management program (wicked or NetworkManager) to explicitly use one of the zones where you added your ports
  • add the ports to the “public” zone.

First, thank you arvidjaar for very helpful comments. I think I now have things set up, in the sense that the Win10 Cygwin rsync works through both firewalls, and I still have access to the internet. Evidently, I forgot to set up the Interfaces in yast2 firewall.

However, my Interfaces show two devices. One is eth0 set to Zone home, which I am happy with. However, I seem to have a “docker0”, which for the moment I have set to block. What is docker0? A USB connection??

Repeating your requested invocations:

mozart:/raid/lee/utils # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:1f:1f:fa:8d:8f brd ff:ff:ff:ff:ff:ff
    altname enp9s0
    inet 192.168.101.3/24 brd 192.168.101.255 scope global eth0
       valid_lft forever preferred_lft forever
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 54:04:a6:2f:41:03 brd ff:ff:ff:ff:ff:ff
    altname eno1
    altname enp0s25

seems essentially unchanged. However, I am still concerned at your other one:

lee@mozart:/raid/lee/utils> firewall-cmd --list-all
You're performing an operation over default zone ('public'),
but your connections/interfaces are in zone 'docker,home' (see --get-active-zones)
You most likely need to use --zone=docker option.

public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
lee@mozart:/raid/lee/utils>

Still a reference to “public” (although I am obviously on the internet as I type), and this “docker” seems to be coming up. What is happening here, and am I safe from the internet? I have allowed services on the “home” zone; otherwise “public” is dhcpv6-client.

Unfortunately, firewalld does not really provide an option to list the complete effective configuration. There is a default zone (which defaults to “public”) that is used if no other zone is explicitly bound to an interface. Also, the command “firewall-cmd --list-all” always applies to a specific zone; if nothing is given explicitly, it is the default zone, which is “public”. That is the reason you see a reference to public.

As for docker0 - if an interface name is statically defined in the firewalld configuration, firewalld always creates rules for this interface. The interface need not exist to be used in netfilter rules. And the default configuration shipped with firewalld includes a zone “docker” with the single interface “docker0”.

So to check what configuration is active you could use:

localhost:~ # firewall-cmd --get-active-zones 
docker
  interfaces: docker0
localhost:~ # firewall-cmd --get-zone-of-interface=enp0s3
no zone
localhost:~ # 

If no zone is explicitly bound to your interface, rules from the default zone will be applied:

localhost:~ # firewall-cmd --get-default-zone 
public
localhost:~ # 

And now you can use “firewall-cmd --zone=XXX --list-all” for each zone mentioned in the output above to check enabled ports.
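The zone-resolution logic described in this reply (bound zone, else the default zone; then read that zone's services and ports), written out as an added example. This is not from the thread or from firewalld itself; the two helpers take the text of the firewall-cmd outputs as arguments so the logic can be checked offline, and the sample data is constructed to mirror the outputs quoted above.

```shell
#!/bin/sh
# Which firewalld zone actually governs an interface, and does that zone
# open tcp/22 (ssh)?  Text-only helpers: on a live host feed them the real
# firewall-cmd output (see the comment at the bottom).

# effective_zone IFACE ACTIVE_ZONES_TEXT DEFAULT_ZONE
#   ACTIVE_ZONES_TEXT is the output of `firewall-cmd --get-active-zones`.
#   Prints the zone bound to IFACE, or DEFAULT_ZONE when nothing is bound.
effective_zone() {
    zone=$(printf '%s\n' "$2" | awk -v want="$1" '
        /^[^ \t]/           { zone = $1; next }             # zone header line
        $1 == "interfaces:" { for (i = 2; i <= NF; i++)     # "  interfaces: eth0"
                                  if ($i == want) { print zone; exit } }')
    if [ -n "$zone" ]; then printf '%s\n' "$zone"; else printf '%s\n' "$3"; fi
}

# port_allowed LIST_ALL_TEXT PORT SERVICE
#   LIST_ALL_TEXT is the output of `firewall-cmd --zone=Z --list-all`.
#   Succeeds (exit 0) if PORT/tcp is listed explicitly or SERVICE is enabled.
port_allowed() {
    printf '%s\n' "$1" | awk -v p="$2/tcp" -v s="$3" '
        $1 == "ports:"    { for (i = 2; i <= NF; i++) if ($i == p) ok = 1 }
        $1 == "services:" { for (i = 2; i <= NF; i++) if ($i == s) ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# Constructed sample data, modelled on the outputs quoted in this thread.
ACTIVE_BEFORE='docker
  interfaces: docker0'          # eth0 bound to nothing: default zone applies
ACTIVE_AFTER='home
  interfaces: eth0'             # after binding eth0 to "home"
DEFAULT_ZONE=public
LIST_PUBLIC='public
  services: dhcpv6-client
  ports:'
LIST_HOME='home (active)
  services: dhcpv6-client mdns rsyncd samba samba-client ssh
  ports: 22/tcp 873/tcp'

for active in "$ACTIVE_BEFORE" "$ACTIVE_AFTER"; do
    zone=$(effective_zone eth0 "$active" "$DEFAULT_ZONE")
    case $zone in home) listing=$LIST_HOME ;; *) listing=$LIST_PUBLIC ;; esac
    if port_allowed "$listing" 22 ssh; then verdict=open; else verdict=closed; fi
    printf 'eth0 -> zone %-6s tcp/22 %s\n' "$zone" "$verdict"
done
# Live use:  effective_zone eth0 "$(firewall-cmd --get-active-zones)" \
#                                "$(firewall-cmd --get-default-zone)"
```

With the "before" data eth0 falls through to public, which opens no ssh port, which is exactly the connection timeout seen from Cygwin; with eth0 bound to home, tcp/22 is open.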

Again, my thanks to arvidjaar.

I think I am now OK. Suggested invocations were:

mozart:/home/lee # firewall-cmd --get-active-zones
home
  interfaces: eth0
mozart:/home/lee # firewall-cmd --get-zone-of-interface=enp0s3
no zone
mozart:/home/lee # firewall-cmd --zone=home --list-all
home (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client mdns rsyncd samba samba-client ssh
  ports: 22/tcp 873/tcp
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

… which seems as expected. I gather docker0 is a bridge (to a virtual system??) to something I do not have, so I have given it a zone of “block”. I also checked the system with the Gibson Research Shields Up, which seems to suggest I am safe.

So how did all this happen? In previous incarnations of OpenSuSE I have always set network details manually: generally a very slow and tedious process, but at least you understand what you have done. On Leap 15.2 I was faced with an unfamiliar “Wicked” network manager — it was different, but I was still able to set up manually. For Leap 15.3 I was given the default NetworkManager, and I thought I would go along with it. All remarkably quick, and through to the internet immediately: amazing. However, yast2 displayed a Warning Dialogue box: “Network is currently handled by NetworkManager or completely disabled. YaST is unable to configure some options” — leaving me feeling somewhat disempowered. I then discovered that NetworkManager had changed the machine’s local URL, which had consequences. Following your help, I changed to Wicked, removed DHCP, set the router to its explicit URL, set the DNSs to addresses I had tested, and (of course) now remembered to set the firewall zone to “home”. The NetworkManager had left me somewhat bamboozled! My gut feeling is now to give NetworkManager its head, and then immediately switch to Wicked to clean up its mess. As you noted, the software does not necessarily know what you want to do — although yast2/NetworkManager could have been more helpful in advice for those using it for the first time.

So, again, my thanks for your help and advice!