nmap question

I looked at nmap just out of curiosity. I have a laptop and desktop on my LAN. I have failed (as noted in other threads) in trying to get either samba or sftp to work. Looking at nmap, the laptop has no open ports. Previously, I opened (via YaST) port 22 on many zones. So, that should be reported by nmap, but it isn’t. I didn’t pick every zone to open 22 and that could be the issue. This is not a thread to get samba or sftp working, just a question on nmap seeing open ports.

You must also understand that there needs to be active listening services with respect to those ports. Opening ports from a firewall perspective just allows traffic on a given port (or range of ports) through. Some further information on this…

Rather than just doing this blindly, try to familiarize yourself with the zones, and which you currently have an interface a member of. I think I have pointed you at this documentation already…

A couple of useful commands…

sudo firewall-cmd --get-active-zones
sudo firewall-cmd --list-all

Thank you for the background info. I will delve into it. In the meantime, the results of the commands show that my desktop is on the public zone and the laptop does not have firewalld running.

You can also check the machines themselves to confirm sshd and smb are listening as expected…

sudo systemctl status sshd
sudo systemctl status smb

The ss command can show useful socket information. For example, all listening TCP connections…

sudo ss -lt

…by port number…

sudo ss -ltn

One of many introductions to the ‘ss’ command…

I keep seeing people report that they have open ports in the firewall using the YaST module and I think this is causing lots of issues.

Someone, please correct me if I am wrong, but the YaST module is only applicable to “SuSEfirewall2” and not “Firewalld”, which is now the default firewall on both Leap and Tumbleweed. As such, using YaST won’t do anything at all and you need to use “firewall-config” (alternatively from the KDE menu: system -> firewall). The really confusing thing is that the YaST module is loaded by default, it seems, at least on Tumbleweed and I think Leap 5.2, and people seem to use it because it’s there.

Firewalld can be managed using firewall-config (GUI) and firewall-cmd (CLI), but YaST also provides a basic configuration tool for firewalld as well.

The really confusing thing is that the YaST module is loaded by default it seems at least on Tumbleweed and I think Leap 5.2 and people seem to use it because it’s there.

Yes, it can be used for simple firewall configuration, but firewalld’s native tools are obviously more comprehensive.

Trying to clarify the confusion,
SuSEFW2 used to be the standard firewall tool,
Today, firewalld is the standard firewall tool.
When you launch the YaST firewall module, it redirects to whatever is the current standard firewall tool.

There are, of course, alternatives to SuSEFW2 and firewalld; both are simply GUI tools to make complex and difficult iptables and ebtables configurations, which are the most common way to block/enable network connections on Linux machines. There are command line versions of the graphical tools which are interchangeable. But there are other firewall configuration tools which can make and manipulate iptables and ebtables in other ways, and these should not be used interchangeably with the tools provided with openSUSE. If you use some other tool, stick with that tool only.

TSU

Both sshd and smb are disabled, inactive (dead). The ss command points out more key info:

ss -ltn
State    Recv-Q   Send-Q       Local Address:Port        Peer Address:Port   Process
LISTEN   0        5                127.0.0.1:631              0.0.0.0:*
LISTEN   0        999              127.0.0.1:31416            0.0.0.0:*
LISTEN   0        100              127.0.0.1:25               0.0.0.0:*
LISTEN   0        5                    [::1]:631                 [::]:*
LISTEN   0        100                  [::1]:25                  [::]:*

Port 22, the one I thought was open, is not.
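As an added example (not from this thread), here is a small POSIX shell script that reads "ss -ltn" output and reports, for a given port, whether nothing listens on it, only loopback listeners exist (which a LAN peer such as nmap can never reach), or a LAN-reachable listener exists. The sample output is constructed to resemble the listing above, with an extra wildcard-bound sshd line on port 22 added to show the "reachable" case; the function name port_state is my own.

```shell
#!/bin/sh
# Constructed sample of `ss -ltn` output, modelled on the listing in the thread
# (not captured from a real host); a wildcard-bound sshd line on port 22 is added.
SS_SAMPLE='State    Recv-Q   Send-Q       Local Address:Port        Peer Address:Port   Process
LISTEN   0        5                127.0.0.1:631              0.0.0.0:*
LISTEN   0        999              127.0.0.1:31416            0.0.0.0:*
LISTEN   0        100              127.0.0.1:25               0.0.0.0:*
LISTEN   0        128                0.0.0.0:22               0.0.0.0:*
LISTEN   0        5                    [::1]:631                 [::]:*
LISTEN   0        100                  [::1]:25                  [::]:*'

# port_state PORT [SS_OUTPUT]
# Prints one of:
#   absent    - no TCP listener on PORT at all (the sshd-not-running case)
#   loopback  - listeners exist but all bind 127.0.0.1 / ::1, so the LAN cannot reach them
#   reachable - at least one listener binds a wildcard or non-loopback address
# Uses SS_OUTPUT when given (for offline use); otherwise runs `ss -ltn` on this host.
port_state() {
  port=$1
  if [ -n "$2" ]; then out=$2; else out=$(ss -ltn); fi
  printf '%s\n' "$out" | awk -v p="$port" '
    $1 != "LISTEN" { next }               # skips the header and non-listening rows
    {
      addr = $4                           # Local Address:Port column
      n = split(addr, parts, ":")         # the port follows the last colon
      if (parts[n] != p) next
      host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
      gsub(/\[|\]/, "", host)             # [::1] -> ::1
      found = 1
      if (host != "127.0.0.1" && host != "::1") lan = 1
    }
    END {
      if (!found) print "absent"
      else if (lan) print "reachable"
      else print "loopback"
    }'
}

# Demonstration against the constructed sample: ssh (22), CUPS (631), SMB (445).
for p in 22 631 445; do
  printf 'port %s: %s\n' "$p" "$(port_state "$p" "$SS_SAMPLE")"
done
```

Run it with no second argument (port_state 22) to check the live host; a result of "absent" or "loopback" explains an nmap scan that shows the port closed even when the firewall zone allows it.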

This is because sshd is not active. It can be enabled and started immediately with

sudo systemctl --now enable sshd

I have a lot of reading to do to get an understanding of this. WOW! Is there a LOT of information from the ss commands! The first thing I have to do is get the gui for firewalld so I can visualize any changes I make. Using Yast to set up the firewall, I designated my default zone to be home. I set it to open port 22, on home, internal, external and other zones. Here is what these commands show:

firewall-cmd --get-default-zone
public

firewall-cmd --get-active-zones
docker
  interfaces: docker0
home
  interfaces: em1

firewall-cmd --list-all
You're performing an operation over default zone ('public'),
but your connections/interfaces are in zone 'docker,home' (see --get-active-zones)
You most likely need to use --zone=docker option.

public
  target: default
  icmp-block-inversion: no
  interfaces:  
  sources:  
  services: dhcpv6-client
  ports:  
  protocols:  
  forward: no
  masquerade: no
  forward-ports:  
  source-ports:  
  icmp-blocks:  
  rich rules: 
So, yast is not doing what I thought it was doing. Maybe this is at the heart of my problem with samba?

Similarly, the samba server (smb.service) can be enabled and started immediately with

sudo systemctl --now enable smb

and the NetBIOS name server (nmb.service) can be enabled and started immediately if desired with

sudo systemctl --now enable nmb

Of course, you must configure smb.conf to suit your requirements. Once again, I’ll share this link to a samba guide…
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server

Your firewall configuration does not show the home configuration. You need to run

firewall-cmd --list-all --zone=home

to get the current ‘home’ zone config.

Yes, I recommend installing ‘firewall-config’ (GUI firewall manager) with

sudo zypper in firewall-config

Make sure you understand the difference between runtime and permanent configuration as well…

What do you recommend for default zone? I have a few devices, including cell phone, that I access on my lan. But I have only a pc and laptop, not a big network as in a workplace.

The default ‘public’ zone should have sufficed. Just allow the services that you need.