NOMACHINE - FIREWALL configuration

Hello.
I need help configuring the firewall to let NoMachine connect between two computers.
Installed software: Free NoMachine nomachine_7.1.3_1_x86_64.rpm
Port 4000 UDP and TCP is open.
I have not found a service called nx on the firewall.

I have configured the correct SSH port I use, as it is not port 22. It should not be used, as only the NX protocol is used for the free version of NoMachine AFAIK.

If I stop the firewall on each computer I can connect between each other.

I had no problem some time ago with NoMachine 5 on Leap 42.3.

Any help is welcome.

Hi
Drop the firewall on one machine; from the other, run nmap to see what ports are open and running the nx service.

Okay, here we go.

On computer 1 reading computer 2

ASUS:~ # nmap -sV --version-all --allports 192.168.130.123
Starting Nmap 7.70 ( https://nmap.org ) at 2021-02-05 15:18 CET
Nmap scan report for MY-SERVER.xxxxxxxxx.nwk (192.168.130.123)
Host is up (0.00013s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE      VERSION
4000/tcp open  nomachine-nx NoMachine NX Server remote desktop 7.1.3
MAC Address: 78:24:AF:8C:16:88 (Asustek Computer)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.15 seconds

On computer 2 reading computer 1

user_install@MY-SERVER:~> nmap -sV --version-all --allports 192.168.130.60
Starting Nmap 7.70 ( https://nmap.org ) at 2021-02-05 15:15 CET
Nmap scan report for ASUS.xxxxxxxx.nwk (192.168.130.60)
Host is up (0.00011s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE      VERSION
4000/tcp open  nomachine-nx NoMachine NX Server remote desktop 7.1.3

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.59 seconds

Note: the MAC address is not shown.

Now with the firewall running on both computers:
On computer 1 reading computer 2

ASUS-G731GV-JC:~ # nmap -sV --version-all --allports 192.168.130.123
Starting Nmap 7.70 ( https://nmap.org ) at 2021-02-05 15:40 CET
Nmap scan report for MY-SERVER-LINUX.troll-hathor.nwk (192.168.130.123)
Host is up (0.00028s latency).
Not shown: 998 filtered ports
PORT     STATE  SERVICE  VERSION
22/tcp   closed ssh
8200/tcp closed trivnet1
MAC Address: 78:24:AF:8C:16:88 (Asustek Computer)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.75 seconds

On computer 2 reading computer 1

user_install@MY-SERVER-LINUX:~> nmap -sV --version-all --allports 192.168.130.60
Starting Nmap 7.70 ( https://nmap.org ) at 2021-02-05 15:33 CET
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.15 seconds

With the suggested parameter:

user_install@MY-SERVER-LINUX:~> nmap -Pn -sV --version-all --allports 192.168.130.60
Starting Nmap 7.70 ( https://nmap.org ) at 2021-02-05 15:33 CET
Nmap scan report for ASUS-G731GV-JC.troll-hathor.nwk (192.168.130.60)
Host is up (0.81s latency).
Not shown: 998 filtered ports
PORT     STATE  SERVICE  VERSION
22/tcp   closed ssh
8200/tcp closed trivnet1

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.55 seconds

Any comments are welcome.

Hi
So is the NoMachine connection made as well? As in, computer 1 is the client and computer 2 is the host. Drop the firewall on computer 2 and connect from computer 1, then run nmap from computer 1 and computer 2. AFAIK it's an on-demand service, so it needs to have a connection…

PS: The firewalls are configured with the configuration set during the Leap install.
The only modification made is opening port 4000.
The firewall is in the home state.

Hi
The firewall needs to be off to test; it's the only way to figure out the port assignments, i.e. what is doing what.

computer 1 connect to 2
==========================
Firewall running on computer 1
Firewall stopped on computer 2
Connection to computer 2 ok

nmap on computer 1
------------------
ASUS:~ # nmap -sV --version-all --allports 192.168.130.123
Starting Nmap 7.70 ( https://nmap.org ) at 2021-02-05 16:56 CET
Nmap scan report for MY-SERVER.xxxxxxxxxxx.nwk (192.168.130.123)
Host is up (0.00012s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE      VERSION
4000/tcp open  nomachine-nx NoMachine NX Server remote desktop 7.1.3
MAC Address: 78:24:AF:xx:xx:xx (Asustek Computer)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.26 seconds

nmap on computer 2
------------------
MY-SERVER:~ # nmap -sV --version-all --allports 192.168.130.60
Starting Nmap 7.70 ( https://nmap.org ) at 2021-02-05 16:59 CET
Nmap scan report for ASUS.xxxxxxxxxxx.nwk (192.168.130.60)
Host is up (0.00022s latency).
Not shown: 998 filtered ports
PORT     STATE  SERVICE  VERSION
22/tcp   closed ssh
8200/tcp closed trivnet1
MAC Address: 04:D4:C4:xx:xx:xx (Unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.72 seconds

computer 2 connect to 1
==========================
Firewall running on computer 2
Firewall stopped on computer 1
Connection to computer 1 ok

nmap on computer 2
------------------
MY-SERVER:~ # nmap -sV --version-all --allports 192.168.130.60
Starting Nmap 7.70 ( https://nmap.org ) at 2021-02-05 17:27 CET
Nmap scan report for ASUS.xxxxxxxxxxx.nwk (192.168.130.60)
Host is up (0.00023s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE      VERSION
4000/tcp open  nomachine-nx NoMachine NX Server remote desktop 7.1.3
MAC Address: 04:D4:C4:xx:xx:xx (Unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.12 seconds


nmap on computer 1
------------------
ASUS:~ # nmap -sV --version-all --allports 192.168.130.123
Starting Nmap 7.70 ( https://nmap.org ) at 2021-02-05 17:29 CET
Nmap scan report for MY-SERVER.xxxxxxxxxxx.nwk (192.168.130.123)
Host is up (0.00024s latency).
Not shown: 998 filtered ports
PORT     STATE  SERVICE  VERSION
22/tcp   closed ssh
8200/tcp closed trivnet1
MAC Address: 78:24:AF:xx:xx:xx (Asustek Computer)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.85 seconds

It seems that there is a problem with the firewall config.
Same message on the two computers:

ASUS:~ # systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-02-05 17:48:55 CET; 1min 36s ago
     Docs: man:firewalld(1)
 Main PID: 11870 (firewalld)
    Tasks: 2
   CGroup: /system.slice/firewalld.service
           └─11870 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid

Feb 05 17:48:55 ASUS systemd[1]: Starting firewalld - dynamic firewall daemon...
Feb 05 17:48:55 ASUS systemd[1]: Started firewalld - dynamic firewall daemon.
Feb 05 17:48:55 ASUS firewalld[11870]: WARNING: ip6tables not usable, disabling IPv6 firewall.
Feb 05 17:48:56 ASUS firewalld[11870]: WARNING: internal: ZONE_CONFLICT: 'eth0' already bound to a zone

Indeed, eth0 is assigned to zone internal and to zone home,
and zone internal is ticked as default.


Interfaces:

  device   zone   name
  eth0     home

Zones:

  name       interface   default
  block
  dmz
  drop
  external
  home       eth0
  internal   eth0        x
  public
  work

Opening port 4000 on UDP and TCP in the internal zone permits the connection with the firewall running.

I have removed

<interface name="eth0"/>

from the configuration file /etc/firewalld/zones/internal.xml.
No more errors.
Is it OK?

Thank you for your help.
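The root cause in this thread is an interface listed in two zone files at once (eth0 in both home.xml and internal.xml), which is what firewalld reports as ZONE_CONFLICT and which makes it ambiguous which zone's rules, and therefore which opened ports, apply to eth0's traffic. The script below is an added example, not code from the thread or from firewalld itself: it scans a zone directory for interfaces bound to more than one zone and prints (never runs) the firewall-cmd commands that leave the interface in a single zone with port 4000 open there. It assumes zone files live under /etc/firewalld/zones and bind interfaces with `<interface name="..."/>` elements, as the quoted internal.xml does; the zone to keep (home) and the port (4000) are this example's own parameters, and the demo zone files it falls back to are constructed to mirror the poster's configuration.

```shell
#!/bin/sh
# Added example, not code from the thread or from firewalld: find a network
# interface that is listed in more than one firewalld zone file (the cause of
# the "ZONE_CONFLICT: 'eth0' already bound to a zone" warning) and print the
# firewall-cmd commands that leave it in exactly one zone with port 4000 open.
# Assumptions: zone files live in ZONE_DIR and bind interfaces with
# <interface name="..."/>; KEEP_ZONE and PORT are this example's parameters.

ZONE_DIR="${ZONE_DIR:-/etc/firewalld/zones}"
KEEP_ZONE="${KEEP_ZONE:-home}"   # assumption: keep eth0 in "home", as the poster did
PORT="${PORT:-4000}"             # NoMachine NX listens on 4000/tcp (and udp)

# Print "zone interface" pairs found in every *.xml file of a zone directory.
zone_bindings() {
    dir="$1"
    for f in "$dir"/*.xml; do
        [ -e "$f" ] || continue
        zone=$(basename "$f" .xml)
        sed -n 's/.*<interface name="\([^"]*\)".*/\1/p' "$f" |
        while read -r iface; do
            printf '%s %s\n' "$zone" "$iface"
        done
    done
}

# Print one line "iface zone1,zone2,..." for every interface bound to more than
# one zone. Exit status is 1 when at least one conflict exists, 0 otherwise.
find_zone_conflicts() {
    zone_bindings "$1" | awk '
        {
            if ($2 in zones) zones[$2] = zones[$2] "," $1; else zones[$2] = $1
            count[$2]++
        }
        END {
            rc = 0
            for (i in count) if (count[i] > 1) { print i, zones[i]; rc = 1 }
            exit rc
        }'
}

# Print (do not run) the commands that unbind the interface from every zone
# except $keep, open the port there, reload, and list the zone for verification.
remediation_commands() {
    iface="$1"; zones="$2"; keep="$3"; port="$4"
    echo "$zones" | tr ',' '\n' | while read -r z; do
        [ "$z" = "$keep" ] && continue
        printf 'firewall-cmd --permanent --zone=%s --remove-interface=%s\n' "$z" "$iface"
    done
    printf 'firewall-cmd --permanent --zone=%s --add-port=%s/tcp\n' "$keep" "$port"
    printf 'firewall-cmd --permanent --zone=%s --add-port=%s/udp\n' "$keep" "$port"
    echo 'firewall-cmd --reload'
    printf 'firewall-cmd --zone=%s --list-all\n' "$keep"
}

# Constructed zone files mirroring the thread: eth0 in both home and internal,
# port 4000 opened in only one of them, so whether the rule applies depends on
# which zone wins the binding, which is exactly what the conflict warning flags.
make_demo_dir() {
    d=$(mktemp -d)
    cat > "$d/home.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Home</short>
  <interface name="eth0"/>
  <port protocol="tcp" port="4000"/>
  <port protocol="udp" port="4000"/>
</zone>
EOF
    cat > "$d/internal.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Internal</short>
  <interface name="eth0"/>
</zone>
EOF
    echo "$d"
}

main() {
    dir="${1:-}"
    if [ -z "$dir" ] || [ ! -d "$dir" ]; then
        dir=$(make_demo_dir)
        echo "# no zone directory given or found; using constructed files in $dir"
    fi
    conflicts=$(find_zone_conflicts "$dir") || true
    if [ -z "$conflicts" ]; then
        echo "# no interface is bound to more than one zone in $dir"
        return 0
    fi
    echo "$conflicts" | while read -r iface zones; do
        echo "# $iface is bound to zones: $zones"
        remediation_commands "$iface" "$zones" "$KEEP_ZONE" "$PORT"
    done
}

main "${1:-$ZONE_DIR}"
```

Run it with no arguments on a machine without firewalld and it works on the constructed files; on a Leap box run it against /etc/firewalld/zones and review the printed commands before executing any of them. Two checks are worth doing first: `firewall-cmd --get-active-zones` and `firewall-cmd --get-zone-of-interface=eth0` show the binding the running daemon actually uses, and that binding can also come from the network configuration (the connection.zone property in NetworkManager, or ZONE= in the ifcfg file under wicked) rather than from the zone XML, so confirm where the stray assignment comes from before editing a file by hand. Opening 4000/tcp and 4000/udp only in the zone that is really bound to eth0 is the least-privilege end state; a port left open in a zone no interface uses does nothing, but it makes the next audit harder to read.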