Opening ports in the new YaST2 Firewall

It appears that in recent months or years, the YaST → Security and Users → Firewall menu has seen a remake. The new layout confuses me in how I can open ports for the firewall. Previously I clicked on Allowed Services, Advanced, and was able to add a TCP port there… now however there seems to be a new design based on zones.

The issue is that I don’t know which zone I should open a port in: My device appears in a zone called “default”, but that’s not an actual zone available in the drop-down list, thus it doesn’t tell me when a rule actually gets used or not. Also how do I separate those ports in the field (with spaces, commas, etc)? Thanks for the clarification.

Not a remake, but more a move to using firewalld as default (there are alternatives available).

The new layout confuses me in how I can open ports for the firewall. Previously I clicked on Allowed Services, Advanced, and was able to add a TCP port there… now however there seems to be a new design based on zones.

Yes, firewalld provides broad categories called zones (each configured to provide a level of trust). For most of us using one (or two) interfaces, it makes sense to stay with the defaults, each configured to allow specific services. The zones can be configured as you see fit.

The issue is that I don’t know which zone I should open a port in: My device appears in a zone called “default”, but that’s not an actual zone available in the drop-down list, thus it doesn’t tell me when a rule actually gets used or not.

The connected network interface is likely in the public zone. You can confirm that with

firewall-cmd --get-default-zone

If using multiplle interfaces and zones you can also do

firewall-cmd --get-active-zones

More comprehensive information can be got using

firewall-config --list-all

Also how do I separate those ports in the field (with spaces, commas, etc)? Thanks for the clarification.

Many of the common services can be enabled (permitted) in the GUI (firewall-config) by checking the appropriate service in the list of services. For adding ports numerically, just add one at a time, or a range eg ‘3000-4000’

The CLI command to allow port 5000 TCP would be

sudo firewall-cmd --zone=public --add-port=5000/tcp

Hope that helps.

More info

1 Like

One more thing to be aware of - The running firewall can be examined and configured on the fly, but you must remember to apply it to the permanent configuration so that the changes are not lost…

sudo firewall-cmd --runtime-to-permanent

Alternatively, make your changes in the ‘permanent’ mode and they’ll be applied the next time firewalld is started.

https://firewalld.org/documentation/configuration/runtime-versus-permanent.html

Hmmm. From the looks of it, I might not need to open up numerical ports any more, just the services. I see sshd is already somewhere on that list by default, ssh is one reason why I needed to open a port.

I also wish to add x11vnc however. But it doesn’t seem to be in the services list from which I could add it. I imagine the only option there is to add the port manually? Or can I still whitelist the process?

Yes, all the commonly used services are already defined for you to select. :wink:

I also wish to add x11vnc however. But it doesn’t seem to be in the services list from which I could add it. I imagine the only option there is to add the port manually? Or can I still whitelist the process?

Choose the ‘vnc-server’ service.

Oh… will it apply to any other VNC service? I use x11vnc specifically so I was expecting to see that name there. Will test how this works tomorrow, thanks.

I wonder what my options are if I ever need to whitelist a custom process however. For instance I used to run an OpenSim (Second Life) server several years ago, which required special ports to be opened… in cases like those is it possible to define custom entries?

Well, that’s just one implementation using VNC, and typically using port 5900+N. Firewalld caters for a few additional ports - the VNC protocol normally uses port 59xx, where xx is the display number of the server. You could choose to just allow port 5900 I guess if only one active X-server display.

Oh… I customize my VNC port though. Sounds like I’ll need to add the numbers directly.

I’m not familiar with OpenSim, but in general terms, if it requires particular port ranges then yes it can be configured as necessary. Linux firewalls are usually designed around firewall rules to allow or deny particular traffic by packet filtering, not controlling processes/applications as such.

Yes, that’s the easiest option, although it is possible to add a custom service if you prefer…

As you can see firewalld is very flexible.

My device appears in a zone called “default”, but that’s not an actual zone available in the drop-down list, thus it doesn’t tell me when a rule actually gets used or not.

There is a View option “Active Bindings” which will add a column shown the zone be used for each connection. In my case they both shown “Default Zone: home”. There is a status bar at the bottom that also displays that information.

The Options menu will allow you to change the zone assigned to default and the zones assigned to a connection. You can also do the “Runtime to Permanent” setting here. If you are sure of the setting you are making and don’t need to test it, you can use the Configuration pulldown to select Permanent instead of Runtime.

Oh… I customize my VNC port though. Sounds like I’ll need to add the numbers directly.

If you are using custom service settings, you can select the tab “Services”, the select a service, vnc-server for example, and then change the Ports setting there rather than add in your custom settings.

They have done a really good job in the setup of this dialog for those of us that don’t change settings offten enough to remember the command line options without Google :slight_smile:

Problem solved, thanks for the responses. I added both the SSH and VNC services to the allowed list of my zone, but also opened up the ports to be safe it will work. I can now use both just fine between my home computers with the firewall turned on.

Good result. :slight_smile: