Question about understanding services in pre-defined zones in firewalld.

I understand that the predefined zones are set up xml files so for example I have:-

alastair@localhost:~> sudo cat /usr/lib/firewalld/zones/internal.xml 
<?xml version="1.0" encoding="utf-8"?> 
<zone> 
  <short>Internal</short> 
  <description>For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.</description> 
  <service name="ssh"/> 
  <service name="mdns"/> 
  <service name="samba-client"/> 
  <service name="dhcpv6-client"/> 
  <forward/> 
</zone> 
alastair@localhost:~> 

So I have set up my connection using the preset “internal” and my connection looks like this:-

alastair@localhost:~> firewall-cmd --get-zone-of-interface=wlp3s0            
internal 
alastair@localhost:~> 


Looks OK to me but when I check out the services I get:-

alastair@localhost:~> sudo firewall-cmd --list-all --zone=internal   
[sudo] password for root:  
internal (active) 
  target: default 
  icmp-block-inversion: no 
  interfaces: wlp3s0 
  sources:  
  services:  
  ports: 1900/udp 9790/tcp 9791/tcp 
  protocols:  
  forward: no 
  masquerade: no 
  forward-ports:  
  source-ports:  
  icmp-blocks:  
  rich rules:  
alastair@localhost:~> 



The odd ports are left over from previous tests but where have all the preset services gone?
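An added example, not code from this thread: a small Python checker that parses a zone definition file (the internal.xml format shown above) and the runtime output of firewall-cmd --list-all --zone=internal, then reports where the two disagree. Two firewalld facts it relies on: --list-all without --permanent prints the runtime state, not the saved definition, and a copy of the zone file under /etc/firewalld/zones overrides the packaged one under /usr/lib/firewalld/zones. The two inputs below are constructed from the listings in the post; in real use you would read the zone file from disk and capture the command output instead.

```python
"""Report drift between a firewalld zone definition (XML) and the runtime
state printed by `firewall-cmd --list-all --zone=<zone>`.

Added example; the two sample inputs are constructed from the listings
in the thread, not captured from a live system.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the packaged internal.xml as shown in the post.
ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Internal</short>
  <description>For use on internal networks.</description>
  <service name="ssh"/>
  <service name="mdns"/>
  <service name="samba-client"/>
  <service name="dhcpv6-client"/>
  <forward/>
</zone>
"""

# Constructed sample: runtime output as pasted in the post.
LIST_ALL_OUTPUT = """internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: wlp3s0
  sources:
  services:
  ports: 1900/udp 9790/tcp 9791/tcp
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""


def parse_zone_xml(text):
    """Extract services, ports and the forward flag from a zone XML file."""
    root = ET.fromstring(text)
    return {
        "services": {s.get("name") for s in root.findall("service")},
        "ports": {
            f"{p.get('port')}/{p.get('protocol')}" for p in root.findall("port")
        },
        "forward": root.find("forward") is not None,
    }


def parse_list_all(text):
    """Turn the 'key: value value ...' lines of --list-all into sets."""
    fields = {}
    for line in text.splitlines()[1:]:  # first line is "<zone> (active)"
        if ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        fields[key.strip()] = value.split()
    return {
        "services": set(fields.get("services", [])),
        "ports": set(fields.get("ports", [])),
        "forward": fields.get("forward", ["no"]) == ["yes"],
    }


def zone_drift(defined, runtime):
    """Compare definition against runtime; empty lists / False mean no drift."""
    return {
        "missing_services": sorted(defined["services"] - runtime["services"]),
        "extra_services": sorted(runtime["services"] - defined["services"]),
        "missing_ports": sorted(defined["ports"] - runtime["ports"]),
        "extra_ports": sorted(runtime["ports"] - defined["ports"]),
        "forward_mismatch": defined["forward"] != runtime["forward"],
    }


def check_samples():
    """Run the comparison on the constructed inputs."""
    return zone_drift(parse_zone_xml(ZONE_XML), parse_list_all(LIST_ALL_OUTPUT))


if __name__ == "__main__":
    for name, value in check_samples().items():
        print(f"{name}: {value}")
```

On the thread's own listings the checker flags all four packaged services as missing at runtime, three ports present that the definition never mentions, and a forward-flag mismatch, which is exactly the drift the poster noticed. A sensible follow-up on a real host is to run the same comparison against firewall-cmd --list-all --permanent, which shows the saved configuration rather than the live one.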

I slightly edited the title, so people get an idea about what the subject is.

Hi Henk, many thanks for clarifying. Having real problems here. I feel I have wasted too much time with YaST2 and should just stay with cli.
Regards,

The more reason to use some effort in formulating your thread title and your thread contents. That really influences the quality of the help you might get.

Well the help I can offer isn’t exactly first-rate, but hopefully it’ll be enough to push you over the line. If I remember correctly, firewalld stores configuration data in two (possibly more?) separate locations, and uses some mechanism I can’t quite remember to try to keep it all synchronised. After reading a little bit about managing firewalld’s configuration files under openSUSE, I knew enough to know that I probably shouldn’t bother trying, so I decided to learn a little bit about using firewalld’s cli, so that I didn’t have to worry about using YaST or the permanent configuration files.

I made a simple little script for defining firewall services so that I could just give service definitions to firewalld, so that it can put the definitions wherever they belong. Unfortunately, I can only find a very primitive version of it which has all of the information hard-coded into the script, but it should still be better than nothing. Just replace the ???'s with whatever you need and run the script, and firewalld will put the configuration files wherever they’re supposed to go. Here’s the version I found. It’s only a few lines long as it is.

#!/bin/bash
# Stop at the first failing firewall-cmd call instead of continuing
# with a half-defined service.
set -e
# Create a new permanent service definition (name goes in place of ???).
firewall-cmd --permanent --new-service="???"
firewall-cmd --permanent --service="???" --set-description="???"
firewall-cmd --permanent --service="???" --set-short="???"
# One --add-port line per port/protocol the service needs.
firewall-cmd --permanent --service="???" --add-port="???/tcp"
firewall-cmd --permanent --service="???" --add-port="???/udp"
# Allow the new service in the chosen zone (here: public).
firewall-cmd --permanent --zone="public" --add-service="???"
# Load the permanent configuration into the running firewall.
firewall-cmd --reload
exit 0

Just add as many (or as few) lines of --add-port= for the port number and protocol as you need. For example


firewall-cmd --permanent --service="???" --add-port="1776/udp"

Hi Ray,
Many thanks. I think I am there now but on the way had some difficulties.

I had the understanding that the YaST2 choices were preconfigured but editable. From the descriptions however it is quite difficult to discriminate between for example home, internal and work and even more difficult when any presets have evaporated. Not the clearest documentation in my view.
Thanks for the suggestions which were helpful.
Budge

For years now, I’ve had the impression that after integrating new software and/or features and then ensuring their reliability, there just isn’t enough time left over to expose any configuration changes to users through YaST. I haven’t had a look at firewall service management through YaST, but it could be the case that some change has been made to firewalld which YaST has not yet been updated to take account of.