Yast firewall doesn't respect interface selected

Hi,
like in the title. Default interface is public. I changed my wifi (wlan0) to home interface. I want to use gsconnect and I need to open ports for it to see my device. The thing is if I added kdeconnect in the home interface it should start working. But instead nothing happens. Only when I add kdeconnect to public interface it starts seeing my devices. When on home interface (selected for wlan0) there is not added kdeconnect, but added for public, it sees my devices.

Am I missing something? It should be that when assigned specific interface to device and changing settings in that interface, the changes should be reflected on the device. It seems like no matter to which interface I assign settings, it only works for public.
If it’s a bug I’ll submit report but I need to be sure it’s not intended behavior.

You confuse “device”, “interface” and “zone” which makes it near to impossible to understand what you mean.

The thing is if I added kdeconnect in the home interface it should start working.

We can guess that “kdeconnect” refers to firewalld service, but this is just a guess.

But instead nothing happens. Only when I add kdeconnect to public interface it starts seeing my devices.

We have no information about your configuration. Which interfaces are there? Which zones are associated with these interfaces? Copy and paste the full protocol of executing

firewall-cmd --list-all-zones

If it is too long, upload to https://susepaste.org/

Yeah sorry, I’m green in this field so I grouped these things by accident. I’ll try to clear this up. My device is wlan0, which I created during installation process to connect to my wifi. I use tumbleweed newest snapshot with GNOME.
My default zone is public. I changed zone for wlan0 to home using yast firewall. While creating firewall-cmd log I saw that there is another device: wlo1 that is on public zone. It doesn’t show up in yast firewall. Maybe it’s used as device for wifi?
Here’s log: https://susepaste.org/49208407

Show output of “ip l” and “ip a”. Also, are you using wicked or NetworkManager?

Now it all makes sense. Thanks for helping!

I didn’t change anything after installing gnome so it defaulted to NetworkManager. NetworkManager created their own device: wlo1 to manage my wifi card.
When entering yast network settings module, it showed me that Yast doesn’t have access to some config options. But behind this message I can see:


Name                                                     │IP Address    │Device│Note
RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller│Not configured│eno1  │    
Wi-Fi 6 AX200                                            │Not configured│wlo1  │    
wlan0                                                    │DHCP          │wlan0 │    

So now I know why it wouldn’t work.


ip l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eno1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
    link/ether 6c:02:e0:73:d6:52 brd ff:ff:ff:ff:ff:ff
    altname enp2s0
3: wlo1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000
    link/ether 84:1b:77:59:17:3f brd ff:ff:ff:ff:ff:ff
    altname wlp3s0


ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eno1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 6c:02:e0:73:d6:52 brd ff:ff:ff:ff:ff:ff
    altname enp2s0
3: wlo1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 84:1b:77:59:17:3f brd ff:ff:ff:ff:ff:ff
    altname wlp3s0
    inet 192.168.1.91/24 brd 192.168.1.255 scope global dynamic noprefixroute wlo1
       valid_lft 84579sec preferred_lft 84579sec
    inet6 fe80::e2a9:18be:5b2e:fffa/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

I think you are still confused. When YaST shows you that NetworkManager is used, then there is not much to do for YaST anymore. And thus most of the configuring there is blocked/greyed out.

YaST Firewall module seems to ignore devices that are under NetworkManager control. Assuming you are using NetworkManager, you can define firewalld zone as connection property. This option is not exposed by GNOME standard GUI client, but can be added using nmcli, nmtui, nm-connection-editor or editing connection definition file directly.

It is unclear what you did. I would expect installer to generate NetworkManager connection profile based on settings during installation, at least if you selected NetworkManager as default. Show output of “nmcli device” and “nmcli connection”.

Firewall settings do not depend on whether wicked or NM is used. Do you imply that with NetworkManager one should not use YaST at all? For any task?

As he mentioned " … entering yast network settings module …", I was commenting on YaST > Network > Network Settings. Not on any firewall tool.

When installing opensuse tumbleweed I only changed hostname. The rest remained the default. When checking if I could change to wicked I stumbled upon this thread.
There I found info that wicked was deprecated for new opensuse tumbleweed installations and it will use NetworkManager by default. This aligns perfectly with my situation as NetworkManager is installed by default and wicked is not found on the system.

Here’s requested logs:


DEVICE        TYPE      STATE         CONNECTION 
wlo1          wifi      connected     ASUS       
p2p-dev-wlo1  wifi-p2p  disconnected  --         
eno1          ethernet  unavailable   --         
lo            loopback  unmanaged     --         


NAME                     UUID                                  TYPE      DEVICE 
ASUS                     02f549c2-4665-4736-9224-cde0ce8a9a8c  wifi      wlo1   
Połączenie przewodowe 1  2b102c32-6675-379e-ae93-b03a4aeb130c  ethernet  --     
wlan0                    e9d63b0a-d900-3eb7-93ef-3f621fbbd4cc  wifi      --     

Like everyone here said, changing zone for the device wlan0 didn’t do anything because that device isn’t used for connection. wlo1 is used, which is managed by NetworkManager, and because of that it didn’t show up in Yast firewall.

So now I have three options:

  • change backend to wicked and it will work as I thought it would
  • use other cli tool for networkmanager configuration to change wlo1 to zone I want
  • change default zone to home and it will work, because wlo1 uses default zone

Or I could just leave it as it is right now, where ports for kdeconnect are open on public zone. It also seems to be the way recommended by wiki.

We can guess that “kdeconnect” refers to firewalld service, but this is just a guess.

Forgot to answer that. It’s an app that lets you connect phone with computer and have tight integration between them. But in order for it to work it needs to have open ports in firewall as it works over wifi. Yast firewall has it listed as one of the options to quickly add.

No, that was wrong. YaST firewall module shows only those interfaces that are known to wicked (i.e. have corresponding /etc/sysconfig/network/ifcfg-XXX file).

Now given that a) NetworkManager is default on new installation and b) wicked is deprecated this certainly can be considered a bug in YaST. And not a new one …

https://bugzilla.opensuse.org/show_bug.cgi?id=899330

When you are asked to post command output, always paste the full command invocation and subsequent prompt. Only this way can we be sure what command produced this output and that this output is complete.

Anyway - you have connection wlan0 which matches your “missing” interface name. Installer creates both wicked interface configuration and NetworkManager connection profile with the same settings as have been used during installation. As far as I can tell, for NetworkManager installer also restricts this connection profile to the specific interface name, which explains why “wlan0” connection did not work (because this interface name does not exist). Could you show

cat /etc/sysconfig/network/ifcfg-wlan0
nmcli connection show wlan0

So the only open question here is - why interface name in installer was different. I briefly tested it with current TW 20220603 using wired interface in QEMU, but I cannot reproduce it - resulting connection profile matches interface name.

So now I have three options:

You can also use native firewalld tools including firewall-config GUI. Nothing forces you to use YaST. Actually YaST firewalld module is relatively new, and initially it simply launched firewall-config directly.

It also seems to be the way recommended by wiki.

This “recommendation” was written by someone who was just as confused about firewalld as you are. Of course anyone is free to use any zone for any purpose, but established meaning of “public” zone is untrusted environment like public hotspot, so only absolutely necessary ports are opened. Personally I do not think kdeconnect falls into this category.

As NetworkManager sets firewalld zone per connection profile (not per interface) this allows you to define your home AP as trusted (e.g. “home” zone) and leave any other AP as default (normally “public”). Which is far better than statically adding specific wireless interface to a zone.
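
An added example, not part of the original posts: a shell sketch that finds which zone actually filters a NetworkManager profile's traffic, plus the commands to bind the profile to a zone and move a service there. The sample command output is constructed to match this thread (profile ASUS on wlo1, zone changed only for the non-existent wlan0); the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `firewall-cmd --get-active-zones`; newer firewalld
# versions may append "(default)" to the zone name.
SAMPLE_ACTIVE_ZONES='home
  interfaces: wlan0
public (default)
  interfaces: wlo1'

# Constructed sample of `nmcli -t -f NAME,DEVICE connection show --active`.
SAMPLE_ACTIVE_PROFILES='ASUS:wlo1'

# Print the zone an interface is bound to; reads get-active-zones text on stdin.
zone_of_iface() {
    awk -v ifc="$1" '
        /^[^ \t]/ { zone = $1; next }    # unindented line = zone header
        $1 == "interfaces:" {
            for (i = 2; i <= NF; i++) if ($i == ifc) { print zone; exit }
        }'
}

# Print the device a profile is active on; reads terse nmcli text on stdin.
# Assumes the profile name contains no ":" (nmcli -t escapes those).
device_of_profile() {
    awk -F: -v p="$1" '$1 == p { print $2; exit }'
}

# Zone that really applies to a profile: profile -> live device -> zone.
profile_zone() {    # $1 profile, $2 nmcli text, $3 firewall-cmd text
    dev=$(printf '%s\n' "$2" | device_of_profile "$1")
    [ -n "$dev" ] && printf '%s\n' "$3" | zone_of_iface "$dev"
}

# Bind the profile (not the interface) to a zone and move a service out of
# "public" into it. Needs root, NetworkManager and firewalld; defined here
# but not called by this example.
move_service_to_profile_zone() {    # $1 profile, $2 zone, $3 service
    nmcli connection modify "$1" connection.zone "$2" &&
    nmcli connection up "$1" &&
    firewall-cmd --permanent --zone="$2" --add-service="$3" &&
    firewall-cmd --permanent --zone=public --remove-service="$3" &&
    firewall-cmd --reload
}
```

On a live system, feed the real output instead of the samples, e.g. `profile_zone ASUS "$(nmcli -t -f NAME,DEVICE connection show --active)" "$(firewall-cmd --get-active-zones)"`, and run `move_service_to_profile_zone ASUS home kdeconnect` only on the home access point's profile.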


cat /etc/sysconfig/network/ifcfg-wlan0

BOOTPROTO='dhcp'
STARTMODE='hotplug'
WIRELESS_ESSID='ASUS'
WIRELESS_AUTH_MODE='psk'
WIRELESS_MODE='managed'
WIRELESS_WPA_PSK='[hidden]'
WIRELESS_AP_SCANMODE='1'
WIRELESS_NWID=''
ZONE=home

nmcli connection show wlan0:
https://susepaste.org/38622192

So the only open question here is - why interface name in installer was different.

It’s strange as every other linux distribution with NetworkManager I tried always set up my wifi device as wlan0. Only here NetworkManager set it as wlo1. Maybe it didn’t use it as it saw wlan0 as taken by something else.
But that’s most likely not true as in your tests it was read and used without any problem.

As expected:

connection.interface-name:              wlan0