<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 25 February 2016 at 11:48, Timothy Murphy <span dir="ltr"><<a href="mailto:gayleard@eircom.net" target="_blank">gayleard@eircom.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span class="">Richard Shaw wrote:<br>
<br>
> On Tue, Feb 23, 2016 at 7:31 AM, Timothy Murphy <<a href="mailto:gayleard@eircom.net">gayleard@eircom.net</a>><br>
> wrote:<br>
><br>
>> I see that I have to open ports 1714-1764, TCP and UDP.<br>
>> I'm running firewalld on the laptop.<br>
>> I give the command "firewall-config" and authenticate.<br>
>> Clicking on zone "internal" I see that kde-connect is ticked.<br>
>> And when I go to Ports I see that ports 1714-1764 are listed, TCP and<br>
>> UDP. And all this remains set if I reboot.<br>
<br>
<br>
> Let's try the simple stuff first... Is your default zone for your network<br>
> connection also "internal"?<br>
<br>
</span>Thank you very much.<br>
That was indeed the issue.<br>
After changing the default zone to "internal" everything works fine.<br>
<br></blockquote><div><br></div><div>I'm still curious about this ... if you look at the underlying iptables rules with iptables -vnL you'll see traffic on localhost is ALLOW before any zone stuff is checked:</div><div><br></div><div><div>Chain INPUT (policy ACCEPT 0 packets, 0 bytes)</div><div> pkts bytes target prot opt in out source destination </div><div> 0 0 ACCEPT udp -- virbr0 * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> udp dpt:53</div><div> 0 0 ACCEPT tcp -- virbr0 * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> tcp dpt:53</div><div> 0 0 ACCEPT udp -- virbr0 * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> udp dpt:67</div><div> 0 0 ACCEPT tcp -- virbr0 * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> tcp dpt:67</div><div> 134K 104M ACCEPT all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> ctstate RELATED,ESTABLISHED</div><div> 5 300 ACCEPT all -- lo * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div> 679 201K INPUT_direct all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div> 679 201K INPUT_ZONES_SOURCE all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div> 679 201K INPUT_ZONES all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div> 0 0 ACCEPT icmp -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div> 1 40 DROP all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> ctstate INVALID</div><div> 498 158K REJECT all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> reject-with icmp-host-prohibited</div></div><div><br></div><div>In fact if you firewall-cmd --list-interfaces you'll see that lo is not bound to any zone (which is sensible given the policy above... otherwise it'd be misleading as zone would never be jumped to for it).</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
But I don't understand the reasoning behind this.<br>
This use of the term "zone" seems to me misleading and bizarre.<br>
I run shorewall on my home server, and there the "zone"<br>
can be "net", "local", etc.<br>
Any changes made to a particular zone come into effect<br>
on restarting shorewall.<br>
It would not make sense in this context to choose a "default zone".<br>
<br></blockquote><div><br></div><div>I've always hated the term "zone" in firewalld - it's very misleading given how it's used elsewhere and the default zones that you can't remove make it worse.</div><div><br></div><div>I did go into detail on it here though that may help: <a href="https://www.hogarthuk.com/?q=node/9">https://www.hogarthuk.com/?q=node/9</a></div><div><br></div><div>The short of it is the zone name is a label and most of the zones are not in use and will rarely if ever be in use in most installs.</div><div><br></div><div>You can apply rules to that label (and they will not be persistent unless --permanent is used, in which case runtime won't be affected, or the runtime is persisted with --runtime-to-permanent) and that label can be bound to an interface or to a source network address.</div><div><br></div><div>In addition NetworkManager can be configured to apply a zone to a connection profile so you could have work always use the 'work' and $cafe use 'public' based on their different connection profiles (based on SSID).</div><div><br></div><div>The 'default' zone is just the rules used if no other zones have configurations that match that interface or source network.</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
Incidentally, restarting firewalld does not seem to me to work properly,<br>
as a window comes up asking for authentication.<br>
I don't recall any other service requiring this,<br>
and it would seem to prevent remote restarting.<br>
<div class=""><div class="h5"><br>
<br>
<br></div></div></blockquote><div><br></div><div></div></div>This is the polkit configuration for it. Again I go into detail on the blog article but the default configuration is that if not root it requests admin credentials to reload (or even view some stuff).</div><div class="gmail_extra"><br></div><div class="gmail_extra">Keep in mind the polkit policy for firewall-cmd --reload behaviour is distinct and separate from a systemd polkit policy limiting systemctl <action> <unit> to admin users.</div><div class="gmail_extra"><br></div><div class="gmail_extra">In terms of remote restarting polkit will only use a GUI prompt if a display is detected, otherwise it'll have a text based authentication interaction.. and again this is only if not root.</div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div></div>