Running Fedora 36 Workstation, I have the firewall config pretty much as I want in terms of zones/ports etc. One thing though, for which I can't find out whether it's intentional or not ...
The firewall acts as though it defaults to blocking everything unless I'm logged in (on the desktop, or via SSH), but that means I can't first log on via SSH until after I've logged onto the desktop, and then I can't log out from the desktop, otherwise I can't get logged back in via SSH.
If it should be like that, I'm quite surprised I can't see an option to make the rules apply regardless of whether I'm logged in?
Thanks for any answers ...
On Mon, Oct 24, 2022 at 06:54:43PM -0000, Andy Burns wrote:
> Running Fedora 36 Workstation, I have the firewall config pretty much as I want in terms of zones/ports etc. One thing though, for which I can't find out whether it's intentional or not ...
> The firewall acts as though it defaults to blocking everything unless I'm logged in (on the desktop, or via SSH), but that means I can't first log on via SSH until after I've logged onto the desktop, and then I can't log out from the desktop, otherwise I can't get logged back in via SSH.
> If it should be like that, I'm quite surprised I can't see an option to make the rules apply regardless of whether I'm logged in?
Your distribution should start firewalld via init (systemd). This will make sure it's enabled:
# systemctl enable firewalld
Firewalld's default configuration _allows_ SSH.
When I power on the machine, I can't even ping it, let alone access ssh/samba/tvheadend/cockpit.
That makes it difficult to tell at that point if firewalld is running or not, but I assume it is, and is blocking everything.
As soon as I log in to GNOME on the console, I can start a terminal window and run firewall-cmd --state, which says "running".
Also, running "systemctl status firewalld" says: firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled) Active: active (running) since Mon 2022-10-24 20:27:49 BST; 22min ago
But was it running before I logged in? That "22 min ago" can probably tell me. If I power on but then wait 10 minutes before logging in, and then log on using PuTTY and log out on the console, it's still running. But as soon as I log out of the SSH session, it stops replying to pings and I can't log back in by SSH, so it feels like "something" is telling firewalld that the user is completely logged out now, block all traffic. The only way I can get back in by SSH is to get back in via the GNOME console first ... very frustrating.
Having logged back in again, I can see firewalld.service has been running for 27 minutes, so it isn't being stopped and started as I log in and out; it's only started when the machine boots.
On Monday, October 24, 2022 8:56 PM +0000 Andy Burns fedora@adslpipe.co.uk wrote:
> As soon as I login to gnome on the console
Try a shell login as root. Switch to one of the text virtual consoles and log in with that to read the firewalld state. Take a look at the XML files in /etc/firewalld to see if they match what you're seeing with the firewall-cmd commands.
Could your user login be changing the firewalld configuration with some user login script? Check /etc/profile as well as your dot files in your home directory. Especially check anything Gnome does at login/logout. For example, it could be changing to another zone that's locked down when nobody is logged in.
Logging in as root on a text console doesn't enable ping/ssh etc., so that's a good thing (insofar as I can get on the machine while the problem is present).
The firewall is running, and the default zone is still FedoraWorkstation.
The ethernet interface is up, but without any IP address. Doing an "ifup" on it starts it OK (some sort of warning from NetworkManager about using old scripts) and then stuff works.
Having started it that way, the network does not go down once I've logged out everywhere; it stays up until the machine is shut down.
Looking at the GNOME settings GUI for networking, the wired ethernet is set to "connect automatically",
but "make available for others" wasn't ticked, which seems to be the magic setting I needed ...
This seems to correspond to "all users may connect to this network" within nm-connection-editor.
Problem solved, but would that setting default to "on" rather than "off" with Server edition?
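The "make available for others" / "all users may connect to this network" checkbox is NetworkManager's connection.permissions property: when it is unticked the saved connection carries "user:<name>:" and only comes up once that user has logged in, which is exactly the symptom above. The script below is an added example, not code from the thread or from the NetworkManager project; it assumes nmcli is installed and that the connection names it prints are whatever the machine has saved. It audits every saved connection for a per-user restriction or autoconnect turned off and, with "audit --fix", converts them into system connections that come up at boot (the modify step needs root or a polkit grant).

```shell
#!/bin/bash
# Added example (not from the thread): find NetworkManager connections that are
# restricted to one user (the "Make available to other users" / "All users may
# connect to this network" checkbox unticked). Such connections are only
# activated after that user logs in, so SSH to a freshly booted box fails even
# though firewalld allows it. Assumes nmcli from NetworkManager is installed.

# Return 0 if a connection.permissions value means "system connection"
# (usable before anyone logs in), 1 if it is restricted to specific users.
# nmcli prints permissions like "user:andy:" for a per-user connection and an
# empty string (older nmcli: "--") for a system connection.
is_system_connection() {
    case "$1" in
        ""|"--") return 0 ;;
        *)       return 1 ;;
    esac
}

# Classify one connection from its permissions and autoconnect values.
# Echoes "per-user", "no-autoconnect" or "ok".
verdict_for() {
    perms="$1"
    autoconnect="$2"
    if ! is_system_connection "$perms"; then
        echo "per-user"
    elif [ "$autoconnect" != "yes" ]; then
        echo "no-autoconnect"
    else
        echo "ok"
    fi
}

# Walk every saved connection, report its state and, when called with --fix,
# clear the per-user restriction and enable autoconnect so it comes up at boot.
audit_connections() {
    fix="${1:-}"
    nmcli -t -f NAME connection show | while IFS= read -r name; do
        perms=$(nmcli -g connection.permissions connection show "$name")
        auto=$(nmcli -g connection.autoconnect connection show "$name")
        v=$(verdict_for "$perms" "$auto")
        printf '%-30s permissions=%-15s autoconnect=%-4s %s\n' \
            "$name" "${perms:-<none>}" "$auto" "$v"
        if [ "$fix" = "--fix" ] && [ "$v" != "ok" ]; then
            # Empty permissions means "all users"; this needs root (or polkit).
            nmcli connection modify "$name" \
                connection.permissions "" connection.autoconnect yes
        fi
    done
}

# Usage: ./nm-audit.sh audit          (report only)
#        sudo ./nm-audit.sh audit --fix
case "${1:-}" in
    audit) audit_connections "${2:-}" ;;
esac
```

After fixing, "nmcli -g connection.permissions connection show <name>" should print nothing and the interface should get its address during boot, before any login; reboot and confirm you can ping and SSH in without touching the console.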
On 24.10.2022 22:56, Andy Burns wrote:
> When I power on the machine, I can't even ping it, let alone access ssh/samba/tvheadend/cockpit
> That makes it difficult to tell at that point if firewalld is running, or not, but I assume it is, and is blocking everything.
> As soon as I login to gnome on the console,
It sounds like you have NetworkManager with user connection which starts when you log in.
Thanks, that was more or less it ... not a firewalld issue, but a NetworkManager issue.
[andy@localhost ~]$ sudo firewall-cmd --state
[sudo] password for andy:
running

[andy@localhost ~]$ firewall-cmd --query-panic
no

[andy@localhost ~]$ firewall-cmd --query-lockdown
no

[andy@localhost ~]$ firewall-cmd --get-default-zone
FedoraWorkstation

[andy@localhost ~]$ firewall-cmd --get-active-zones
FedoraWorkstation
  interfaces: enp0s25
libvirt
  interfaces: virbr0

[andy@localhost ~]$ firewall-cmd --info-zone=FedoraWorkstation
FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s25
  sources:
  services: cockpit dhcpv6-client http https mdns motion samba samba-client ssh tvheadend
  ports: 1025-65535/udp 1025-65535/tcp
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

[andy@localhost ~]$ systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2022-10-24 20:27:49 BST; 41min ago
       Docs: man:firewalld(1)
   Main PID: 1100 (firewalld)
      Tasks: 2 (limit: 38373)
     Memory: 42.9M
        CPU: 1.857s
     CGroup: /system.slice/firewalld.service
             └─1100 /usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid

Oct 24 20:27:48 localhost.localdomain systemd[1]: Starting firewalld.service - firewalld - dynamic firewall daemon...
Oct 24 20:27:49 localhost.localdomain systemd[1]: Started firewalld.service - firewalld - dynamic firewall daemon.
firewalld-users@lists.fedorahosted.org