1:54 p.m.
Running Fedora36 workstation, I have the firewall config pretty much as I want in terms of
zones/ports etc.
One thing though, which I can't findwhether it's intentional or not ...
The firewall acts as though it defaults to blocking everything unless I'm logged in
(on the desktop, or via SSH) but that means I can't first logon via SSH until after
I've logged onto the desktop, then I can't logout from the desktop, otherwise
then I can't get logged back via SSH.
If it should be like that, I'm quite surprised I can't see an option to make the
rules apply regardless of whether i'm logged in?
Thanks for any answers ...
2:09 p.m.
On Mon, Oct 24, 2022 at 06:54:43PM -0000, Andy Burns wrote:
Running Fedora36 workstation, I have the firewall config pretty much
as I want in terms of zones/ports etc.
One thing though, which I can't findwhether it's intentional or not ...
The firewall acts as though it defaults to blocking everything unless
I'm logged in (on the desktop, or via SSH) but that means I can't
first logon via SSH until after I've logged onto the desktop, then I
can't logout from the desktop, otherwise then I can't get logged back
via SSH.
If it should be like that, I'm quite surprised I can't see an option
to make the rules apply regardless of whether i'm logged in?
Your distribution should start firewalld via init (systemd).
This will make sure it's enabled:
# systemctl enable firewalld
Firewalld's default configuration _allows_ SSH.
2:56 p.m.
When I power on the machine, I can't even ping it, let alone acess
ssh/samba/tvheadend/cockpit
That makes it difficult to tell at that point if firewalld is running, or not, but I
assume it is, and is blocking everything.
As soon as I login to gnome on the console, then I can start a terminal window and run
firewall-cmd --state
which says "running",
Also running "systemctl status firewalld" says
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset:
enabled)
Active: active (running) since Mon 2022-10-24 20:27:49 BST; 22min ago
but was it running before I logged in? that "22 min ago" can probably tell me,
if I power on but then wait 10 minutes befoe logging in
if I then logon using puTTY, and logout on the console, it's still running
but as soon as I logout the ssh session, it stops replying to pings, I can't log back
in by ssh, so it feels like "something" is telling firewalld that the user is
completely logged out now, block all traffic, the only way I can get back in by SSH, is
yto get back in via the gnome console first ... very frustrating.
having logged back in again, I can see firewalld.service has been running for 27 minues,
so it isn't being stopped and started as I login and out, it's only started when
the machine boots.
5:43 p.m.
--On Monday, October 24, 2022 8:56 PM +0000 Andy Burns
<fedora(a)adslpipe.co.uk> wrote:
As soon as I login to gnome on the console
Try a shell login as root. Switch to one of the text virtual consoles and
log in with that to read the firewalld state. Take a look at the XML files
in /etc/firewalld to see if they match what you're seeing with the
firewall-cmd commands.
Could your user login be changing the firewalld configuration with some
user login script? Check /etc/profile as well as your dot files in your
home directory. Especially check anything Gnome does at login/logout. For
example, it could be changing to another zone that's locked down when
nobody is logged in.
1:42 a.m.
logging in as root on a text console doesn't enable ping/ssh etc, so that's a good
thing (in so far as I can get on the machine while the problem is present)
firewall is running, default zone is still FedoraWorkstation
the ethernet interface is up, but without anu IPv address
doing an "ifup" on it starts it ok (some sort of warning from NetworkManager
about using old scripts) and then stuff works
having started it that way, the network does not go down once I've logged out
everywher, it stays up untill the machine is shutdown,
looking at the gnome settings gui for netwoking, the wired ethernet is set for
"connect automatically"
but "make available for others" wasn't ticked, which seems to be the magic
setting I needed ...
this seems to corespond to "all users may connect to this network" within
nm-connection-editor
problem solved, but would that setting default to "on" rather than
"off" with Server edition?
11:02 p.m.
On 24.10.2022 22:56, Andy Burns wrote:
When I power on the machine, I can't even ping it, let alone
acess ssh/samba/tvheadend/cockpit
That makes it difficult to tell at that point if firewalld is running, or not, but I
assume it is, and is blocking everything.
As soon as I login to gnome on the console,
It sounds like you have NetworkManager with user connection which starts
when you log in.
1:43 a.m.
Thanks, that was more or less it ... not a firewalld issue, but a NetworkManager issue.
3:10 p.m.
[andy@localhost ~]$ sudo firewall-cmd --state
[sudo] password for andy:
running
[andy@localhost ~]$ firewall-cmd --query-panic
no
[andy@localhost ~]$ firewall-cmd --query-lockdown
no
[andy@localhost ~]$ firewall-cmd --get-default-zone
FedoraWorkstation
[andy@localhost ~]$ firewall-cmd --get-active-zones
FedoraWorkstation
interfaces: enp0s25
libvirt
interfaces: virbr0
[andy@localhost ~]$ firewall-cmd --info-zone=FedoraWorkstation
FedoraWorkstation (active)
target: default
icmp-block-inversion: no
interfaces: enp0s25
sources:
services: cockpit dhcpv6-client http https mdns motion samba samba-client ssh tvheadend
ports: 1025-65535/udp 1025-65535/tcp
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[andy@localhost ~]$ systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset:
enabled)
Active: active (running) since Mon 2022-10-24 20:27:49 BST; 41min ago
Docs: man:firewalld(1)
Main PID: 1100 (firewalld)
Tasks: 2 (limit: 38373)
Memory: 42.9M
CPU: 1.857s
CGroup: /system.slice/firewalld.service
└─ 1100 /usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
Oct 24 20:27:48 localhost.localdomain systemd[1]: Starting firewalld.service - firewalld -
dynamic firewall daemon...
Oct 24 20:27:49 localhost.localdomain systemd[1]: Started firewalld.service - firewalld -
dynamic firewall daemon.
551
days inactive
552
days old
firewalld-users@lists.fedorahosted.org
7 comments
4 participants
participants (4)
-
Andrei Borzenkov -
Andy Burns -
Eric Garver -
Kenneth Porter