Hello, I am new to using firewalld. I have been through the documentation at https://fedoraproject.org/wiki/FirewallD, but am having some trouble with configuration. It would seem that, regardless of zone or services enabled, I cannot ssh into the machine that has firewalld running without adding the client's subnet to the trusted zone. In addition, adding "UseDNS no" to the end of /etc/ssh/sshd_config seems to ignore firewall configuration.
I have been using firewall-cmd in order to set firewall options, if it makes a difference.
It seems that there is no HOWTO for getting started with firewalld, and there doesn't seem to be any one resource that's helpful for troubleshooting problems such as this.
Thank You, David Fryer
Hello,
On Wed, Jun 3, 2015, at 10:41 AM, Fryer, David wrote:
Are you running SSH on the standard port of 22? Are you using SELinux in Enforcing mode? If you are running SSH on a non-standard port, and have SELinux enabled, you would also need to do something like:
/usr/sbin/semanage port -a -t ssh_port_t -p tcp 1234
Where 1234 is the new port that you are using. This would set things up so that SELinux would be managing that port for SSH connections.
If that's not the issue, kindly post the output of your ssh connection attempt using the -v or -vv flags so that we can see where the connection is getting stuck. Thanks,
Jim
SSH is running on the standard port of 22, and selinux is enforcing. I don't think selinux is the problem, as adding "UseDNS no" to the end of sshd_config seems to bypass the issue entirely. The output of ssh -vv is here: http://pastebin.com/tHMde40L
--David Fryer
P.S. Is there a standard/accepted way of sharing logs with this mailing list?
On 06/04/2015 07:15 AM, Fryer, David wrote:
Actually, those of us ingrained into the Fedora Project prefer to use fpaste.org for pasting data, but it's not that big of a deal.
Now, with that said, we need to see the sshd logs from the target system. In /etc/ssh/sshd.conf, set the LogLevel line to 'debugging', restart sshd.service, and try to connect again. Then give us the output of 'journalctl -b -u sshd'.
Dan
On Thu, Jun 04, 2015 at 09:59:20AM -0500, Dan Mossor wrote:
Also note the convenient "fpaste" command -- you can just do
journalctl -b -u sshd | fpaste
Here are the sshd logs: http://fpaste.org/228902/43343143/
On 06/04/2015 10:22 AM, Fryer, David wrote:
There it is on line 43:
Jun 04 11:13:29 lin302.mno.stratus.com sshd[40203]: debug1: Could not open authorized keys '/root/.ssh/authorized_keys': No such file or directory
Unfortunately, I don't think that was the issue. I am not using key-based authentication, but even after creating /root/.ssh/authorized_keys and adding my public key (done as separate steps, attempting to log in in between), I remain unable to ssh into the machine.
Can anyone think of a reason that adding "UseDNS no" to the sshd configuration would allow connections? Even when ssh is not an allowed service on the machine (from firewalld)?
--David Fryer
On 06/04/2015 02:45 PM, Fryer, David wrote:
Can anyone think of a reason that adding "UseDNS no" to the sshd configuration would allow connections?
This doesn't make sense. Are you *sure* that you are unable to connect when using "UseDNS yes"? If the server doesn't have DNS properly configured what you should experience is a *very long delay* before getting the login prompt. I believe that, perhaps, you're not waiting enough & thus you're believing that you aren't able to connect?
Regards, Jorge
On 06/07/2015 07:44 AM, Jorge Fábregas wrote:
Eventually the login prompt appears (minutes later), but the login always ends up timing out from the long delay. But it turns out that UseDNS was a very important clue! Something popped into my head on Friday -- we're applying additional configuration to nsswitch.conf in order to set up the box as an NIS client (yes, in 2015! :(
If "nis" was removed from the hosts line of nsswitch.conf, then logins proceeded normally, even with the firewall up. Put it back in and a simple "gethostbyname()" test program failed.
Turning off firewalld and then applying the following iptables rule:
% iptables -I INPUT -m state --state NEW -j LOG
we could see the NIS server attempting to connect back to our box on several UDP ports (anywhere from 600 to 1000) upon ssh login.
So I added a rich rule to the default zone:
... <rule family="ipv4"> <source address="www.xxx.yyy.zzz"/> <port protocol="udp" port="512-1023"/> <accept/> </rule> ...
to allow these connections to the machine. Logins appear to be functioning now.
It would be great if firewalld (or firewall-config) provided a logging mechanism to help examine dropped packets. Even nicer would be a "learning mode" that could be enabled while various services are exercised and a summary of ports/protocols/sources suggested for the firewall exclusion. Easier said than done perhaps.
Anyway, thanks everyone for the help and suggestions along the way!
-- Joe
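The "learning mode" wished for above can be approximated offline from the output of the iptables LOG rule Joe used: collect the SRC/PROTO/DPT fields of the logged NEW connections, collapse the destination ports into ranges, and print candidate firewalld rich rules (the firewall-cmd form of the zone XML rule above) for an administrator to review before adding any of them. This is an added example, not code from the thread or from firewalld; the log lines are constructed in the shape the LOG target writes, and the merge threshold `gap` is an assumption chosen to mimic the 600-1000 UDP spread described.

```python
import re
from collections import defaultdict

# Fields emitted by the iptables LOG target on a kernel log line.
_FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")

def parse_log_line(line):
    """Pull SRC/DST/PROTO/SPT/DPT out of one kernel LOG line; None if it is not one."""
    fields = dict(_FIELD.findall(line))
    return fields if "SRC" in fields and "PROTO" in fields else None

def summarize(lines):
    """Map (source address, protocol) -> sorted list of destination ports seen."""
    seen = defaultdict(set)
    for line in lines:
        f = parse_log_line(line)
        if f and "DPT" in f:  # ICMP lines carry no DPT and are skipped
            seen[(f["SRC"], f["PROTO"].lower())].add(int(f["DPT"]))
    return {key: sorted(ports) for key, ports in seen.items()}

def port_ranges(ports, gap=0):
    """Collapse a sorted port list into (lo, hi) ranges, merging ports at most `gap` apart."""
    ranges = []
    for p in ports:
        if ranges and p - ranges[-1][1] <= gap + 1:
            ranges[-1][1] = p
        else:
            ranges.append([p, p])
    return [tuple(r) for r in ranges]

def suggest_rich_rules(lines, gap=0):
    """Turn logged NEW connections into firewalld rich rules for an admin to review."""
    rules = []
    for (src, proto), ports in sorted(summarize(lines).items()):
        for lo, hi in port_ranges(ports, gap):
            port = str(lo) if lo == hi else f"{lo}-{hi}"
            rules.append(f'rule family="ipv4" source address="{src}" '
                         f'port port="{port}" protocol="{proto}" accept')
    return rules

# Constructed sample lines in the shape the LOG target writes (not real captured logs).
SAMPLE_LOG = [
    "Jun 04 11:13:29 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.7 PROTO=UDP SPT=111 DPT=612 LEN=40",
    "Jun 04 11:13:29 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.7 PROTO=UDP SPT=111 DPT=613 LEN=40",
    "Jun 04 11:13:30 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.7 PROTO=UDP SPT=111 DPT=700 LEN=40",
    "Jun 04 11:13:30 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.7 PROTO=UDP SPT=111 DPT=998 LEN=40",
    "Jun 04 11:13:31 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.7 PROTO=ICMP TYPE=8 CODE=0",
    "Jun 04 11:13:32 host kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.7 PROTO=TCP SPT=51000 DPT=22",
]

if __name__ == "__main__":
    for rule in suggest_rich_rules(SAMPLE_LOG, gap=100):
        print("firewall-cmd --add-rich-rule='" + rule + "'")
```

With gap=100 the four UDP hits collapse to a single 612-700 range plus 998, which is the kind of per-source, per-protocol summary that makes an over-broad "whole subnet in trusted" workaround unnecessary.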