Hello,
So I finally stopped disabling firewalld because I couldn't get what I wanted working. Now everything is running along great. I would like to now export the changes from a default system so that I can push it to other machines in a similar situation.
Sincerely,
Question about firewalld and zones.
My normal network connection is in the "home" zone which has some services enabled and some ports.
I have a VPN that is in the "trusted" zone. The trusted zone has no services enabled but has ports 0-65535 TCP and UDP.
When I bring up the VPN, not all the ports seem to be open. What am I missing?
Regards, John Griffiths
On 03/07/2014 09:42 PM, John Griffiths wrote:
I have a VPN that is in the "trusted" zone. The trusted zone has no services enabled but has ports 0-65535 TCP and UDP.
Could you attach the XML file of your "trusted" zone ?
When I bring up the VPN, not all the ports seem to be open.
Also iptables-save output would be useful.
What am I missing?
No idea.
-- Jiri
On 03/11/2014 09:31 AM, Jiri Popelka wrote:
On 03/07/2014 09:42 PM, John Griffiths wrote:
I have a VPN that is in the "trusted" zone. The trusted zone has no services enabled but has ports 0-65535 TCP and UDP.
Could you attach the XML file of your "trusted" zone ?
<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Trusted</short>
  <description>All network connections are accepted.</description>
  <port protocol="tcp" port="0-65535"/>
  <port protocol="udp" port="0-65535"/>
</zone>
When I bring up the VPN, not all the ports seem to be open.
Also iptables-save output would be useful.
This is with the VPN up.
# Generated by iptables-save v1.4.18 on Tue Mar 11 10:13:32 2014
*nat
:PREROUTING ACCEPT [5273:585641]
:INPUT ACCEPT [4009:381138]
:OUTPUT ACCEPT [23604:1760232]
:POSTROUTING ACCEPT [23604:1760232]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_home - [0:0]
:POST_home_allow - [0:0]
:POST_home_deny - [0:0]
:POST_home_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_home - [0:0]
:PRE_home_allow - [0:0]
:PRE_home_deny - [0:0]
:PRE_home_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o em1 -g POST_home
-A POSTROUTING_ZONES -g POST_home
-A POST_home -j POST_home_log
-A POST_home -j POST_home_deny
-A POST_home -j POST_home_allow
-A PREROUTING_ZONES -i em1 -g PRE_home
-A PREROUTING_ZONES -g PRE_home
-A PRE_home -j PRE_home_log
-A PRE_home -j PRE_home_deny
-A PRE_home -j PRE_home_allow
COMMIT
# Completed on Tue Mar 11 10:13:32 2014
# Generated by iptables-save v1.4.18 on Tue Mar 11 10:13:32 2014
*mangle
:PREROUTING ACCEPT [527279:593251824]
:INPUT ACCEPT [527279:593251824]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [481339:480231494]
:POSTROUTING ACCEPT [482918:480524178]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_home - [0:0]
:PRE_home_allow - [0:0]
:PRE_home_deny - [0:0]
:PRE_home_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i em1 -g PRE_home
-A PREROUTING_ZONES -g PRE_home
-A PRE_home -j PRE_home_log
-A PRE_home -j PRE_home_deny
-A PRE_home -j PRE_home_allow
COMMIT
# Completed on Tue Mar 11 10:13:32 2014
# Generated by iptables-save v1.4.18 on Tue Mar 11 10:13:32 2014
*security
:INPUT ACCEPT [525887:593042099]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [481341:480231594]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Tue Mar 11 10:13:32 2014
# Generated by iptables-save v1.4.18 on Tue Mar 11 10:13:32 2014
*raw
:PREROUTING ACCEPT [527281:593251924]
:OUTPUT ACCEPT [481341:480231594]
:OUTPUT_direct - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Tue Mar 11 10:13:32 2014
# Generated by iptables-save v1.4.18 on Tue Mar 11 10:13:32 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [481339:480231494]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_home - [0:0]
:FWDI_home_allow - [0:0]
:FWDI_home_deny - [0:0]
:FWDI_home_log - [0:0]
:FWDO_home - [0:0]
:FWDO_home_allow - [0:0]
:FWDO_home_deny - [0:0]
:FWDO_home_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_home - [0:0]
:IN_home_allow - [0:0]
:IN_home_deny - [0:0]
:IN_home_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i em1 -g FWDI_home
-A FORWARD_IN_ZONES -g FWDI_home
-A FORWARD_OUT_ZONES -o em1 -g FWDO_home
-A FORWARD_OUT_ZONES -g FWDO_home
-A FWDI_home -j FWDI_home_log
-A FWDI_home -j FWDI_home_deny
-A FWDI_home -j FWDI_home_allow
-A FWDO_home -j FWDO_home_log
-A FWDO_home -j FWDO_home_deny
-A FWDO_home -j FWDO_home_allow
-A INPUT_ZONES -i em1 -g IN_home
-A INPUT_ZONES -g IN_home
-A IN_home -j IN_home_log
-A IN_home -j IN_home_deny
-A IN_home -j IN_home_allow
-A IN_home_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p udp -m udp --dport 137 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p udp -m udp --dport 138 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p tcp -m tcp --dport 139 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p tcp -m tcp --dport 445 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p tcp -m tcp --dport 5900:5903 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p tcp -m tcp --dport 993 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p tcp -m tcp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p udp -m udp --dport 1194 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p tcp -m tcp --dport 3306 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p tcp -m tcp --dport 5432 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p udp -m udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p tcp -m tcp --dport 995 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p udp -m udp --dport 137 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p udp -m udp --dport 138 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p tcp -m tcp --dport 51413 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p tcp -m tcp --dport 5059:5061 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p udp -m udp --dport 1998 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p udp -m udp --dport 54925 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p tcp -m tcp --dport 5269 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p udp -m udp --dport 5900:5999 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p tcp -m tcp --dport 5298 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p udp -m udp --dport 587 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p tcp -m tcp --dport 1998 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p tcp -m tcp --dport 8181 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p tcp -m tcp --dport 5222:5223 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p tcp -m tcp --dport 1099 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p udp -m udp --dport 6881:6999 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p udp -m udp --dport 6566 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p tcp -m tcp --dport 8080 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p tcp -m tcp --dport 9090:9091 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p udp -m udp --dport 4000:4050 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p tcp -m tcp --dport 5900:5999 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p udp -m udp --dport 5059:5061 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p tcp -m tcp --dport 3551 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p udp -m udp --dport 4848 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p udp -m udp --dport 5298 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p udp -m udp --dport 5222:5223 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p tcp -m tcp --dport 6881:6999 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p tcp -m tcp --dport 5280:5281 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p tcp -m tcp --dport 4000:4050 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p tcp -m tcp --dport 587 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p tcp -m tcp --dport 5800:5899 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p udp -m udp --dport 3551 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p tcp -m tcp --dport 6566 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p udp -m udp --dport 9090:9091 -m conntrack --ctstate NEW -j ACCEPT
-A IN_home_allow -p tcp -m tcp --dport 4848 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Tue Mar 11 10:13:32 2014
What am I missing?
No idea.
-- Jiri
firewalld-users mailing list firewalld-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
As far as I can tell, the trusted zone is not being used at all. True?
Any ideas on what I can do to accomplish letting the VPN be totally trusted? If that cannot be done, how about totally trusting a host at the other end of the VPN?
Regards, John
On 03/11/2014 10:17 AM, John Griffiths wrote:
On 03/11/2014 09:31 AM, Jiri Popelka wrote:
On 03/07/2014 09:42 PM, John Griffiths wrote:
I have a VPN that is in the "trusted" zone. The trusted zone has no services enabled but has ports 0-65535 TCP and UDP.
Could you attach the XML file of your "trusted" zone ?
<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Trusted</short>
  <description>All network connections are accepted.</description>
  <port protocol="tcp" port="0-65535"/>
  <port protocol="udp" port="0-65535"/>
</zone>
When I bring up the VPN, not all the ports seem to be open.
Also iptables-save output would be useful.
This is with the VPN up.
What am I missing?
No idea.
-- Jiri
Hello John,
On 03/25/2014 09:51 PM, John Griffiths wrote:
As far as I can tell, the trusted zone is not being used at all. True?
the trusted zone is only used if you are binding something to it, like for example an interface or a source address (range).
The VPNs handled by NM are currently not bound to a firewall zone. This is something that should be fixed soon in NM. The needed parts in firewalld are there, but there is no source binding requested by NM so far.
Any ideas on what I can do to accomplish letting the VPN be totally trusted? If that cannot be done, how about totally trusting a host at the other end of the VPN?
For now you can bind the addresses or address ranges of your VPN connection to the trusted zone. Please have a look at the firewall-cmd man page or use the config tool.
For testing (runtime only): firewall-cmd [--zone=zone] --add-source=source[/mask]
For permanent change: firewall-cmd --permanent [--zone=zone] --add-source=source[/mask]
Regards, John
Regards, Thomas
On 03/11/2014 10:17 AM, John Griffiths wrote:
On 03/11/2014 09:31 AM, Jiri Popelka wrote:
On 03/07/2014 09:42 PM, John Griffiths wrote:
I have a VPN that is in the "trusted" zone. The trusted zone has no services enabled but has ports 0-65535 TCP and UDP.
Could you attach the XML file of your "trusted" zone ?
<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Trusted</short>
  <description>All network connections are accepted.</description>
  <port protocol="tcp" port="0-65535"/>
  <port protocol="udp" port="0-65535"/>
</zone>
When I bring up the VPN, not all the ports seem to be open.
Also iptables-save output would be useful.
This is with the VPN up.
What am I missing?
No idea.
-- Jiri
firewalld-users mailing list firewalld-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
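Jiri's request for the iptables-save output and Thomas's point that a zone only does anything once an interface or source is bound to it come down to the same check: which IN_<zone> chains in the *filter table actually have a dispatch rule pointing at them. The Python below is an added example, not code from the thread or from the firewalld project. It parses an iptables-save dump into per-zone interface and source bindings, reports which of the zones you expect to be active never receive traffic (the "trusted zone is not being used at all" finding), and builds the two firewall-cmd invocations Thomas gives, validating the address range first. The sample dumps are constructed from the chain layout in the thread's dump; the 10.8.0.0/24 VPN range and the exact shape of the INPUT_ZONES_SOURCE rule are assumptions.

```python
"""Find which firewalld zones actually receive traffic, from iptables-save output.

Added example; not code from the thread or from the firewalld project. It reads
the *filter table the way the thread's dump is laid out: firewalld dispatches
inbound packets from INPUT_ZONES_SOURCE (source bindings, "-s <addr>") and
INPUT_ZONES (interface bindings, "-i <iface>", plus a trailing catch-all for the
default zone) into per-zone IN_<zone> chains. A zone with no dispatch rule
pointing at it never sees a packet.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: the zone-dispatch lines of the *filter table from the
# thread's dump (home bound to em1, home as the default zone), trimmed to the
# lines that matter here. Nothing references a "trusted" chain.
SAMPLE_BEFORE = """\
*filter
:INPUT ACCEPT [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:IN_home - [0:0]
:IN_home_allow - [0:0]
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT_ZONES -i em1 -g IN_home
-A INPUT_ZONES -g IN_home
-A IN_home -j IN_home_allow
COMMIT
"""

# Constructed sample of the same table after binding a VPN address range to
# "trusted" with --add-source. 10.8.0.0/24 is a placeholder range and the
# INPUT_ZONES_SOURCE rule shape is assumed from firewalld's chain layout, not
# copied from the thread.
SAMPLE_AFTER = """\
*filter
:INPUT ACCEPT [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:IN_home - [0:0]
:IN_home_allow - [0:0]
:IN_trusted - [0:0]
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT_ZONES_SOURCE -s 10.8.0.0/24 -g IN_trusted
-A INPUT_ZONES -i em1 -g IN_home
-A INPUT_ZONES -g IN_home
-A IN_home -j IN_home_allow
COMMIT
"""

ZONE_CHAIN = re.compile(r"^:IN_(\w+) - ")
IFACE_RULE = re.compile(r"^-A INPUT_ZONES -i (\S+) -g IN_(\w+)$")
SOURCE_RULE = re.compile(r"^-A INPUT_ZONES_SOURCE -s (\S+) -g IN_(\w+)$")
DEFAULT_RULE = re.compile(r"^-A INPUT_ZONES -g IN_(\w+)$")
HELPER_SUFFIXES = ("_allow", "_deny", "_log")  # IN_home_allow etc. are not zones


@dataclass
class ZoneBindings:
    interfaces: list[str] = field(default_factory=list)
    sources: list[str] = field(default_factory=list)
    is_default: bool = False

    @property
    def active(self) -> bool:
        """True if at least one dispatch rule can deliver packets to the zone."""
        return bool(self.interfaces or self.sources or self.is_default)


def parse_zone_bindings(dump: str) -> dict[str, ZoneBindings]:
    """Map each zone seen in the *filter table to its interface/source bindings."""
    zones: dict[str, ZoneBindings] = {}
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # table header, e.g. "*filter"
            table = line[1:]
            continue
        if table != "filter":             # zone dispatch lives in *filter only
            continue
        if m := ZONE_CHAIN.match(line):
            name = m.group(1)
            if not name.endswith(HELPER_SUFFIXES):
                zones.setdefault(name, ZoneBindings())
        elif m := IFACE_RULE.match(line):
            zones.setdefault(m.group(2), ZoneBindings()).interfaces.append(m.group(1))
        elif m := SOURCE_RULE.match(line):
            zones.setdefault(m.group(2), ZoneBindings()).sources.append(m.group(1))
        elif m := DEFAULT_RULE.match(line):
            zones.setdefault(m.group(1), ZoneBindings()).is_default = True
    return zones


def unused_zones(dump: str, expected: list[str]) -> list[str]:
    """Zones the operator believes are in use but that no rule dispatches to."""
    zones = parse_zone_bindings(dump)
    return sorted(z for z in expected if not (z in zones and zones[z].active))


def add_source_commands(zone: str, source: str) -> list[str]:
    """The runtime and permanent firewall-cmd invocations from the thread, with
    the source checked as a valid IPv4/IPv6 address or network before use."""
    net = ipaddress.ip_network(source, strict=False)
    src = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
    return [
        f"firewall-cmd --zone={zone} --add-source={src}",
        f"firewall-cmd --permanent --zone={zone} --add-source={src}",
    ]


if __name__ == "__main__":
    for label, dump in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, {z: vars(b) for z, b in parse_zone_bindings(dump).items()})
        print("  zones receiving no traffic:", unused_zones(dump, ["home", "trusted"]))
    print("\n".join(add_source_commands("trusted", "10.8.0.0/24")))
```

On a live host, feed the output of `iptables-save` to `unused_zones` with the zones you believe are active; a zone that comes back in the list has a chain but nothing routes packets into it, which is exactly what a VPN connection without a source or interface binding looks like.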
Thanks, but it appears that KDE Control Manager is connected in some way. It responds to zone changes. Only the iptables rules do not seem to respond.
On 03/26/2014 11:31 AM, Thomas Woerner wrote:
Hello John,
On 03/25/2014 09:51 PM, John Griffiths wrote:
As far as I can tell, the trusted zone is not being used at all. True?
The trusted zone is only used if you bind something to it, for example an interface or a source address (range).
The firewall-config shows the VPN bound to the trusted zone.
The VPNs handled by NM are currently not bound to a firewall zone. This is something that should be fixed soon in NM. The needed parts in firewalld are there, but there is no source binding requested by NM so far.
KDE Control Manager shows the VPN in the trusted zone. It shows the wired connection in the home zone.
Any ideas on what I can do to accomplish letting the VPN be totally trusted? If that cannot be done, how about totally trusting a host at the other end of the VPN?
For now you can bind the addresses or address ranges of your VPN connection to the trusted zone. Please have a look at the firewall-cmd man page or use the config tool.
For testing (runtime only): firewall-cmd [--zone=zone] --add-source=source[/mask]
For permanent change: firewall-cmd --permanent [--zone=zone] --add-source=source[/mask]
Regards, John
Regards, Thomas
firewalld-users mailing list firewalld-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
On 03/11/2014 03:17 PM, John Griffiths wrote:
On 03/11/2014 09:31 AM, Jiri Popelka wrote:
On 03/07/2014 09:42 PM, John Griffiths wrote:
I have a VPN that is in the "trusted" zone. The trusted zone has no services enabled but has ports 0-65535 TCP and UDP.
Could you attach the XML file of your "trusted" zone ?
<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT"> <short>Trusted</short> <description>All network connections are accepted.</description> <port protocol="tcp" port="0-65535"/> <port protocol="udp" port="0-65535"/> </zone>
With target=ACCEPT, everything in the zone that is not configured to be rejected or dropped is accepted.
There is no need to additionally allow tcp and udp ports 0-65535.
Regards, Thomas
firewalld-users mailing list firewalld-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
Thanks Thomas. I removed the additional allow of the tcp and udp ports.
firewalld-users mailing list firewalld-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
On 03/07/2014 07:14 PM, Nathanael D. Noblet wrote:
So I finally stopped disabling firewalld because I couldn't get what I wanted working. Now everything is running along great. I would like to
Great!
now export the changes from a default system so that I can push it to other machines in a similar situation.
AFAICT just copying /etc/firewalld/ from one machine to another should do the trick.
-- Jiri
firewalld-users@lists.fedorahosted.org
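To make Jiri's suggestion reproducible, here is an added example in POSIX shell; it is not code from the thread or from firewalld. It archives /etc/firewalld (the distribution defaults under /usr/lib/firewalld are left alone, so only local changes travel), unpacks the archive on the target and reloads firewalld there. It also lists the interface names baked into the exported zone files, because a binding such as em1 is specific to the source host. The directory arguments exist so the functions can be exercised against a temporary tree; the zone file in the demo is constructed for the example and assumes firewalld's one-element-per-line XML layout.

```shell
#!/bin/sh
# Export the local firewalld configuration from one host and import it on
# another. /etc/firewalld holds only local changes (firewalld.conf, zones/,
# services/, icmptypes/, direct.xml, ...); the distribution defaults live in
# /usr/lib/firewalld and are not copied.
set -eu

# Archive $src (default /etc/firewalld) into $out and print the archive name.
export_firewalld_config() {
    src=${1:-/etc/firewalld}
    out=${2:-firewalld-config.tar}
    tar -C "$(dirname "$src")" -cf "$out" "$(basename "$src")"
    printf '%s\n' "$out"
}

# Print "<zone> <interface>" for every interface bound inside the exported
# zone files (one <interface .../> element per line, as firewalld writes them).
# Interface names such as em1 are host specific and may not exist on the
# target, so review this list before importing.
exported_interface_bindings() {
    src=${1:-/etc/firewalld}
    for f in "$src"/zones/*.xml; do
        [ -f "$f" ] || continue
        zone=$(basename "$f" .xml)
        sed -n 's/.*<interface name="\([^"]*\)".*/'"$zone"' \1/p' "$f"
    done
}

# Unpack the archive under $etc_dir (default /etc). Only when writing to the
# real /etc is firewalld reloaded, which is what turns the files into rules.
import_firewalld_config() {
    archive=$1
    etc_dir=${2:-/etc}
    tar -C "$etc_dir" -xf "$archive"
    if [ "$etc_dir" = /etc ] && command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --reload
    fi
}

# Demonstration against a constructed tree so it runs without root:
# export from $tmp/src/firewalld, import into $tmp/dst, list the bindings.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/src/firewalld/zones" "$tmp/dst"
    printf 'DefaultZone=home\n' > "$tmp/src/firewalld/firewalld.conf"
    cat > "$tmp/src/firewalld/zones/home.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Home</short>
  <interface name="em1"/>
  <service name="ssh"/>
</zone>
EOF
    archive=$(export_firewalld_config "$tmp/src/firewalld" "$tmp/firewalld-config.tar")
    import_firewalld_config "$archive" "$tmp/dst"
    echo "interface bindings carried in the archive:"
    exported_interface_bindings "$tmp/dst/firewalld"
    rm -rf "$tmp"
}

demo
# Real use: export_firewalld_config on the source host, copy the tar across,
# then import_firewalld_config /path/to/firewalld-config.tar as root there.
```

Two caveats a practitioner will hit. The archive only captures interface bindings made with firewall-cmd --permanent --add-interface; for a NetworkManager-managed connection the zone is stored in the connection profile (ZONE= in the ifcfg file, connection.zone in nmcli terms), which /etc/firewalld does not contain, so those assignments have to be exported separately. And firewalld reads the files as root on reload, so keep them root-owned with their default modes; tar preserves the ones it finds.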