Trying to open ports in firewalld

James Hogarth james.hogarth at gmail.com
Thu Feb 25 13:26:26 UTC 2016 

On 25 February 2016 at 11:48, Timothy Murphy <gayleard at eircom.net> wrote:

> Richard Shaw wrote:
>
> > On Tue, Feb 23, 2016 at 7:31 AM, Timothy Murphy <gayleard at eircom.net>
> > wrote:
> >
> >> I see that I have to open ports 1714-1764, TCP and UDP.
> >> I'm running firewalld on the laptop.
> >> I give the command "firewall-config" and authenticate.
> >> Clicking on zone "internal" I see that kde-connect is ticked.
> >> And when I go to Ports I see that ports 1714-1764 are listed, TCP and
> >> UDP. And all this remains set if I reboot.
>
>
> > Let's try the simple stuff first... Is your default zone for your network
> > connection also "internal"?
>
> Thank you very much.
> That was indeed the issue.
> After changing the default zone to "internal" everything works fine.
>
>
I'm still curious about this ... if you look at the underlying iptables
rules with iptables -vnL you'll see traffic on localhost is ALLOW before
any zone stuff is checked:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
destination
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0
0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0
0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0
0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0
0.0.0.0/0            tcp dpt:67
 134K  104M ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0            ctstate RELATED,ESTABLISHED
    5   300 ACCEPT     all  --  lo     *       0.0.0.0/0
0.0.0.0/0
  679  201K INPUT_direct  all  --  *      *       0.0.0.0/0
0.0.0.0/0
  679  201K INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0
 0.0.0.0/0
  679  201K INPUT_ZONES  all  --  *      *       0.0.0.0/0
0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0
0.0.0.0/0
    1    40 DROP       all  --  *      *       0.0.0.0/0
0.0.0.0/0            ctstate INVALID
  498  158K REJECT     all  --  *      *       0.0.0.0/0
0.0.0.0/0            reject-with icmp-host-prohibited

In fact if you firewall-cmd --list-interfaces you'll see that lo is not
bound to any zone (which is sensible given the policy above... otherwise
it'd be misleading as zone would never be jumped to for it).



> But I don't understand the reasoning behind this.
> This use of the term "zone" seems to me misleading and bizarre.
> I run shorewall on my home server, and there the "zone"
> can be "net", "local", etc.
> Any changes made to a particular zone come into effect
> on restarting shorewall.
> It would not make sense in this context to choose a "default zone".
>
>
I've always hated the term "zone" in firewalld - it's very misleading given
how it's used elsewhere and the default zones that you can't remove make it
worse.

I did go into detail on it here though that may help:
https://www.hogarthuk.com/?q=node/9

The short of it is the zone name is a label and most of the zones are not
in use and will rarely if ever be in use in most installs.

You can apply rules to that label (and they will not be persistent unless
--permanent is used, in which case runtime won't be affected, or the
runtime is persisted with --runtime-to-permanent) and that label can be
bound to an interface or to a source network address.

In addition NetworkManager can be configured to apply a zone to a
connection profile so you could have work always use the 'work' and $cafe
use 'public' based on their different connection profiles (based on SSID).

The 'default' zone is just the rules used if no other zones have
configurations that match that interface or source network.



> Incidentally, restarting firewalld does not seem to me to work properly,
> as a window comes up asking for authentication.
> I don't recall any other service requiring this,
> and it would seem to prevent remote restarting.
>
>
>
>
This is the polkit configuration for it. Again I go into detail on the blog
article but the default configuration is that if not root it requests admin
credentials to reload (or even view some stuff).

Keep in mind the polkit policy for firewall-cmd --reload behaviour is
distinct and separate from a systemd polkit policy limiting systemctl
<action> <unit> to admin users.

In terms of remote restarting polkit will only use a GUI prompt if a
display is detected, otherwise it'll have a text based authentication
interaction.. and again this is only if not root.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/users/attachments/20160225/b079a311/attachment.html>

More information about the users mailing list