
Stateful zone based firewall daemon with D-Bus interface

License: GNU General Public License v2.0

Shell 2.08% Python 95.09% Makefile 2.14% M4 0.61% Dockerfile 0.07%
firewall ipset iptables linux nftables

firewalld's Introduction


FirewallD - A firewall daemon with D-Bus interface providing a dynamic firewall

firewalld provides a dynamically managed firewall with support for network or firewall zones that define the trust level of network connections or interfaces. It supports IPv4 and IPv6 firewall settings, ethernet bridges, and a separation of runtime and permanent configuration options. It also provides an interface for services or applications to add ip*tables and ebtables rules directly.

Development

To check out the source repository, you can use:

git clone https://github.com/firewalld/firewalld.git

This will create a local copy of the repository.

The contributor code of conduct can be found in CODE_OF_CONDUCT.md

Language Translations

Firewalld uses GNU gettext for localization support. Translations can be done using Fedora's Weblate instance. Translations are periodically merged into the main firewalld repository.

Dependencies

These are the runtime dependencies:

  linux >= 5.3
  python >= 3.7
  python3-dbus
  python3-gobject
  python3-nftables >= 0.9.4

Note: python2 is not supported.

Optional Dependencies

These dependencies may enhance firewalld's functionality, but they are not required.

  ebtables
  ipset
  iptables
  polkit
  python3-capng (libcap-ng-python3)

Working With The Source Repository

In addition to the runtime dependencies some others are needed to build from source:

  desktop-file-utils: /usr/bin/desktop-file-install
  gettext
  intltool
  glib2: /usr/bin/glib-compile-schemas
  glib2-devel: /usr/share/aclocal/gsettings.m4
  systemd-units
  pytest

To be able to create man pages and documentation from docbook files:

  docbook-style-xsl
  libxslt

Use the usual autoconf/automake incantation to generate the makefiles:

./autogen.sh
./configure

You can use a specific python interpreter by passing the PYTHON variable. This is also used by the testsuite.

./configure PYTHON=/path/to/python3

Use

make

to create the documentation and to update the po files.

Use

make check

to run the testsuite. Tests are run inside network namespaces and do not interfere with the host's running firewalld. They can also be run in parallel by passing flags to autotest.

make check TESTSUITEFLAGS="-j4"

The testsuite also uses keywords to allow running a subset of tests that exercise a specific area. For example:

make check TESTSUITEFLAGS="-k rich -j4"

Output:

  24: rich rules audit                                ok
  25: rich rules priority                             ok
  26: rich rules bad                                  ok
  53: rich rules audit                                ok
  23: rich rules good                                 ok
  55: rich rules bad                                  ok
  74: remove forward-port after reload                ok

You can get a list of tests and keywords with:

make -C src/tests check TESTSUITEFLAGS="-l"

Or just the keywords:

make -C src/tests check TESTSUITEFLAGS="-l" \
  |awk '/^[[:space:]]*[[:digit:]]+/{getline; print $0}' \
  |tr ' ' '\n' |sort |uniq

There are integration tests. Currently this includes NetworkManager. These may be destructive to the host. Run them in a disposable VM or container.

make check-integration

There is also a check-container target that will run the testsuite inside various podman/docker containers. This is useful for coverage of multiple distributions. It also runs tests that may be destructive to the host such as integration tests.

make check-container TESTSUITEFLAGS="-j4"

OCI Container Image

As part of the dist build target an OCI container image is generated. This is distributed alongside the normal release tarball. It can be used to run firewalld from a container. The containerized firewalld will not integrate with the host (e.g. podman, libvirt, NetworkManager).

To manually load the container image into your environment:

podman load -i .../path/to/firewalld-oci-<ver>.tar

To fetch the image from quay.io:

podman pull quay.io/firewalld/firewalld:<ver>

where <ver> is optional; the latest version is used if it is omitted.

To start the daemon/container:

podman run -d --network host --privileged \
              --name my-firewalld firewalld

Firewalld's configuration will live inside the container. Therefore users may want to occasionally podman commit the image.

Using firewalld's CLI should be done via podman exec after the daemon/container has been started:

podman exec my-firewalld firewall-cmd ...

Container Integration with Host

The same container image can be used to integrate with the host's running NetworkManager, podman, libvirt, etc. This requires the host to have a dbus policy for firewalld.

A dbus policy can be obtained from the firewalld source code tree at location config/FirewallD.conf.

cp config/FirewallD.conf /usr/share/dbus-1/system.d/FirewallD.conf

Once the dbus policy is in place the container could be started as such:

podman run -d -v /run/dbus/system_bus_socket:/run/dbus/system_bus_socket \
              --network host --privileged \
              --name my-firewalld firewalld \
              firewalld --nofork --nopid

The only additions are the volume mount and the explicit CMD.

The same approach can be used to store firewalld's configuration files on the host.

podman run -d -v /run/dbus/system_bus_socket:/run/dbus/system_bus_socket \
              -v /etc/firewalld:/etc/firewalld \
              --network host --privileged \
              --name my-firewalld firewalld \
              firewalld --nofork --nopid

RPM package

For Fedora and RHEL based distributions, there is a spec file in the source repo named firewalld.spec. This should be usable for Fedora versions >= 16 and RHEL >= 7.

Links

Homepage: http://firewalld.org

Report a bug: https://github.com/firewalld/firewalld/issues

Git repo browser: https://github.com/firewalld/firewalld

Git repo: https://github.com/firewalld/firewalld.git

Documentation: http://firewalld.org/documentation/

Mailing lists

For usage: https://lists.fedorahosted.org/archives/list/[email protected]/

For development: https://lists.fedorahosted.org/archives/list/[email protected]/

Directory Structure

Directory Content
config/ Configuration files
config/icmptypes/ Predefined ICMP types
config/services/ Predefined services
config/xmlschema/ XML Schema checks for config files
config/zones/ Predefined zones
config/ipsets/ Predefined ipsets
doc/ Documentation
doc/man/ Base directory for man pages
doc/man/man1/ Man(1) pages
doc/man/man5/ Man(5) pages
po/ Translations
shell-completion/ Base directory for auto completion scripts
src/ Source tree
src/firewall/ Import tree for the service and all applications
src/icons/ Icons in the sizes: 16, 22, 24, 32, 48 and scalable
src/tests/ Testsuite


firewalld's Issues

Multicast UDP packets (MDNS/Bonjour protocol) blocked by default?

Hi,

Fedora 22 x86_64 (latest Beta): firewalld (v0.3.13-7.fc22) seems to be blocking the aforementioned packets, preventing the auto-discovery of local contacts in Empathy (default Fedora IM client), and also Gnome's "People Nearby" functionality (through control-centre->Online Accounts).

Is this expected? Are there some settings/config I can play with to get this to work?

Thanks,

Add SSDP/UPnP service?

Hello,

Wouldn't it be nice to add a "SSDP" or "UPnP" service?

The "announcements" messages are sent over udp using port 1900 with destination address 239.255.255.250 (multicast), that would be a good start already I guess?

There is a Fedora bug already opened about this.

Support mdns services as firewalld services (with ephemeral ports)

The Privet cloud device local discovery protocol uses ephemeral ports advertised through mdns. See
https://developers.google.com/cloud-print/docs/privet?hl=en#discovery and https://github.com/google/cups-connector for reference.

Currently, it is awkward for firewalld to support such a dynamic protocol with its service configuration framework, without opening large numbers of ports.

I propose that firewalld support a new tag in the service config. This could be called <mdns-service> or something like that. For privet, it would be <mdns-service>_privet._tcp</mdns-service> in the service config. If so configured, firewalld would then subscribe to avahi events from the local machine and open and close ports based on the avahi notifications.

Then administrators could associate firewalld services to zones as before but nicely support dynamic ports.

Logs to syslog/journald with timestamp in formatted message

When logging to syslog/journald, there is no need to include the timestamp in the formatted message. In fact, doing so makes it harder to filter/match log messages, as the timestamp is always different.

Firewalld should only include the timestamp in formatted log output when logging to stdout or to a file.

my experiences with firewalld

So, I tried to make use of firewalld as my firewall interface and it disappointed me right from the start:
1.) There are no easy ways to create data structures with chains. The only way is through --direct, but you do not see what effect --direct rules have over firewalld; it can only list them, and even that happens only if you tell it to show you those rules. So they are kind of "hidden" by default.
2.) When you set your default target to DROP, it adds this DROP into IN_, which then ignores the ACCEPT icmp rule behind it in INPUT. That can be a problem with IPv6, because IPv6 does not work without icmp.
I would suggest that firewalld make data structures and then map them to iptables chains. This has to be in logical order, so that it first filters out everything that is not being accepted anyway, then goes through checking what is being permitted - in hierarchical order / tree structure - and then the default chain would kick in. Like with iptables. And this should be adjustable via firewalld.

Ubuntu PPA

Please provide an Ubuntu PPA with the latest version. (Ubuntu LTS currently ships 0.3.7, which apparently lacks the systray applet).

sometime call to reload fails

I'm already trying to make a patch for that; basically the problem is here:

https://github.com/t-woerner/firewalld/blob/master/src/firewall/core/fw_direct.py#L93

rule_id is not defined.


Traceback (most recent call last):
  File "/srv/mastersalt/makina-states/files/usr/bin/ms_firewalld.py", line 473, in _main
    apply_retry=apply_retry, **kwargs)
  File "/srv/mastersalt/makina-states/files/usr/bin/ms_firewalld.py", line 249, in define_zone
    lazy_reload()
  File "/srv/mastersalt/makina-states/files/usr/bin/ms_firewalld.py", line 166, in lazy_reload
    fw().reload()
  File "<string>", line 2, in reload
  File "/usr/lib/python2.7/dist-packages/slip/dbus/polkit.py", line 103, in _enable_proxy
    return func(*p, **k)
  File "<string>", line 2, in reload
  File "/usr/lib/python2.7/dist-packages/firewall/client.py", line 52, in handle_exceptions
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/firewall/client.py", line 1839, in reload
    self.fw.reload()
  File "/usr/lib/python2.7/dist-packages/slip/dbus/proxies.py", line 50, in __call__
    return dbus.proxies._ProxyMethod.__call__(self, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib/python2.7/dist-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
DBusException: org.fedoraproject.FirewallD1.Exception: global name 'rule_id' is not defined

confusing problems with fedora 22 as an openVZ container

greetings!
I am configuring a new Fedora 22 server install here that is running from an OpenVZ container and having a lot of trouble with the firewall. At least I think the firewall is the cause.
Essentially, I log in remotely via PuTTY and install XFCE so that I can then log in to use remote desktop access via x2go. As soon as I install XFCE (or other desktops, such as KDE) I find that after rebooting I cannot log in via SSH. At this point I have not found a way to make a change that allows me to log back in via SSH at all - so I have no choice but to reinstall the container and start again.

Through exploration I found that the container does not come with firewallD installed and instead has IPTABLES running by default. When XFCE is installed, so too is firewallD. I have confirmed that firewallD is the issue by only installing firewallD and not installing a desktop (after a fresh installation of F22).

So I decided to explore firewallD a bit. In my previous installation (F20) I run firewallD and edit it via the GUI - however, my attempts to configure firewallD via the GUI in F22 made no difference to the problem of me not being able to log in after reboot. I did ensure that the default SSH port was open for the public zone - yet it made no difference.
I have found that when I configure firewallD from the command line, the 'interfaces' parameter that is visible when I run:

firewall-cmd --list-all

begins populated, but after I make any change at all it then becomes empty - for no apparent reason - and I am unable to run any commands successfully to repopulate the parameter. For example, now, when I run:

firewall-cmd --zone=public --change-interface=myinterfaceid

I see an error message that refers to IPTABLES, yet iptables is disabled and as far as I am aware there is no requirement for firewallD to use IPTABLES.

What am I missing here? This really shouldn't be this challenging!

I have raised this with the server operators and they have updated the F22 container to the latest version, but that made no difference.

RFE: Option for -j LOG before -j REJECT in INPUT chain

In my case, firewalld generates an INPUT chain that looks like:

[root@magnesite ~]# iptables -S INPUT
-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited

How about a new configuration option to firewall-cmd like the following?

firewall-cmd --log-rejects-on

This configuration option would insert a new LOG rule to the INPUT chain right before the REJECT rule. The new rule might look something like:

-A INPUT -j LOG --log-prefix "iptables reject: "
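As an added example (not code from the project or from the RFE author), assuming the proposed LOG rule with prefix "iptables reject: " is in place: a small parser for the resulting kernel log lines that counts rejected packets per source/protocol/port and flags sources rejected on many distinct ports. The log lines and addresses are constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

LOG_PREFIX = "iptables reject: "
# netfilter LOG lines are KEY=VALUE tokens; bare flags (DF, SYN, ...) carry no '='.
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample journal lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = """\
Jul  7 11:43:10 host kernel: iptables reject: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jul  7 11:43:11 host kernel: iptables reject: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4712 DF PROTO=TCP SPT=40002 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0
Jul  7 11:43:11 host kernel: iptables reject: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4713 DF PROTO=TCP SPT=40003 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Jul  7 11:43:12 host kernel: iptables reject: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4714 DF PROTO=TCP SPT=40004 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jul  7 11:43:12 host kernel: iptables reject: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=91 DF PROTO=TCP SPT=51000 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0
Jul  7 11:43:13 host kernel: iptables reject: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=92 DF PROTO=TCP SPT=51001 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0
Jul  7 11:43:13 host kernel: iptables reject: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.4 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=93 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jul  7 11:43:14 host systemd[1]: Started Session 3 of user root.
"""


def parse_reject_line(line: str) -> Optional[Dict[str, str]]:
    """Fields of one rejected packet, or None if the line is not a reject log."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    # Only the part after the prefix is KEY=VALUE; the syslog header is skipped.
    return dict(KV_RE.findall(line[idx + len(LOG_PREFIX):]))


def rejects_by_flow(text: str) -> Counter:
    """Count rejected packets per (SRC, PROTO, DPT); DPT is None for ICMP."""
    counts: Counter = Counter()
    for line in text.splitlines():
        fields = parse_reject_line(line)
        if fields is None:
            continue
        key = (fields.get("SRC", "?"), fields.get("PROTO", "?"), fields.get("DPT"))
        counts[key] += 1
    return counts


def sweeping_sources(text: str, min_ports: int = 3) -> List[Tuple[str, int]]:
    """Sources rejected on at least `min_ports` distinct (PROTO, DPT) targets.

    One source hitting many closed ports is the pattern the LOG rule makes
    visible; the threshold is a tunable, not a fixed rule.
    """
    targets: Dict[str, Set[Tuple[str, Optional[str]]]] = {}
    for (src, proto, dpt) in rejects_by_flow(text):
        targets.setdefault(src, set()).add((proto, dpt))
    return sorted((src, len(t)) for src, t in targets.items() if len(t) >= min_ports)


if __name__ == "__main__":
    for (src, proto, dpt), n in sorted(rejects_by_flow(SAMPLE_LOG).items()):
        print(f"{src:>14} {proto:<5} dpt={dpt!s:<5} rejected={n}")
    print("sweeping sources:", sweeping_sources(SAMPLE_LOG))
```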

RFE: KillMode=mixed

firewalld, while it does not fork itself on startup (--nofork), spawns additional short-lived processes (iptables, ebtables, modprobe, ...) during runtime. systemd's default KillMode=control-group (a directive from the [Service] section) sends SIGTERM to all processes present in the service's cgroup the moment it is stopped. For daemons that fork things at runtime the general recommendation is to use KillMode=process (systemd <= 208) or preferably KillMode=mixed (systemd >= 209) and let the daemon itself deal with cleaning up its children.

process sends SIGTERM (and SIGKILL after TimeoutStopSec) only to the main daemon process. mixed OTOH sends SIGTERM only to the main process, but SIGKILL to all of the service's cgroup processes after the timeout.

I think depending on systemd >= 209 is OK today. Major distros have a more recent version: RHEL/CentOS 7.2 (219), Debian 8 (215), SLE/openSUSE 12/13.2 (210), Ubuntu 15.04 (219), Mageia 5 (217). If an older version is used, systemd will emit a warning saying it does not understand mixed and will continue with its default value (control-group).

http://www.freedesktop.org/software/systemd/man/systemd.kill.html#KillMode=

Unspecific NameOwnerChanged DBus matches

firewalld seems to install matches for NameOwnerChanged signals without being specific about what to track. Such signals are sent every time a client connects to the bus, so the daemon is woken up on each occasion. That doesn't scale and should be fixed, so only peers the daemon is really interested in are tracked.

Interfaces are not restored in their zones

Hi,

It doesn't restore the interface config after a service restart. Using Fedora Server 22 with package firewalld-0.3.14.2-2.fc22.noarch.

It looks like somewhere the zone of the interface is not initialized, because of these lines:

2015-07-07 11:43:07 DEBUG1: Setting zone of interface 'vm-net' to 'dmz'
2015-07-07 11:43:08 DEBUG1: Setting zone of interface 'local-net' to 'home'
2015-07-07 11:43:08 DEBUG1: Setting zone of interface 'enp5s3' to 'public'
2015-07-07 11:43:08 DEBUG1: Using default zone 'public'

and at the end

2015-07-07 11:43:08 DEBUG1: zone.changeZoneOfInterface('', 'local-net')
2015-07-07 11:43:08 DEBUG1: Setting zone of interface 'local-net' to 'public'
2015-07-07 11:43:08 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'local-net')
2015-07-07 11:43:08 DEBUG1: zone.ZoneChanged('public', 'local-net')
2015-07-07 11:43:08 DEBUG1: zone.changeZoneOfInterface('', 'enp3s0')
2015-07-07 11:43:08 DEBUG1: Setting zone of interface 'enp3s0' to 'public'
2015-07-07 11:43:08 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'enp3s0')
2015-07-07 11:43:08 DEBUG1: zone.ZoneChanged('public', 'enp3s0')
2015-07-07 11:43:08 DEBUG1: zone.changeZoneOfInterface('', 'enp5s3')
2015-07-07 11:43:08 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'enp5s3')
2015-07-07 11:43:08 DEBUG1: zone.ZoneChanged('public', 'enp5s3')
2015-07-07 11:43:08 DEBUG1: zone.changeZoneOfInterface('', 'vm-net')
2015-07-07 11:43:08 DEBUG1: Setting zone of interface 'vm-net' to 'public'
2015-07-07 11:43:08 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'vm-net')
2015-07-07 11:43:08 DEBUG1: zone.ZoneChanged('public', 'vm-net')

full log:

2015-07-07 11:43:08 DEBUG1: config.ServiceAdded('wbem-https')
2015-07-07 11:43:08 DEBUG1: config.ServiceAdded('xmpp-bosh')
2015-07-07 11:43:08 DEBUG1: config.ServiceAdded('xmpp-client')
2015-07-07 11:43:08 DEBUG1: config.ServiceAdded('xmpp-local')
2015-07-07 11:43:08 DEBUG1: config.ServiceAdded('xmpp-server')
2015-07-07 11:43:08 DEBUG1: config.ZoneAdded('FedoraServer')
2015-07-07 11:43:08 DEBUG1: config.ZoneAdded('FedoraWorkstation')
2015-07-07 11:43:08 DEBUG1: config.ZoneAdded('block')
2015-07-07 11:43:08 DEBUG1: config.ZoneAdded('dmz')
2015-07-07 11:43:08 DEBUG1: config.ZoneAdded('drop')
2015-07-07 11:43:08 DEBUG1: config.ZoneAdded('external')
2015-07-07 11:43:08 DEBUG1: config.ZoneAdded('home')
2015-07-07 11:43:08 DEBUG1: config.ZoneAdded('internal')
2015-07-07 11:43:08 DEBUG1: config.ZoneAdded('public')
2015-07-07 11:43:08 DEBUG1: config.ZoneAdded('trusted')
2015-07-07 11:43:08 DEBUG1: config.ZoneAdded('work')
2015-07-07 11:43:08 DEBUG1: zone.changeZoneOfInterface('', 'local-net')
2015-07-07 11:43:08 DEBUG1: Setting zone of interface 'local-net' to 'public'
2015-07-07 11:43:08 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'local-net')
2015-07-07 11:43:08 DEBUG1: zone.ZoneChanged('public', 'local-net')
2015-07-07 11:43:08 DEBUG1: zone.changeZoneOfInterface('', 'enp3s0')
2015-07-07 11:43:08 DEBUG1: Setting zone of interface 'enp3s0' to 'public'
2015-07-07 11:43:08 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'enp3s0')
2015-07-07 11:43:08 DEBUG1: zone.ZoneChanged('public', 'enp3s0')
2015-07-07 11:43:08 DEBUG1: zone.changeZoneOfInterface('', 'enp5s3')
2015-07-07 11:43:08 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'enp5s3')
2015-07-07 11:43:08 DEBUG1: zone.ZoneChanged('public', 'enp5s3')
2015-07-07 11:43:08 DEBUG1: zone.changeZoneOfInterface('', 'vm-net')
2015-07-07 11:43:08 DEBUG1: Setting zone of interface 'vm-net' to 'public'
2015-07-07 11:43:08 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'vm-net')
2015-07-07 11:43:08 DEBUG1: zone.ZoneChanged('public', 'vm-net')

[Question] Is there a way to determine if firewall-cmd changes a setting?

I'm using firewalld within a devops situation, and it would be helpful to know if firewall-cmd has changed the active configuration after a command has run. Is there a way to do this?

If I run this multiple times I get a 0 exit code and the message 'success':

/bin/firewall-cmd --permanent --zone=trusted --add-source=x.x.x.x

Would you ever consider changing it to 'Success [no change]', or is this out of the scope of firewall-cmd's responsibilities?
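
As an added illustration (not part of the question above and not firewalld's own code), the change detection the question asks for can be built on firewall-cmd's exit status instead of its 'success' message: `--query-source` exits 0 when the source is already bound to the zone and 1 when it is not. The `run` callable is injectable so the logic can be exercised without a live firewalld; the zone and the 192.0.2.10 address in the `__main__` block are assumed values.

```python
import subprocess
from typing import Callable, List

# A runner takes a firewall-cmd argv and returns the process exit status.
# It is injectable so the logic can be exercised without a running firewalld.
Runner = Callable[[List[str]], int]


def run_firewall_cmd(argv: List[str]) -> int:
    """Run firewall-cmd and return its exit status; stdout/stderr are discarded."""
    return subprocess.run(argv, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode


def _base_argv(zone: str, permanent: bool) -> List[str]:
    argv = ["firewall-cmd"]
    if permanent:
        argv.append("--permanent")
    argv.append(f"--zone={zone}")
    return argv


def source_bound(zone: str, addr: str, permanent: bool = True,
                 run: Runner = run_firewall_cmd) -> bool:
    """True if addr is already a source of zone.

    --query-source exits 0 when the source is bound and 1 when it is not,
    so the exit status answers the question without parsing any output.
    """
    return run(_base_argv(zone, permanent) + [f"--query-source={addr}"]) == 0


def ensure_source(zone: str, addr: str, permanent: bool = True,
                  run: Runner = run_firewall_cmd) -> bool:
    """Bind addr to zone unless it already is.

    Returns True when the configuration was changed and False when it was
    already in the desired state.  A failing firewall-cmd raises instead of
    being reported as "unchanged", so the three outcomes stay distinct.
    """
    if source_bound(zone, addr, permanent, run):
        return False
    status = run(_base_argv(zone, permanent) + [f"--add-source={addr}"])
    if status != 0:
        raise RuntimeError(f"firewall-cmd --add-source failed with status {status}")
    return True


if __name__ == "__main__":
    # Typical devops use: reload only when the permanent config actually changed.
    # 'trusted' and 192.0.2.10 (a documentation prefix) are assumed example values.
    if ensure_source("trusted", "192.0.2.10"):
        print("changed, reloading")
        run_firewall_cmd(["firewall-cmd", "--reload"])
    else:
        print("unchanged")
```

The same query-before-add pattern works for `--query-port`, `--query-service` and the other `--query-*` options, which all follow the 0/1 exit-status convention.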

Extend '--add-forward-port' (and the forward-port rich rule) to support the REDIRECT target

There is an interesting case when using --add-forward-port or the forward-port rich rule.

Assume an existing REDIRECT iptables rule

-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

One may think that the equivalent in firewalld would be

rule family=ipv4 forward-port port=80 protocol=tcp to-port=3128

This is not quite right as it would generate

-A PRE_external_allow -p tcp -m mark --mark 0x64 -j DNAT --to-destination :3128

--to-destination :port actually rewrites the port on the packet but leaves the destination address intact. The only way around this is to explicitly set the destination address (to-addr) in the rich rule, but this is not as flexible as the REDIRECT target, since if the machine's IP changes the rule has to be updated, whereas REDIRECT does that automatically.

Since the destination IP is an optional argument, it would make sense for this forward-port to support the REDIRECT target, at least in the rich rule format. How about an extended syntax

forward-port port="" protocol="tcp|udp" to-port="" to-addr="redirect"

so a REDIRECT target can be generated instead?

Finally, it would be nice to add support for REDIRECT (and DNAT) in the OUTPUT chain as well.

Zones not correctly working

I think the zone configuration does not really work:

I have two interfaces (Ethernet and WLAN); the Ethernet interface is in the public zone and the wireless interface is in home. In public there are no ports open, but in home I opened 1714-1764/tcp and 1714-1764/udp (for KDE Connect). But it seems that no ports are open until I move both interfaces into home.

Firewalld DefaultZone change breaking on --reload

My test version was 0.3.9-11, but Lukas Bezdick (@xbezdick) said he received this issue as well when testing; unsure if his test machine was Fedora 23 with 0.3.14-2 or not.

Iptables INPUT OUTPUT and FORWARD all change to policy DROP if you follow these steps.

  1. Set /etc/firewalld/firewalld.conf DefaultZone= to any zone that exists in /usr/lib/firewalld/zones, such as public or trusted.
  2. Ensure that /etc/firewalld/zones/ does not have any custom addon zones. Run systemctl restart firewalld.
  3. Create a zone file of any makeup inside /etc/firewalld/zones/.
  4. Set /etc/firewalld/firewalld.conf DefaultZone= to the name of that new zone you made.
  5. Run firewall-cmd --reload.
You will lose access remotely and the policies will all change to DROP. If you turned --debug=2 on inside /etc/sysconfig/firewalld FIREWALLD_ARGS= then you can look at /var/log/firewalld and you'll see output as follows:

2015-10-20 17:24:40 DEBUG2: firewall.core.ipXtables.ip4tables: /sbin/iptables -A POSTROUTING_ZONES -t nat -o + -g POST_rcgzone
2015-10-20 17:24:40 DEBUG2: firewall.core.ipXtables.ip6tables: /sbin/ip6tables -A POSTROUTING_ZONES -t nat -o + -g POST_rcgzone
2015-10-20 17:24:40 Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/firewall/server/decorators.py", line 53, in dbus_handle_exceptions
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/firewall/server/firewalld.py", line 236, in reload
    self.fw.reload()
  File "/usr/lib/python2.7/site-packages/firewall/core/fw.py", line 680, in reload
    _zone_interfaces[_old_dz][iface]
KeyError: 'rcgzone'

If I had, instead, added that zone and run firewall-cmd --reload and then changed the DefaultZone value in firewalld.conf to that zone name and ran firewall-cmd --reload again, then all would be fine.
The same result occurs for both scenarios even if I use firewall-cmd --permanent --new-zone=rcgzone, as that really only creates the file and does nothing memory/active-wise.

I would consider this to be a pretty major bug, as automated deployments on machines that previously had firewalld enabled, where you'll be adding a zone and changing the DefaultZone via an automated method, will cause you to lose all remote access to them, as they will drop outgoing and incoming packets.

Can we move INPUT_direct and FORWARD_direct to the top of INPUT/FORWARD

I am running rtpengine which runs a kernel module that essentially passes packets back out without it having to go through the user-space stack (for performance). However it needs to get in before the conntrack rule (otherwise the conntrack rule just accepts the packet and passes it into userspace, bypassing the kernel module).

I have tried using the --direct interface to add in a rule above the conntrack (in the INPUT chain), however it just gets added to the INPUT_direct chain instead, which comes after conntrack. I have had to resort to creating a new chain (INPUT_prefilter) using the --direct --passthrough. However this seems like a hack. Also anything done with --passthrough has to be --permanent otherwise it won't survive a --reload (is that a bug?).

So I see two solutions:

  1. Move INPUT_direct so that it is the first in the INPUT chain
  2. Create an INPUT_prefilter chain (as I have done) that is the first in the INPUT chain.

Then for completeness we should do the same with FORWARD.

I am happy to produce a patch to do either.

Thoughts?

firewall-cmd fails on shutdown

CentOS 7 + EPEL here, firewalld-0.3.9-11.el7.noarch. The fail2ban-firewalld package sets the firewall-cmd/ipset action, see

https://bugzilla.redhat.com/show_bug.cgi?id=979622

On shutdown, fail2ban calls:

firewall-cmd --direct --remove-rule ipv4 filter INPUT 0 -p XXX -m multiport --dports XXX -m set --match-set fail2ban-XXX src -j REJECT --reject-with icmp-port-unreachable
ipset flush fail2ban-XXX
ipset destroy fail2ban-XXX

But firewall-cmd fails with (excerpt from /var/log/fail2ban.log):

Traceback (most recent call last):
  File "/usr/bin/firewall-cmd", line 703, in <module>
    fw = FirewallClient()
  File "<string>", line 2, in __init__
  File "/usr/lib/python2.7/site-packages/firewall/client.py", line 52, in handle_exceptions
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/firewall/client.py", line 1594, in __init__
    self.bus = dbus.SystemBus()
  File "/usr/lib64/python2.7/site-packages/dbus/_dbus.py", line 194, in __new__
    private=private)
  File "/usr/lib64/python2.7/site-packages/dbus/_dbus.py", line 100, in __new__
    bus = BusConnection.__new__(subclass, bus_type, mainloop=mainloop)
  File "/usr/lib64/python2.7/site-packages/dbus/bus.py", line 122, in __new__
    bus = cls._new_for_bus(address_or_type, mainloop=mainloop)
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoServer: Failed to connect to socket /var/run/dbus/system_bus_socket: Conex\xc3\xa3o recusada

"Conex\xc3\xa3o recusada" is "Connection refused".

And then ipset also fails:

ipset v6.19: Set cannot be destroyed: it is in use by a kernel component

It only fails this way on system shutdown. When I restart fail2ban.service all works as it should.

On Fedora 22 it works as expected.

pidfile should be tested

2015-05-13 21:37:30 ERROR: Traceback (most recent call last):
  File "/usr/sbin/firewalld", line 132, in startup
    os.remove(pid_file)
OSError: [Errno 2] No such file or directory: '/var/run/firewalld.pid'

I'm already pushing a PR.

Not masquerading loopback is broken

When masquerading is enabled, firewalld creates the following entry to not masquerade loopback traffic:

-A POST_public_allow ! -i lo -j MASQUERADE

The problem is that this rule does not work (at least for me, Fedora 23, linux 4.2.6).

Simple setup to reproduce:
shell 1: nc -v -l 5000
shell 2: nc 127.0.0.1 5000 <<< "foobar"

Output shell 1:

Ncat: Listening on :::5000
Ncat: Listening on 0.0.0.0:5000
Ncat: Connection from 10.0.0.55.
Ncat: Connection from 10.0.0.55:48680.
foobar

To further investigate the issue, I added a LOG target entry and here it is:

IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22617 DF PROTO=TCP SPT=48680 DPT=5000 WINDOW=43690 RES=0x00 SYN URGP=0

So, the IN property is not set (explanation could be that the packet is created on the host, so it was not received by any interface).

I think the best solution would be to change this to "-A POST_public_allow ! -o lo -j MASQUERADE" (checking destination != lo instead of source != lo).
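
An added example, not from the report above and not firewalld or kernel code: it parses the LOG line quoted above into fields and emulates how the `-i`/`-o` interface test of a POSTROUTING rule is evaluated for that packet. The emulation is an approximation of the kernel's interface comparison (name equality, inverted by `!`); the point it makes visible is that a locally generated packet has an empty input interface, which is never equal to `lo`, so `! -i lo` matches it while `! -o lo` does not.

```python
import re
from typing import Dict, Optional

# The LOG line quoted in the report above (copied, not constructed).
SAMPLE_LOG = ("IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 "
              "ID=22617 DF PROTO=TCP SPT=48680 DPT=5000 WINDOW=43690 RES=0x00 SYN URGP=0")

_FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line: str) -> Dict[str, Optional[str]]:
    """Parse the KEY=VALUE fields of a netfilter LOG message.

    Bare flags such as DF or SYN are skipped.  An empty value ("IN=") becomes
    None: the packet was generated locally and never arrived on an interface.
    """
    return {key: (value or None) for key, value in _FIELD.findall(line)}


def iface_rule_matches(pkt: Dict[str, Optional[str]], fragment: str) -> bool:
    """Emulate the -i/-o interface test of an iptables rule such as '! -i lo'.

    Approximation of the kernel's interface comparison (added here, not
    netfilter code): the packet's interface name is compared with the one in
    the rule and a leading '!' inverts the outcome.  A locally generated
    packet has no input interface, which never equals 'lo', so '! -i lo' is
    true for it, while '! -o lo' correctly excludes loopback-bound packets.
    """
    tokens = fragment.split()
    negate = tokens[0] == "!"
    if negate:
        tokens = tokens[1:]
    flag, name = tokens
    if flag not in ("-i", "-o"):
        raise ValueError(f"unsupported option {flag}")
    actual = pkt.get("IN") if flag == "-i" else pkt.get("OUT")
    return (actual != name) if negate else (actual == name)


def masquerade_decisions(line: str) -> Dict[str, bool]:
    """For one LOG line, report whether each candidate POSTROUTING rule would MASQUERADE it."""
    pkt = parse_log_line(line)
    return {rule: iface_rule_matches(pkt, rule) for rule in ("! -i lo", "! -o lo")}


if __name__ == "__main__":
    for rule, hit in masquerade_decisions(SAMPLE_LOG).items():
        print(f"{rule:10} -> {'MASQUERADE' if hit else 'no match'}")
```

The parser is generic enough to run over a journal of LOG output: grouping lines by `OUT` with `IN` empty is a quick way to find other locally generated traffic that an `-i`-based rule would silently catch.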

direct rule gives confusing subnet mask error

Hi,

I am using 0.3.14.2 and I noticed that the following command leads to a very strange problem

~$ firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 1 "-s 192.168.100.0/24 -o tun+ -p tcp -m tcp --dport 33:44 -j MASQUERADE"
Error: COMMAND_FAILED: '/usr/sbin/iptables -w -t nat -I POSTROUTING_direct 1 -s 192.168.100.0/24 -o tun+ -p tcp -m tcp --dport 33:44 -j MASQUERADE' failed: iptables v1.4.21: invalid mask `24 -o tun+ -p tcp -m tcp --dport 33:44 -j MASQUERADE' specified
Try `iptables -h' or 'iptables --help' for more information.
~$
~$ /usr/sbin/iptables -w -t nat -I POSTROUTING_direct 1 -s 192.168.100.0/24 -o tun+ -p tcp -m tcp --dport 33:44 -j MASQUERADE
~$

Running the same commands outside of firewalld does the correct thing though.

I also tried the current master (d7d68f8) with the --debug option and the same problem exists:

2016-01-25 20:26:45 DEBUG1: direct.addRule('ipv4', 'nat', 'POSTROUTING', 1, '-s 192.168.100.0/24 -o tun+ -p tcp -m tcp --dport 33:44 -j MASQUERADE')
2016-01-25 20:26:45 ERROR: COMMAND_FAILED: '/usr/sbin/iptables -w -t nat -I POSTROUTING_direct 1 -s 192.168.100.0/24 -o tun+ -p tcp -m tcp --dport 33:44 -j MASQUERADE' failed: iptables v1.4.21: invalid mask `24 -o tun+ -p tcp -m tcp --dport 33:44 -j MASQUERADE' specified
Try `iptables -h' or 'iptables --help' for more information.
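
An added illustration, not the reporter's command or firewalld's code, of where the error text is consistent with coming from: when the whole rule is one quoted shell word, it reaches firewalld, and therefore iptables, as a single argv element. getopt then treats everything after `-s` as that option's value, and iptables splits the value at the last `/` and parses the mask first, which yields exactly the "invalid mask `24 -o tun+ ...'" message. The builder below splits a string rule into separate tokens and refuses any token that still contains whitespace; `QUOTED_RULE` is the rule from the report.

```python
import shlex
from typing import List, Sequence, Union

# The rule from the report above, as it arrives when passed as ONE quoted shell word.
QUOTED_RULE = "-s 192.168.100.0/24 -o tun+ -p tcp -m tcp --dport 33:44 -j MASQUERADE"


def direct_rule_argv(family: str, table: str, chain: str, priority: int,
                     rule: Union[str, Sequence[str]], permanent: bool = False) -> List[str]:
    """Build the argv for 'firewall-cmd --direct --add-rule'.

    Every element after the priority is forwarded to iptables as one argv
    entry, so the rule must be supplied as separate tokens.  A string is
    split with shell quoting rules; a token that still contains whitespace
    is refused because iptables would receive it as a single option value.
    """
    tokens = shlex.split(rule) if isinstance(rule, str) else list(rule)
    bad = [t for t in tokens if any(c.isspace() for c in t)]
    if bad:
        raise ValueError(f"rule tokens must not contain whitespace: {bad!r}")
    argv = ["firewall-cmd"]
    if permanent:
        argv.append("--permanent")
    return argv + ["--direct", "--add-rule", family, table, chain, str(priority)] + tokens


def mask_seen_by_iptables(single_token: str) -> str:
    """The netmask iptables parses when '-s <value>...' arrives glued into ONE token.

    getopt treats everything after the short option letter as its argument
    (leading space included), and iptables splits that argument at the last
    '/' and validates the mask before the address.  Reproduces the error
    text from the report.  This mirrors the parsing, it is not iptables code.
    """
    if not single_token.startswith("-s"):
        raise ValueError("expected a token starting with -s")
    optarg = single_token[2:]
    if "/" not in optarg:
        return ""
    return optarg.rsplit("/", 1)[1]


if __name__ == "__main__":
    print(" ".join(shlex.quote(a) for a in
                   direct_rule_argv("ipv4", "nat", "POSTROUTING", 1, QUOTED_RULE)))
    print("mask iptables would see from the quoted form:", repr(mask_seen_by_iptables(QUOTED_RULE)))
```

The practical rule for automation wrappers (Ansible modules, shell scripts) is the check in `direct_rule_argv`: never hand firewall-cmd a direct rule as one string, and fail early on any token containing whitespace rather than letting iptables produce a misleading error.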

Default rules conflict with DHCP

It looks like the default rules conflict with systemd-networkd's builtin DHCP server.

How to reproduce:

  • Run a system with:

    • firewalld (e.g. Fedora 22)
    • systemd 219 (or newer)
  • Launch a new systemd-nspawn container with veth networking:

    systemd-nspawn --network-veth -bxD /var/lib/machines/centos7.1-base

What should happen:

  • systemd-nspawn creates the network interface ve-centos71-b

  • systemd-networkd running on the host picks up the network interface and configures it according to the configuration below (including running a minimal DHCP server to hand out IP configurations to containers):

    [Match]
    Name=ve-*
    Driver=veth
    
    [Network]
    # Default to using a /28 prefix, giving up to 13 addresses per container.
    Address=0.0.0.0/28
    LinkLocalAddressing=yes
    DHCPServer=yes
    IPMasquerade=yes
  • systemd-networkd running in the container configures the interface host0 inside the container based on the configuration below:

    [Match]
    Virtualization=container
    Name=host0
    
    [Network]
    DHCP=yes
    LinkLocalAddressing=yes

What happens instead:

  • The host0 interface in the container never receives a DHCP configuration from the DHCP server running on the host because the requests/responses are blocked by firewalld on the host

Stopping firewalld temporarily "fixes" the issue and shows that firewalld is the "culprit" in this case.

Although I'm not quite sure yet how the policy would have to look exactly, I think this should probably be covered by firewalld's default configuration.

Cannot change zone of an interface from firewall-config

Hi,

With 0.3.14.2, I get the following error when trying to change the zone of an interface from firewall-config:

Traceback (most recent call last):
  File "/usr/bin/firewall-config", line 1014, in change_zone_connection_editor
    editor.run()
  File "/usr/bin/firewall-config", line 5318, in run
    connection_obj.Update(settings)
  File "/usr/lib/python2.7/dist-packages/slip/dbus/proxies.py", line 51, in __call__
    return dbus.proxies._ProxyMethod.__call__(self, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib/python2.7/dist-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 7 matched rules; type="method_call", sender=":1.623" (uid=1000 pid=16498 comm="/usr/bin/python -Es /usr/bin/firewall-config ") interface="(unset)" member="Update" error name="(unset)" requested_reply="0" destination=":1.12" (uid=0 pid=1125 comm="/usr/sbin/NetworkManager --no-daemon ")

With 0.3.13 the backtrace was a bit different

ipv6 nat

Hi,

It seems IPv6 NAT should be supported, as listed on http://www.firewalld.org/, but it doesn't seem to work on CentOS7 (i.e. putting the external interface in the 'external' zone is not enough to get it working). IPv4 NAT does work perfectly fine.

This forum post http://forums.fedoraforum.org/showthread.php?t=301894 tries to get it to work and I can replicate the working ping, but I am unable to get any traffic other than ICMP working.

What is the correct way to get IPv6 NAT working? Will it also set net.ipv6.conf.<EXTERNAL>.forwarding to 1?

Firewalld has slow startup on Manjaro

I am running firewalld on Manjaro Linux with GNOME 3.18.3. System startup is really slow because firewalld is taking almost 20 seconds to start. Is there anything I can do to speed up firewalld?

 systemd-analyze blame
         19.929s firewalld.service
          9.189s systemd-journald.service
          4.505s dev-sda3.device
          4.455s systemd-modules-load.service
          4.076s ModemManager.service
          2.821s systemd-fsck@dev-disk-by\x2duuid-fca3eb5c\x2d2981\x2d44c6\x2d8108\x2d9eef32e823a7.service
          2.791s polkit.service
          2.002s plymouth-quit-wait.service
          1.922s avahi-daemon.service
          1.784s systemd-vconsole-setup.service
          1.679s thermald.service
          1.486s systemd-journal-flush.service
          1.149s systemd-logind.service
          1.146s accounts-daemon.service
           955ms systemd-sysctl.service
           953ms gdm-plymouth.service
           867ms systemd-tmpfiles-setup-dev.service
           761ms bluetooth.service
           701ms systemd-user-sessions.service
           655ms systemd-binfmt.service
           608ms sys-kernel-debug.mount
           606ms dev-hugepages.mount
           592ms [email protected]
           487ms systemd-hostnamed.service
           424ms home.mount
           413ms systemd-udevd.service
           387ms [email protected]
           316ms tmp.mount
           315ms systemd-remount-fs.service
           313ms dev-mqueue.mount
           266ms proc-sys-fs-binfmt_misc.mount
           249ms udisks2.service
           242ms systemd-rfkill.service
           239ms packagekit.service
           200ms colord.service
           169ms NetworkManager.service
           167ms systemd-timedated.service
           164ms systemd-backlight@backlight:intel_backlight.service
           149ms alsa-restore.service
           134ms systemd-localed.service
           131ms upower.service
           128ms systemd-tmpfiles-setup.service
           120ms sys-kernel-config.mount
           107ms systemd-timesyncd.service
            94ms systemd-udev-trigger.service
            88ms systemd-random-seed.service
            74ms wpa_supplicant.service
            64ms [email protected]
            49ms systemd-update-utmp.service
            29ms rtkit-daemon.service
            26ms plymouth-start.service
            24ms geoclue.service
            20ms kmod-static-nodes.service
            13ms plymouth-read-write.service
             3ms sys-fs-fuse-connections.mount
 systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2015-11-15 15:35:35 CST; 2min 4s ago
 Main PID: 606 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─606 /usr/bin/python -Es /usr/bin/firewalld --nofork --nopid

Nov 15 15:35:35 ryan-linux-laptop systemd[1]: Started firewalld - dynamic firewall daemon.
Nov 15 15:37:07 ryan-linux-laptop /firewalld[606]: 2015-11-15 15:37:07 ERROR: UNKNOWN_INTERFACE: 'wlp10s0' is not in any zone

No firewalld-applet icon on Gnome 3.12

Hello,

As explained in this bug, the applet doesn't show any icon with gnome-shell >= 3.12

The bug seems to be in the "check_gnome3()" function and the way it detects whether gnome-shell is running.

RFE: Access Notifications

This came up in #fedora on Freenode. Someone was asking to have a notification when an application attempts to access the network, similar to the Windows Firewall. Would it be possible to do this with the firewalld notification? I know auditd, dbus, and firewalld all play a role in this, so I'm not sure where the info would come from, nor if it is easy to implement.

Problem with firewalld and samba

I don't know for sure that this is a firewalld issue, but I have had no response from a couple of forums where I have asked, so I thought I would post the problem here.

For testing, I have Fedora22, Fedora18, and Windows7.

Samba has been added to firewalld as an allowed service on both Fedoras.

If Fedora18 boots up with firewalld enabled, both Fedora22 and Windows7 can connect using samba.

If Fedora22 boots up with firewalld enabled, only Fedora18 can connect; Windows7 cannot see the server at all. If it boots up with firewalld disabled, both can connect.

Booting up with firewalld enabled and then stopping or restarting firewalld makes no difference. However, booting up with firewalld enabled and then restarting nmb makes all the difference - after a few seconds delay, Windows7 can connect.

It seems that when Fedora22 starts with firewalld enabled, samba starts with the server name of LOCALHOST. After restarting nmb and waiting a few seconds, it changes to FEDORA22 (the name specified in /etc/hosts). Once it has changed, Windows7 can connect with no problem.

There are two ways of demonstrating this. Firstly, when samba starts up, it creates the file /var/lib/samba/browse.dat, and you can see the server name there. Secondly, if I run 'nmap -T4 -A -v' against Fedora22 from either Fedora18 or Windows7, under the section 'Host script results', it shows 'NetBIOS name: LOCALHOST'. After restarting nmb, or after rebooting with firewalld disabled, it shows 'NetBIOS name: FEDORA22'.

Fedora18 does not show any of these problems. With firewalld enabled, samba starts up with the server name FEDORA18, and Windows7 can connect straight away.

INPUT_ZONES_SOURCE not creating goto if you change target to anything but default

If you set a source's zone to have any target at all rather than just <zone> in the XML, it will never make the goto pointing to the chain; it will make the chain but not the goto. This means that it will either ACCEPT, DROP or REJECT all items to those sources based on what target you set, and not support rich rules at all.

This is a bug that you stated is corrected in the interfaces but not the sources at the moment.
Version tested: 0.3.12

Thanks for taking a look.

  • Speedr

firewall-cmd does not limit the length of zone names

It is possible to create zones with long names using firewall-cmd. But firewalld is unable to load the zone files:

firewall-cmd --permanent --new-zone=ICanCreateAZoneWithAVeryLongNameButICanNotUseAZoneWithAVeryLongName
firewall-cmd --permanent --new-zone=shortName
firewall-cmd --reload
firewall-cmd --get-zones
block dmz drop external home internal public shortName trusted work

Log message:

ERROR: Failed to load zone file '/etc/firewalld/zones/ICanCreateAZoneWithAVeryLongNameButICanNotUseAZoneWithAVeryLongName.xml': INVALID_NAME: ICanCreateAZon...AVeryLongName.xml

Adding and modifying new services with firewall-cmd.

Right now, firewall-cmd can only add a new blank service with --new-service, but (as far as I can see) it cannot modify services and add/remove ports from it.

Is there a way to accomplish this, short of writing a new XML file to /etc/firewalld/services/ (which is also what the python library does)?

Is this a useful feature? If so, I might go ahead and try to implement it.

Add support to per-source-IP rate limiting

ufw limit ssh will limit connections per source IP to 6 per 30 seconds (non-configurable). After exceeding this limit, new connections from that IP would be rejected. A configurable version of this for firewall-cmd would be very useful. The rich-language variant can currently only be used to limit the total number of connections, something which would easily lock legitimate users out of the system.

The work-around that is circulating around on forums are all variants of this one:

firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp --dport 22 \
    -m state --state NEW -m recent --set
firewall-cmd --direct --add-rule ipv6 filter INPUT_direct 0 -p tcp --dport 22 \
     -m state --state NEW -m recent --set
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 1 -p tcp --dport 22 \
     -m state --state NEW -m recent --update --seconds 30 --hitcount 6 \
     -j REJECT --reject-with tcp-reset
firewall-cmd --direct --add-rule ipv6 filter INPUT_direct 1 -p tcp --dport 22 \
     -m state --state NEW -m recent --update --seconds 30 --hitcount 6 \
     -j REJECT --reject-with tcp-reset

Suggested syntax:

firewall-cmd --add-service ssh --limit 6/30m
firewall-cmd --add-service http --limit 64/1m

Although expanding what is available in the rich language (and improving documentation) may be the way to go. Could be confusing to have two different meanings of “limit”.
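
To make the per-source semantics of the workaround above concrete, here is an added emulation (not firewalld or kernel code) of what the two direct rules do for each source address: `-m recent --set` records the packet's time, and `--update --seconds 30 --hitcount 6` rejects once six or more recorded times fall inside the last 30 seconds, counting the one just recorded, and records the rejected packet as well. The sample connection events are constructed; `list_tot=20` is xt_recent's module default for timestamps kept per address.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple

# Emulation (added here, not firewalld or kernel code) of the per-source
# behaviour of the two direct rules:
#   rule 0: -m recent --set                      records this packet's time
#   rule 1: -m recent --update --seconds S --hitcount N -j REJECT
#           matches when >= N recorded times fall within the last S seconds
#           (the time just recorded counts) and records the matching packet too
# xt_recent keeps at most ip_pkt_list_tot (module default 20) times per address.


class RecentLimiter:
    def __init__(self, seconds: int = 30, hitcount: int = 6, list_tot: int = 20) -> None:
        self.seconds = seconds
        self.hitcount = hitcount
        self._stamps: Dict[str, Deque[float]] = defaultdict(lambda: deque(maxlen=list_tot))

    def _record(self, src: str, now: float) -> None:
        self._stamps[src].append(now)

    def _hits_in_window(self, src: str, now: float) -> int:
        window_start = now - self.seconds
        return sum(1 for t in self._stamps[src] if t >= window_start)

    def new_connection(self, src: str, now: float) -> str:
        """Decide 'accept' or 'reject' for a NEW connection from src at time now (seconds)."""
        self._record(src, now)                               # rule 0: --set
        if self._hits_in_window(src, now) >= self.hitcount:  # rule 1: --update ... --hitcount
            self._record(src, now)                           # --update also records on a match
            return "reject"
        return "accept"


def replay(events: Iterable[Tuple[float, str]],
           limiter: RecentLimiter) -> List[Tuple[float, str, str]]:
    """Run a sequence of (time, source) NEW-connection attempts through the limiter."""
    return [(t, src, limiter.new_connection(src, t)) for t, src in events]


# Constructed sample: 198.51.100.7 bursts, 203.0.113.9 connects once in the
# middle, and the burst source comes back after the window has passed.
SAMPLE_EVENTS: List[Tuple[float, str]] = [
    (0.0, "198.51.100.7"), (1.0, "198.51.100.7"), (2.0, "198.51.100.7"),
    (3.0, "198.51.100.7"), (4.0, "198.51.100.7"), (5.0, "198.51.100.7"),
    (5.5, "203.0.113.9"), (6.0, "198.51.100.7"), (40.0, "198.51.100.7"),
]

if __name__ == "__main__":
    for t, src, decision in replay(SAMPLE_EVENTS, RecentLimiter()):
        print(f"t={t:5.1f}  {src:14}  {decision}")
```

Two things the replay makes visible that the forum one-liners do not: the sixth connection inside the window is the first one rejected (the `--set` before the `--update` counts the current packet), and because a rejected attempt is recorded too, a client that keeps retrying extends its own lockout. The second source is unaffected, which is the per-source property the request is after.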

Accept/Reject/Drop Forwarding packets

It would be great if there were an option to create a rule for forwarded packets within any zone.

For example: firewall-cmd --zone=internal --add-rich-rule='rule family="ipv4" source address="192.168.100.0/24" service name="http" type="forward" drop'

This way you can control any forwarding traffic coming from your LAN to the Internet or any other Interface.

only 1 command works under funtoo firewalld-0.3.13

--disable-systemd <--- is this a hard dep?

It's setting allow all on all first entries; the entire package is pretty much useless, except that blocking all network traffic works fine from firewall-applet.

I've tried shields up/down, multiple zones, and reloading the firewall in every which way possible. I got some icmp blocks from arbitrary iptables rule flushings. You can find ebuilds in my tripsix overlay on github :-)

rich masquerading: it works

Just in case I forget to catch you, @t-woerner

Using

firewall-cmd --add-rich-rule='rule family="ipv4" masquerade source address="10.5.0.0/16" destination not address="10.5.0.0/16"'

will ensure the following changes in the tables:

NAT:
+-A POST_public_allow -s 10.5.0.0/16 ! -d 10.5.0.0/16 -j MASQUERADE
FILTER:
+-A FWDO_public_allow ! -s 10.5.0.0/16 -d 10.5.0.0/16 -j ACCEPT

I'm inspecting what the second rule really grants, but it seems fine.

--list-all without zone

Calling 'firewall-cmd --list-all' will display only stuff about the default zone, which is counter-intuitive and contradictory to the command name: the 'list-all' command should list data from all zones unless a zone is specified explicitly.

Maybe it's worth introducing an --actually-list-all option or something like that?

Please add support for blocking one or more codes of an ICMP type

Right now firewalld either blocks or allows an ICMP packet based on its type. However, certain ICMP types (eg type 3) have multiple codes associated with them. iptables can match such packets using '--icmp-type 3/2' which matches icmp packets of type=3 and code=2. Please consider adding such functionality to firewalld.

Interactive mode to avoid locking yourself out

How do you feel about adding an interactive mode that automatically undoes any change unless the user confirms after the change is executed? The idea is totally stolen from ferm (and probably from some other tool before), but it's a great way to stop locking yourself out accidentally when testing new rules in development/staging.

man ferm writes:

    --interactive
        Apply the firewall rules and ask the user for confirmation. Reverts to the previous ruleset
        if there is no valid user response within 30 seconds (see --timeout). This is useful for
        remote firewall administration: you can test the rules without fearing to lock yourself out.

    --timeout S
        If --interactive is used, then roll back if there is no valid user response after this number
        of seconds. The default is 30.
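
The confirm-or-revert pattern from the ferm excerpt, implemented as an added example on top of runtime (non-permanent) firewall-cmd calls. This is not firewalld's code; the rich rule, the `public` zone and the 30 second timeout in the `__main__` block are assumed values, and the `run` and `confirm` callables are injectable so the control flow can be tested without a firewall.

```python
import select
import subprocess
import sys
from typing import Callable, List

Runner = Callable[[List[str]], int]


def run_cmd(argv: List[str]) -> int:
    """Run a command and return its exit status; output is discarded."""
    return subprocess.run(argv, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode


def stdin_confirm(timeout: float) -> Callable[[], bool]:
    """Build a confirm() that waits up to timeout seconds for 'y' on stdin.

    Silence (the operator has locked themselves out) or any other answer
    means the change is rolled back, mirroring ferm's --interactive/--timeout.
    """
    def confirm() -> bool:
        print(f"Change applied. Type y<Enter> within {timeout:.0f}s to keep it: ",
              end="", flush=True)
        ready, _, _ = select.select([sys.stdin], [], [], timeout)
        return bool(ready) and sys.stdin.readline().strip().lower() == "y"
    return confirm


def apply_with_rollback(apply_argv: List[str], revert_argv: List[str],
                        confirm: Callable[[], bool], run: Runner = run_cmd) -> str:
    """Apply a change, keep it only if confirm() returns True, otherwise revert it.

    Returns "kept", "reverted" or "apply-failed".  The argv pair is meant to
    be runtime (non --permanent) firewall-cmd calls: if the revert itself can
    never run, a 'firewall-cmd --reload' or a reboot still discards the change.
    """
    if run(apply_argv) != 0:
        return "apply-failed"
    if confirm():
        return "kept"
    run(revert_argv)
    return "reverted"


if __name__ == "__main__":
    # Assumed example change: drop a documentation prefix in the public zone, runtime only.
    rule = 'rule family="ipv4" source address="203.0.113.0/24" drop'
    outcome = apply_with_rollback(
        ["firewall-cmd", "--zone=public", f"--add-rich-rule={rule}"],
        ["firewall-cmd", "--zone=public", f"--remove-rich-rule={rule}"],
        stdin_confirm(30.0))
    print(outcome)
```

firewall-cmd's own `--timeout=` option on runtime add operations removes the rule after the interval without asking, which covers the lock-out half of the request on its own; the wrapper above adds the "keep it if I confirm" half.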

RFE: Add a way to filter outgoing traffic

Currently there is no easy way to filter outgoing traffic. It would be nice to add this functionality. I would like to block outgoing traffic by default except for some critical services like dns, web browser, email client, package manager.

continuing to fix reloads

I'm on my way to get reload reworked; as for now, I have another trace to inspect:

2015-05-12 18:25:15 Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/firewall/server/decorators.py", line 57, in dbus_handle_exceptions
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/firewall/server/firewalld.py", line 236, in reload
    self.fw.reload()
  File "/usr/lib/python2.7/dist-packages/firewall/core/fw.py", line 712, in reload
    self.direct.set_config(_direct_config)
  File "/usr/lib/python2.7/dist-packages/firewall/core/fw_direct.py", line 120, in set_config
    for (priority, args) in _rules[chain_id]:
TypeError: 'int' object is not iterable
