Thanks, but it appears that KDE Control Manager is connected in some
way; it responds to zone changes. Only iptables does not seem to
respond.
On 03/26/2014 11:31 AM, Thomas Woerner wrote:
Hello John,
On 03/25/2014 09:51 PM, John Griffiths wrote:
> As far as I can tell, the trusted zone is not being used at all. True?
>
The trusted zone is only used if you bind something to it, for
example an interface or a source address (range).
> The firewall-config shows the VPN bound to the trusted zone.
The VPNs handled by NM are currently not bound to a firewall zone.
This is something that should be fixed soon in NM. The needed parts in
firewalld are there, but there is no source binding requested by NM so
far.
> KDE Control Manager shows the VPN in the trusted zone. It shows the
> wired connection in the home zone.
> Any ideas on what I can do to accomplish letting the VPN be totally
> trusted? If that cannot be done, how about totally trusting a host at
> the other end of the VPN?
>
For now you can bind the addresses or address ranges of your VPN
connection to the trusted zone.
Please have a look at the firewall-cmd man page or use the config tool.
For testing (runtime only):
firewall-cmd [--zone=zone] --add-source=source[/mask]
For permanent change:
firewall-cmd --permanent [--zone=zone] --add-source=source[/mask]
> Regards,
> John
>
Regards,
Thomas
> On 03/11/2014 10:17 AM, John Griffiths wrote:
>>
>> On 03/11/2014 09:31 AM, Jiri Popelka wrote:
>>> On 03/07/2014 09:42 PM, John Griffiths wrote:
>>>> I have a VPN that is in the "trusted" zone. The trusted zone has no
>>>> services enabled but has ports 0-65535 TCP and UDP.
>>>
>>> Could you attach the XML file of your "trusted" zone ?
>>>
>> <?xml version="1.0" encoding="utf-8"?>
>> <zone target="ACCEPT">
>> <short>Trusted</short>
>> <description>All network connections are accepted.</description>
>> <port protocol="tcp" port="0-65535"/>
>> <port protocol="udp" port="0-65535"/>
>> </zone>
>>
>>>> When I bring up the VPN, not all the ports seem to be open.
>>>
>>> Also iptables-save output would be useful.
>> This is with the VPN up.
>>
>> # Generated by iptables-save v1.4.18 on Tue Mar 11 10:13:32 2014
>> *nat
>> :PREROUTING ACCEPT [5273:585641]
>> :INPUT ACCEPT [4009:381138]
>> :OUTPUT ACCEPT [23604:1760232]
>> :POSTROUTING ACCEPT [23604:1760232]
>> :OUTPUT_direct - [0:0]
>> :POSTROUTING_ZONES - [0:0]
>> :POSTROUTING_ZONES_SOURCE - [0:0]
>> :POSTROUTING_direct - [0:0]
>> :POST_home - [0:0]
>> :POST_home_allow - [0:0]
>> :POST_home_deny - [0:0]
>> :POST_home_log - [0:0]
>> :PREROUTING_ZONES - [0:0]
>> :PREROUTING_ZONES_SOURCE - [0:0]
>> :PREROUTING_direct - [0:0]
>> :PRE_home - [0:0]
>> :PRE_home_allow - [0:0]
>> :PRE_home_deny - [0:0]
>> :PRE_home_log - [0:0]
>> -A PREROUTING -j PREROUTING_direct
>> -A PREROUTING -j PREROUTING_ZONES_SOURCE
>> -A PREROUTING -j PREROUTING_ZONES
>> -A OUTPUT -j OUTPUT_direct
>> -A POSTROUTING -j POSTROUTING_direct
>> -A POSTROUTING -j POSTROUTING_ZONES_SOURCE
>> -A POSTROUTING -j POSTROUTING_ZONES
>> -A POSTROUTING_ZONES -o em1 -g POST_home
>> -A POSTROUTING_ZONES -g POST_home
>> -A POST_home -j POST_home_log
>> -A POST_home -j POST_home_deny
>> -A POST_home -j POST_home_allow
>> -A PREROUTING_ZONES -i em1 -g PRE_home
>> -A PREROUTING_ZONES -g PRE_home
>> -A PRE_home -j PRE_home_log
>> -A PRE_home -j PRE_home_deny
>> -A PRE_home -j PRE_home_allow
>> COMMIT
>> # Completed on Tue Mar 11 10:13:32 2014
>> # Generated by iptables-save v1.4.18 on Tue Mar 11 10:13:32 2014
>> *mangle
>> :PREROUTING ACCEPT [527279:593251824]
>> :INPUT ACCEPT [527279:593251824]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [481339:480231494]
>> :POSTROUTING ACCEPT [482918:480524178]
>> :FORWARD_direct - [0:0]
>> :INPUT_direct - [0:0]
>> :OUTPUT_direct - [0:0]
>> :POSTROUTING_direct - [0:0]
>> :PREROUTING_ZONES - [0:0]
>> :PREROUTING_ZONES_SOURCE - [0:0]
>> :PREROUTING_direct - [0:0]
>> :PRE_home - [0:0]
>> :PRE_home_allow - [0:0]
>> :PRE_home_deny - [0:0]
>> :PRE_home_log - [0:0]
>> -A PREROUTING -j PREROUTING_direct
>> -A PREROUTING -j PREROUTING_ZONES_SOURCE
>> -A PREROUTING -j PREROUTING_ZONES
>> -A INPUT -j INPUT_direct
>> -A FORWARD -j FORWARD_direct
>> -A OUTPUT -j OUTPUT_direct
>> -A POSTROUTING -j POSTROUTING_direct
>> -A PREROUTING_ZONES -i em1 -g PRE_home
>> -A PREROUTING_ZONES -g PRE_home
>> -A PRE_home -j PRE_home_log
>> -A PRE_home -j PRE_home_deny
>> -A PRE_home -j PRE_home_allow
>> COMMIT
>> # Completed on Tue Mar 11 10:13:32 2014
>> # Generated by iptables-save v1.4.18 on Tue Mar 11 10:13:32 2014
>> *security
>> :INPUT ACCEPT [525887:593042099]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [481341:480231594]
>> :FORWARD_direct - [0:0]
>> :INPUT_direct - [0:0]
>> :OUTPUT_direct - [0:0]
>> -A INPUT -j INPUT_direct
>> -A FORWARD -j FORWARD_direct
>> -A OUTPUT -j OUTPUT_direct
>> COMMIT
>> # Completed on Tue Mar 11 10:13:32 2014
>> # Generated by iptables-save v1.4.18 on Tue Mar 11 10:13:32 2014
>> *raw
>> :PREROUTING ACCEPT [527281:593251924]
>> :OUTPUT ACCEPT [481341:480231594]
>> :OUTPUT_direct - [0:0]
>> :PREROUTING_direct - [0:0]
>> -A PREROUTING -j PREROUTING_direct
>> -A OUTPUT -j OUTPUT_direct
>> COMMIT
>> # Completed on Tue Mar 11 10:13:32 2014
>> # Generated by iptables-save v1.4.18 on Tue Mar 11 10:13:32 2014
>> *filter
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [481339:480231494]
>> :FORWARD_IN_ZONES - [0:0]
>> :FORWARD_IN_ZONES_SOURCE - [0:0]
>> :FORWARD_OUT_ZONES - [0:0]
>> :FORWARD_OUT_ZONES_SOURCE - [0:0]
>> :FORWARD_direct - [0:0]
>> :FWDI_home - [0:0]
>> :FWDI_home_allow - [0:0]
>> :FWDI_home_deny - [0:0]
>> :FWDI_home_log - [0:0]
>> :FWDO_home - [0:0]
>> :FWDO_home_allow - [0:0]
>> :FWDO_home_deny - [0:0]
>> :FWDO_home_log - [0:0]
>> :INPUT_ZONES - [0:0]
>> :INPUT_ZONES_SOURCE - [0:0]
>> :INPUT_direct - [0:0]
>> :IN_home - [0:0]
>> :IN_home_allow - [0:0]
>> :IN_home_deny - [0:0]
>> :IN_home_log - [0:0]
>> :OUTPUT_direct - [0:0]
>> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>> -A INPUT -i lo -j ACCEPT
>> -A INPUT -j INPUT_direct
>> -A INPUT -j INPUT_ZONES_SOURCE
>> -A INPUT -j INPUT_ZONES
>> -A INPUT -p icmp -j ACCEPT
>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>> -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>> -A FORWARD -i lo -j ACCEPT
>> -A FORWARD -j FORWARD_direct
>> -A FORWARD -j FORWARD_IN_ZONES_SOURCE
>> -A FORWARD -j FORWARD_IN_ZONES
>> -A FORWARD -j FORWARD_OUT_ZONES_SOURCE
>> -A FORWARD -j FORWARD_OUT_ZONES
>> -A FORWARD -p icmp -j ACCEPT
>> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>> -A OUTPUT -j OUTPUT_direct
>> -A FORWARD_IN_ZONES -i em1 -g FWDI_home
>> -A FORWARD_IN_ZONES -g FWDI_home
>> -A FORWARD_OUT_ZONES -o em1 -g FWDO_home
>> -A FORWARD_OUT_ZONES -g FWDO_home
>> -A FWDI_home -j FWDI_home_log
>> -A FWDI_home -j FWDI_home_deny
>> -A FWDI_home -j FWDI_home_allow
>> -A FWDO_home -j FWDO_home_log
>> -A FWDO_home -j FWDO_home_deny
>> -A FWDO_home -j FWDO_home_allow
>> -A INPUT_ZONES -i em1 -g IN_home
>> -A INPUT_ZONES -g IN_home
>> -A IN_home -j IN_home_log
>> -A IN_home -j IN_home_deny
>> -A IN_home -j IN_home_allow
>> -A IN_home_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p udp -m udp --dport 137 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p udp -m udp --dport 138 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p tcp -m tcp --dport 139 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p tcp -m tcp --dport 445 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p tcp -m tcp --dport 5900:5903 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p tcp -m tcp --dport 993 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p tcp -m tcp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p udp -m udp --dport 1194 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p tcp -m tcp --dport 3306 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p tcp -m tcp --dport 5432 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p udp -m udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p tcp -m tcp --dport 995 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p udp -m udp --dport 137 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p udp -m udp --dport 138 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p tcp -m tcp --dport 51413 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p tcp -m tcp --dport 5059:5061 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p udp -m udp --dport 1998 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p udp -m udp --dport 54925 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p tcp -m tcp --dport 5269 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p udp -m udp --dport 5900:5999 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p tcp -m tcp --dport 5298 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p udp -m udp --dport 587 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p tcp -m tcp --dport 1998 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p tcp -m tcp --dport 8181 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p tcp -m tcp --dport 5222:5223 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p tcp -m tcp --dport 1099 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p udp -m udp --dport 6881:6999 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p udp -m udp --dport 6566 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p tcp -m tcp --dport 8080 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p tcp -m tcp --dport 9090:9091 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p udp -m udp --dport 4000:4050 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p tcp -m tcp --dport 5900:5999 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p udp -m udp --dport 5059:5061 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p tcp -m tcp --dport 3551 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p udp -m udp --dport 4848 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p udp -m udp --dport 5298 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p udp -m udp --dport 5222:5223 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p tcp -m tcp --dport 6881:6999 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p tcp -m tcp --dport 5280:5281 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p tcp -m tcp --dport 4000:4050 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p tcp -m tcp --dport 587 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p tcp -m tcp --dport 5800:5899 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p udp -m udp --dport 3551 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p tcp -m tcp --dport 6566 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p udp -m udp --dport 9090:9091 -m conntrack --ctstate NEW -j ACCEPT
>> -A IN_home_allow -p tcp -m tcp --dport 4848 -m conntrack --ctstate NEW -j ACCEPT
>> COMMIT
>> # Completed on Tue Mar 11 10:13:32 2014
>>
>>>
>>>> What am I missing?
>>>
>>> No idea.
>>>
>>> --
>>> Jiri
>>>
>>>
>>> _______________________________________________
>>> firewalld-users mailing list
>>> firewalld-users(a)lists.fedorahosted.org
>>> https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
>>
>
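As an added illustration of Thomas's point (example code, not part of the thread or of firewalld), the following Python replays the zone dispatch visible in the posted iptables-save output: with only em1 bound to "home", packets from an unbound VPN interface fall through to the interface-less catch-all rule and land in "home", and only a source binding puts them in "trusted". The VPN interface name tun0, the VPN range 10.8.0.0/24 and the exact shape of the INPUT_ZONES_SOURCE rule that --add-source creates are assumptions.

```python
import ipaddress
import re

# Constructed sample: the INPUT zone-dispatch lines from the iptables-save
# output posted above. Only em1 is bound (to "home"); no IN_trusted chain exists.
AS_POSTED = """\
-A INPUT_ZONES -i em1 -g IN_home
-A INPUT_ZONES -g IN_home
"""

# Assumed: the dispatch after
#   firewall-cmd --zone=trusted --add-source=10.8.0.0/24
# (10.8.0.0/24 is a made-up VPN range; the rule shape is an assumption).
AFTER_ADD_SOURCE = AS_POSTED + "-A INPUT_ZONES_SOURCE -s 10.8.0.0/24 -g IN_trusted\n"

SOURCE_RULE = re.compile(r"^-A INPUT_ZONES_SOURCE -s (\S+) -g IN_(\S+)$")
IFACE_RULE = re.compile(r"^-A INPUT_ZONES -i (\S+) -g IN_(\S+)$")
CATCHALL_RULE = re.compile(r"^-A INPUT_ZONES -g IN_(\S+)$")


def parse_dispatch(dump):
    """Collect source bindings, interface bindings and the catch-all zone."""
    sources, ifaces, catchall = [], {}, None
    for line in dump.splitlines():
        if m := SOURCE_RULE.match(line):
            sources.append((ipaddress.ip_network(m.group(1)), m.group(2)))
        elif m := IFACE_RULE.match(line):
            ifaces.setdefault(m.group(1), m.group(2))  # first match wins
        elif m := CATCHALL_RULE.match(line):
            catchall = catchall or m.group(1)
    return sources, ifaces, catchall


def zone_for(dump, iface, src_ip):
    """Replay the INPUT ordering from the dump: INPUT_ZONES_SOURCE is consulted
    before INPUT_ZONES, and the interface-less rule in INPUT_ZONES is the
    fallback for any interface not bound to a zone (e.g. a VPN tun device)."""
    sources, ifaces, catchall = parse_dispatch(dump)
    addr = ipaddress.ip_address(src_ip)
    for net, zone in sources:
        if addr in net:
            return zone
    return ifaces.get(iface, catchall)


if __name__ == "__main__":
    # Assumed VPN interface: tun0. Before the source binding VPN traffic
    # falls through to "home"; afterwards it lands in "trusted".
    print(zone_for(AS_POSTED, "tun0", "10.8.0.5"))         # home
    print(zone_for(AFTER_ADD_SOURCE, "tun0", "10.8.0.5"))  # trusted
```

Note that the source binding takes precedence over the interface binding, so the same address arriving on em1 would also be treated as "trusted"; bind only the range that actually belongs to the VPN.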