[Solved] Firewalld missing interface

LeftyAce · 2019-12-10 06:15:57

Hi all,

I'm trying to configure firewalld to allow connections to NFS over my usb-c/ethernet port. I have modified the "home" zone to allow nfs and nfs3, and now I need to tell firewalld that my ethernet connection should be on the "home" zone. But firewalld doesn't see my ethernet port in the list of interfaces.

I'm on a laptop with the following interfaces (as reported by 'ip link'):

enp0s31f6
wlp2s0
enp59s0u2u1

enp59s0u2u1 is an ethernet port on a USB-C dock, and is the one I want to use. I can tell netctl-auto to use it, and it works fine, I can connect to the internet through this port. But if I start the firewall-config GUI, the only interfaces listed are wlp2s0 (wireless card) and enp0s31f6 (which isn't connected to anything). Similarly on the command-line I get the following output from firewall-cmd --list-interfaces

#firewall-cmd --list-interfaces
enp0s31f6 wlp2s0

I've tried restarting firewalld (systemctl restart firewalld), but no change.

Any idea why firewalld doesn't detect one of my interfaces?

Last edited by LeftyAce (2019-12-11 06:09:55)

judd1 · 2019-12-10 12:49:00

https://firewalld.org/documentation/

LeftyAce · 2019-12-10 15:51:07

Ok, I thought it went without saying, but evidently not. I've scoured the firewalld website, the man page, and google, and either this scenario isn't addressed or I'm not recognizing it when I see it. If the latter is the case, I would be eternally grateful if you could highlight the section that addresses this issue.

judd1 · 2019-12-10 16:28:09

I have reread the documentation and I cannot realize it either. I'm sorry about that.

The configuration is lost when the firewalld service is restarted:

# systemctl restart firewalld

# firewall-cmd --zone = work --list-services

To make permanent changes:

# firewall-cmd --permanent --zone=public --add-service=http

Last edited by judd1 (2019-12-10 16:51:21)

fukawi2 · 2019-12-11 01:18:44

What happens if you just run `firewall-cmd --zone=home --add-interface=enp59s0u2u1`?

LeftyAce · 2019-12-11 06:09:31

fukawi2, that solved it, thank you! And judd1, the solution was sort of in the man page, I just didn't recognize it :-)

Summary:

firewall-cmd --list-interfaces

requires a zone argument. If none is provided, it lists interfaces assigned to the default zone. Because I had already added the new interface to a _different_ zone, it didn't show up in this command.

firewall-cmd --get-active-zones

DOES show the all active zones, and indicates that my other ethernet card is assigned to the correct zone.

So it looks like firewall-cmd does not have a way to list all interfaces that you _could_ assign to zones. I guess that's up to you to use

ip link

Note: it appears you can add a nonsense interface to a zone:

# firewall-cmd --zone=home --add-interface=fakeinterface
success
# firewall-cmd  --get-active-zones
home
  interfaces: fakeinterface
public
  interfaces: enp0s31f6 wlp2s0 enp59s0u2u1

I'm not sure what the consequences of this would be...

fukawi2 · 2019-12-11 06:12:52

LeftyAce wrote:

I'm not sure what the consequences of this would be...

Nothing would ever match it, so it would just be irrelevant noise. It could be useful to configure a transient interface (eg VPN "tun0" etc).

LeftyAce · 2019-12-11 07:17:58

Oh perfect. The situation I'm dealing with is also a transient interface (a USB-ethernet adapter that's often not present).

Arch Linux

#1 2019-12-10 06:15:57

[Solved] Firewalld missing interface

#2 2019-12-10 12:49:00

Re: [Solved] Firewalld missing interface

#3 2019-12-10 15:51:07

Re: [Solved] Firewalld missing interface

#4 2019-12-10 16:28:09

Re: [Solved] Firewalld missing interface

#5 2019-12-11 01:18:44

Re: [Solved] Firewalld missing interface

#6 2019-12-11 06:09:31

Re: [Solved] Firewalld missing interface

#7 2019-12-11 06:12:52

Re: [Solved] Firewalld missing interface

#8 2019-12-11 07:17:58

Re: [Solved] Firewalld missing interface

Board footer