
#1 2023-02-21 13:41:54

Utini
Member
Registered: 2015-09-28
Posts: 476

Question regarding firewalld setup/configuration

Hello everyone,
I am on KDE with plasma-firewall and firewalld installed.

By default it uses the "public" zone, which "denies incoming" and "allows outgoing".
So this means that nothing from the outside can access my laptop (e.g. if I SMB share some folders, no one in the network will be able to see them)?
At the same time, I should be able to access everything (e.g. network printers, SMB shared folders on other devices, torrent downloads, ...)?

I can add/allow services, e.g. samba and samba-client.
I guess samba refers to the samba server (as if I want to create a shared folder on my device to share with others) and samba-client refers to the app that allows me to access other shared folders in the network?
In this case I won't even need to allow samba-client because all the "outgoing" is allowed anyway?

Basically I only need to allow packages that act like a "server" on my device e.g.:
Torrent client to seed
Media Server (minidlna, mpd,...)
SMB Shared Folder on my device
SSH Server
FTP Server
Printer Re-sharing
Syncthing
OpenVPN Server
...
?

But the client functions should work already, e.g.:
Torrent client to download
Connecting to other media servers
Connecting to smb shared folders
SSH client
FTP Client
Accessing network printers
OpenVPN Client
...
?

Am I understanding this correctly?

Thanks in advance!


Setup 1: Thinkpad T14s G3, 14" FHD - R7 6850U - 32GB RAM - 2TB Solidigm P44 Pro NVME
Setup 2: Thinkpad X1E G1, 15.6" FHD - i7-8850H - 32GB RAM - NVIDIA GTX 1050Ti - 2x 1TB Samsung 970 Pro NVME
Accessories: Filco Majestouch TKL MX-Brown Mini Otaku, Benq XL2420T (144Hz), Lo(w)gitech G400, Puretrak Talent, Sennheiser HD800S + Meier Daccord FF + Meier Classic FF

Offline

#2 2023-03-17 06:39:20

Utini
Member
Registered: 2015-09-28
Posts: 476

Re: Question regarding firewalld setup/configuration

Huh, really - no one? :S



Offline

#3 2023-03-17 17:21:55

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 20,268

Re: Question regarding firewalld setup/configuration

Utini wrote:

Huh, really - no one? :S

Don't do that.  Tell us more information, tell us what you have read since your last post.
I have a note that you may be running Parabola.  Is that true?


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way

Offline

#4 2023-03-18 10:06:02

Utini
Member
Registered: 2015-09-28
Posts: 476

Re: Question regarding firewalld setup/configuration

ewaller wrote:
Utini wrote:

Huh, really - no one? :S

Don't do that.  Tell us more information, tell us what you have read since your last post.
I have a note that you may be running Parabola.  Is that true?

Okidoki - sorry.

Regarding your note:
Interesting that you have that noted.
But no, I am not using Parabola and have also never used it before.
I had the Parabola repo added to use their versions of firefox, geoclue, webkit, ...
But that was ages ago.

Regarding the firewall:
From what I read in the meantime, my assumption seems to be correct. But I am still unsure.
At home I am behind a configured router.
But in public Wi-Fis I might be vulnerable without a firewall.



Offline

#5 2023-03-19 12:36:07

-thc
Member
Registered: 2017-03-15
Posts: 749

Re: Question regarding firewalld setup/configuration

Utini wrote:

Basically I only need to allow packages that act like a "server" on my device e.g.:
Torrent client to seed
Media Server (minidlna, mpd,...)
SMB Shared Folder on my device
SSH Server
FTP Server
Printer Re-sharing
Syncthing
OpenVPN Server

[...]

At home I am behind a configured router.
But in public WiFis I might be vulnerable without a firewall.

I think I finally understood the root cause of your questions.

The "serving list" of your PC (which - according to your signature - is a notebook) reads like your PC is acting like a small workgroup server at home. If you take this PC on a ride you use it as a mobile client but then it's too exposed in a public Wi-Fi.

I see several possibilities with pros and cons:

1. Have you considered building a physical server or using a NAS? Depending on the transfer speeds this may even be something like a Raspberry Pi.
2. Use a dedicated network device. If your notebook doesn't have a LAN port you may consider a docking station or a USB LAN adapter. Bind your services only to this adapter and/or use a firewall profile.
3. Switch between dedicated firewall profiles ("home" and "public").

Offline

#6 2023-03-19 19:27:35

Utini
Member
Registered: 2015-09-28
Posts: 476

Re: Question regarding firewalld setup/configuration

-thc wrote:
Utini wrote:

Basically I only need to allow packages that act like a "server" on my device e.g.:
Torrent client to seed
Media Server (minidlna, mpd,...)
SMB Shared Folder on my device
SSH Server
FTP Server
Printer Re-sharing
Syncthing
OpenVPN Server

[...]

At home I am behind a configured router.
But in public WiFis I might be vulnerable without a firewall.

I think I finally understood the root cause of your questions.

The "serving list" of your PC (which - according to your signature - is a notebook) reads like your PC is acting like a small workgroup server at home. If you take this PC on a ride you use it as a mobile client but then it's too exposed in a public Wi-Fi.

I see several possibilities with pros and cons:

1. Have you considered building a physical server or using a NAS? Depending on the transfer speeds this may even be something like a Raspberry Pi.
2. Use a dedicated network device. If your notebook doesn't have a LAN port you may consider a docking station or a USB LAN adapter. Bind your services only to this adapter and/or use a firewall profile.
3. Switch between dedicated firewall profiles ("home" and "public").

Hi, well, yes, basically a small workgroup server with basic services running (samba, printer share, whatever).
So in a random public Wi-Fi I could expose all that freely to others.

I have a 500/110 Mbit connection at home and run an OpenVPN server on my router.
I usually use that OpenVPN when on a public network.
So yes, I am already following your solution #1. But that causes a bit more battery drain and slows down the network.
Your solution #3 is what I was thinking about.

Regarding #3:
So basically use a firewall and have two profiles: home and public
Use "home" whenever I am in a safe network (e.g. home or at work).
Use "public" everywhere else.
I guess "home" basically doesn't restrict at all, kinda like not having a firewall at all.
While "public" denies everything from the outside that wants to access my laptop while allowing everything from my laptop to go outside?



Offline

#7 2023-03-20 03:09:15

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 20,268

Re: Question regarding firewalld setup/configuration

Utini wrote:

Regarding your note:
Interesting that you have that noted yikes
But not, I am not using parabola and also never used it before.
I had the parabola repo added to use their version of firefox, geoclue, webkit,..
But that was ages ago.

Note removed.



Offline

#8 2023-03-20 06:25:32

-thc
Member
Registered: 2017-03-15
Posts: 749

Re: Question regarding firewalld setup/configuration

Utini wrote:

Your solution #3 is what I was thinking about.

Those two zones already exist in firewalld's default configuration: "trusted" and "public" - the latter only allowing DHCPv6 and SSH. I can't say anything about plasma-firewall.

Last edited by -thc (2023-03-20 06:31:30)

Offline

#9 2023-03-20 09:58:37

Utini
Member
Registered: 2015-09-28
Posts: 476

Re: Question regarding firewalld setup/configuration

Alright, sounds exactly like what I want.

I installed firewalld and plasma-firewall.
Plasma-firewall just acts as a GUI for integration into KDE.

According to "firewall-cmd --list-all-zones" several zones are more or less the same:

block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

dmz
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

drop
  target: DROP
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

external
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

home
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

internal
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

nm-shared
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcp dns ssh
  ports: 
  protocols: icmp ipv6-icmp
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule priority="32767" reject

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp5s0u1u3u4
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

work
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Basically:
home = internal
public = work
.. and then there is external and trusted.

1. Basically I would use public as automatic default zone for every new network that gets connected?
2. For my home network I will use "home". That should allow all connections, port forwarding, ... basically just the same as if no firewall would be enabled?
3. Which firewall zone should I use for my OpenVPN connection? Home as well or public?

Of course I could further configure the zones if recommended.
Those are the standard settings:

public:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp5s0u1u3u4
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

home:

home
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Last edited by Utini (2023-03-20 09:59:08)



Offline

#10 2023-03-20 10:45:20

-thc
Member
Registered: 2017-03-15
Posts: 749

Re: Question regarding firewalld setup/configuration

Utini wrote:

1. Basically I would use public as automatic default zone for every new network that gets connected?

That's a good idea.

Utini wrote:

2. For my home network I will use "home". That should allow all connections, port forwarding, ... basically just the same as if no firewall would be enabled?

No - this zone only allows the listed services. "trusted" allows everything.

Utini wrote:

3. Which firewall zone should I use for my OpenVPN connection? Home as well or public?

If you did setup your VPN as a full tunnel (your VPN endpoint is the default gateway and everything will be routed through the tunnel) you can also use "trusted". In case of a split tunnel VPN that would be unwise.

Offline
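The distinction -thc makes here can be read straight off the dump posted above: a zone whose target is "default" rejects everything except the listed services and ports, and only "trusted" (target ACCEPT) behaves like having no firewall. The script below is an added example, not code from the thread or from firewalld. It parses the output format of `firewall-cmd --list-all-zones` and reports what each zone does with unsolicited inbound traffic; the embedded ZONES text is an abridged copy of the dump above (four zones, only the fields the parser reads). The apply_profiles function at the end collects the firewall-cmd and nmcli calls a home/public setup consists of; it is not run by the script, needs root and a running firewalld, and the connection name "Home WiFi" and the Syncthing port 22000/tcp are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from firewalld: parse a
# `firewall-cmd --list-all-zones` dump and report what each zone does with
# unsolicited inbound traffic. ZONES is an abridged copy of the dump posted
# above (four zones, only the fields the parser reads); live use:
#   zone_policy home "$(firewall-cmd --list-all-zones)"
set -eu

ZONES='home
  target: default
  interfaces:
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  rich rules:

public (active)
  target: default
  interfaces: enp5s0u1u3u4
  sources:
  services: dhcpv6-client ssh
  ports:
  rich rules:

trusted
  target: ACCEPT
  interfaces:
  services:
  ports:

drop
  target: DROP
  interfaces:
  services:
  ports:'

# zone_field ZONE FIELD DUMP: value of FIELD (target, services, ...) for ZONE.
# A zone header is any line that does not start with a space; the "(active)"
# suffix is ignored because only the first word of the header is compared.
zone_field() {
    printf '%s\n' "$3" | awk -v z="$1" -v f="$2:" '
        /^[^ ]/ { cur = $1 }
        cur == z && $1 == f { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# zone_policy ZONE DUMP: one line saying what the zone lets in.
# Only target ACCEPT behaves like "no firewall"; target default rejects
# everything that is not a listed service or port.
zone_policy() {
    case "$(zone_field "$1" target "$2")" in
        ACCEPT)     echo "accepts everything (like no firewall)" ;;
        DROP)       echo "drops everything silently" ;;
        %%REJECT%%) echo "rejects everything" ;;
        default)
            svc=$(zone_field "$1" services "$2")
            prt=$(zone_field "$1" ports "$2")
            allowed="${svc}${prt:+ $prt}"
            echo "allows only: ${allowed:-nothing}" ;;
        *)          echo "unknown zone" ;;
    esac
}

# The firewall-cmd/nmcli calls a home/public profile setup consists of.
# Not executed by this script: it needs root and a running firewalld.
# "Home WiFi" (a NetworkManager connection name) and 22000/tcp (Syncthing's
# default sync port) are assumptions for this example.
apply_profiles() {
    firewall-cmd --set-default-zone=public                       # unknown networks land here
    firewall-cmd --permanent --zone=home --add-service=samba     # SMB share on this laptop
    firewall-cmd --permanent --zone=home --add-service=mdns
    firewall-cmd --permanent --zone=home --add-port=22000/tcp    # Syncthing
    firewall-cmd --reload                                        # activate --permanent changes
    nmcli connection modify "Home WiFi" connection.zone home     # NM sets the zone on connect
}

for z in home public trusted drop; do
    printf '%-8s %s\n' "$z" "$(zone_policy "$z" "$ZONES")"
done
```

Run as is, it prints one verdict per zone. On a live system `zone_policy home "$(firewall-cmd --list-all-zones)"` gives the same answer for the current configuration, `firewall-cmd --get-active-zones` shows which zones currently have an interface or source attached, and `firewall-cmd --get-zone-of-interface=lo` shows where a given interface currently lands. Two things are easy to get wrong: changes made with --permanent only take effect after `firewall-cmd --reload`, and it is NetworkManager's connection.zone property, applied when the connection comes up, that makes the switch between "home" and "public" automatic rather than something to remember at every café.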

#11 2023-03-20 11:47:51

Utini
Member
Registered: 2015-09-28
Posts: 476

Re: Question regarding firewalld setup/configuration

Thanks! I actually use a split tunnel VPN:
All traffic is going through the VPN except two IPs from my office that can only be reached via the local connection.

So I guess "public" is the right zone for my OpenVPN profile then.
Alternatively I could add another OpenVPN profile which doesn't have the split tunnel configured and uses zone "trusted".
I could then bind "Work VPN" with "public" to my work network, and all other networks get the "Full VPN" with "trusted".



Offline
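Whether a profile is a full or a split tunnel is decided by the routing table the client installs, and OpenVPN's usual full tunnel ("redirect-gateway def1") does not even replace the default route: it adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel, which together beat the physical default, so a check that only looks for a default route on tun0 misclassifies it. The script below is an added example (not from the thread, OpenVPN or firewalld) that classifies a route dump and picks the zone -thc suggests: trusted for the tunnel interface of a full tunnel, public otherwise. The three dumps are constructed samples in `ip -4 route show` format; the interface names tun0/wlan0, the 10.8.0.0/24 tunnel subnet, the 192.168.1.0/24 LAN and the VPN server address 203.0.113.5 are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread: decide from the routing table whether a
# VPN is a full or a split tunnel and which firewalld zone the tunnel
# interface should get (trusted only for a full tunnel).
# The route dumps are constructed samples in `ip -4 route show` format;
# live use:  tunnel_mode tun0 "$(ip -4 route show)"
set -eu

# OpenVPN "redirect-gateway def1": no "default" line points at tun0, but the
# two /1 routes together cover every address, so this IS a full tunnel.
ROUTES_FULL='0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.5 via 192.168.1.1 dev wlan0'

# Split tunnel: one remote subnet goes through tun0, the default stays on the Wi-Fi.
ROUTES_SPLIT='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
172.16.10.0/24 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600'

# No tunnel at all.
ROUTES_NOVPN='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600'

# tunnel_mode TUNDEV ROUTES: prints full, split or none.
tunnel_mode() {
    printf '%s\n' "$2" | awk -v t="$1" '
        {
            dev = ""
            for (i = 1; i < NF; i++) if ($i == "dev") dev = $(i + 1)
            if (dev != t) next
            seen = 1
            if ($1 == "default")     full = 1
            if ($1 == "0.0.0.0/1")   lo = 1
            if ($1 == "128.0.0.0/1") hi = 1
        }
        END {
            if (!seen)                   print "none"
            else if (full || (lo && hi)) print "full"
            else                         print "split"
        }'
}

# bypass_routes TUNDEV ROUTES: destinations still reached outside the tunnel
# (the physical default route is skipped). Even with a full tunnel the LAN's
# connected route and the host route to the VPN server stay outside it, which
# is why the physical interface keeps the "public" zone whatever the tunnel gets.
bypass_routes() {
    printf '%s\n' "$2" | awk -v t="$1" '
        $1 == "default" { next }
        {
            dev = ""
            for (i = 1; i < NF; i++) if ($i == "dev") dev = $(i + 1)
            if (dev != "" && dev != t) print $1
        }'
}

# zone_for_tunnel TUNDEV ROUTES: trusted for a full tunnel, public otherwise.
zone_for_tunnel() {
    case "$(tunnel_mode "$1" "$2")" in
        full) echo trusted ;;
        *)    echo public ;;
    esac
}

for routes in "$ROUTES_FULL" "$ROUTES_SPLIT" "$ROUTES_NOVPN"; do
    printf 'mode=%-5s zone=%-7s outside tunnel: %s\n' \
        "$(tunnel_mode tun0 "$routes")" "$(zone_for_tunnel tun0 "$routes")" \
        "$(bypass_routes tun0 "$routes" | tr '\n' ' ')"
done
```

On a live system run `tunnel_mode tun0 "$(ip -4 route show)"` and repeat with `ip -6 route show`: an IPv6 default route left on the Wi-Fi makes a "full" IPv4 tunnel a split tunnel in practice. The bypass list is the part worth looking at before choosing a zone: with a full tunnel it still contains the LAN's connected route and the host route to the VPN server, so traffic from other devices on the café Wi-Fi arrives on wlan0, not tun0. Putting tun0 in "trusted" therefore only opens the laptop to hosts behind the VPN endpoint (the home network in this thread), while wlan0 stays in "public"; a split-tunnel profile is kept in "public" because nothing guarantees the remote side of such a tunnel is any more trustworthy than the local network.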

#12 2023-03-24 07:00:47

Utini
Member
Registered: 2015-09-28
Posts: 476

Re: Question regarding firewalld setup/configuration

Follow up question:
Which zone should the "loopback" interface (lo) have?
Shouldn't this be trusted as well? By default it is public.



Offline
