#1 2024-12-19 02:12:48

archexplorer
Member
Registered: 2024-12-19
Posts: 5

[SOLVED] firewalld doesn't appear to be blocking traffic.

I'm testing firewalld by enabling ssh on my client to see if the firewall blocks the port.

I accidentally installed ufw but have uninstalled it.

I installed firewalld and its components with pacman -Syu firewalld ipset ebtables

I've enabled firewalld with sudo systemctl enable --now firewalld

I'm able to use the GUI and the terminal to make changes to firewalld, and I disabled ssh permanently, and reloaded the tables.

After enabling ssh by running sudo systemctl enable --now sshd, when I run an nmap of my machine, I can see port 22 is open, and when I try to make ssh connections to it, it does ask for a keyfile (I obviously disabled passwords for security purposes).

Can anyone explain to me what is probably happening here?

Last edited by archexplorer (2024-12-19 16:34:39)

#2 2024-12-19 02:23:06

archexplorer
Member
Registered: 2024-12-19
Posts: 5

Re: [SOLVED] firewalld doesn't appear to be blocking traffic.

For added context, it appears like it's doing nothing, because my KVM Windows machine can see the internet.

#3 2024-12-19 05:35:10

-thc
Member
Registered: 2017-03-15
Posts: 775

Re: [SOLVED] firewalld doesn't appear to be blocking traffic.

archexplorer wrote:

[...] it appears like it's doing nothing. [...]

It can't. firewalld creates nftables rules.

pacman -Rsn ipset ebtables
pacman -S nftables iptables-nft

#4 2024-12-19 07:22:25

cryptearth
Member
Registered: 2024-02-03
Posts: 1,223

Re: [SOLVED] firewalld doesn't appear to be blocking traffic.

-thc wrote:
archexplorer wrote:

[...] it appears like it's doing nothing. [...]

It can't. firewalld creates nftables rules.

pacman -Rsn ipset ebtables
pacman -S nftables iptables-nft

according to its docs firewalld can use iptables, nftables and ebtables as its backends - so it shouldn't matter which is used

@OP
by default a firewall does nothing because it has no rules to act on - so there's no "default: block all" - for that you have to set the required rules
also: order is important: when you want to allow something the allow rule has to come before any deny rule - as if something is denied first it can't be allowed afterwards

#5 2024-12-19 08:34:50

seth
Member
Registered: 2012-09-03
Posts: 60,807

Re: [SOLVED] firewalld doesn't appear to be blocking traffic.

nb that nftables might hit you with a simple stateful (and aggressive) firewall set of rules by default, https://wiki.archlinux.org/title/Nftabl … e_firewall

#6 2024-12-19 13:52:24

cryptearth
Member
Registered: 2024-02-03
Posts: 1,223

Re: [SOLVED] firewalld doesn't appear to be blocking traffic.

in addition to seth:
be aware when using the firewall-cmd frontend with ipv6 - that doesn't work directly but requires rich rules
all regular syntax only works with ipv4 properly
example: if you add an ipv6 to a block list like so it will block all incoming traffic due to this issue

firewall-cmd --permanent --add-source=ipv6
firewall-cmd --reload

the proper way for ipv6 requires rich rules

#7 2024-12-19 16:30:09

archexplorer
Member
Registered: 2024-12-19
Posts: 5

Re: [SOLVED] firewalld doesn't appear to be blocking traffic.

Thanks for the help, everyone! But goodness, ignore me. I didn't have access to another machine, and termux was being weird. I found out it was because I was performing an nmap from the local machine, so it was showing me ssh, even though the firewall must have been filtering it. I tested this on a VPS I spun up really quickly, and found when I ran

firewall-cmd --zone=public --remove-service=ssh --permanent
firewall-cmd --reload / systemctl restart firewalld

And then tried to initiate an SSH session, which I couldn't. In the terminal of the VPS, however, when running an nmap of my IP, I saw ssh still there on port 22.
When running the nmap from my laptop to the vps, the port was closed!

It looks like the firewall is behaving normally.

Last edited by archexplorer (2024-12-19 16:31:49)
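The two practical lessons in this thread, as one added example that is not the poster's own commands and not firewalld project code: verify from the zone listing that the ssh service really is gone after the --remove-service/--reload step in #7, and express an IPv6 source block as a rich rule rather than --add-source, as #6 advises. The zone dump is a constructed sample of `firewall-cmd --zone=public --list-all` output for a hypothetical host, and 2001:db8::/32 is the documentation prefix, not a real address; the script falls back to the sample when firewall-cmd is not installed so it runs anywhere.

```shell
#!/bin/sh
# Added example, not from the thread. Two helpers for the lessons above:
# (1) confirm from a zone dump that a service is really gone (post #7), and
# (2) build an IPv6 source block as a rich rule, not --add-source (post #6).

# Constructed sample of `firewall-cmd --zone=public --list-all` output after
# `--remove-service=ssh --permanent` and `--reload` on a hypothetical host.
SAMPLE_ZONE_DUMP='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
'

# zone_allows_service DUMP SERVICE
# Returns 0 when SERVICE appears on the "services:" line of DUMP, 1 otherwise.
zone_allows_service() {
    services=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*services:[[:space:]]*//p')
    for svc in $services; do
        [ "$svc" = "$2" ] && return 0
    done
    return 1
}

# ipv6_drop_rule ADDRESS
# Prints the rich rule firewalld needs for an IPv6 source; plain --add-source
# only handles IPv4 properly (post #6).
ipv6_drop_rule() {
    printf 'rule family="ipv6" source address="%s" drop' "$1"
}

# live_zone_dump ZONE
# Uses the real listing when firewall-cmd is installed, otherwise the
# constructed sample, so the script still runs offline.
live_zone_dump() {
    if command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --zone="$1" --list-all
    else
        printf '%s' "$SAMPLE_ZONE_DUMP"
    fi
}

# Usage: check the public zone for ssh, then print the rich-rule form of an
# IPv6 block. Scan from a *remote* host afterwards: an nmap run on the
# firewalled machine against its own address goes over loopback, which
# firewalld accepts, so it still reports port 22 open (the confusion in #7).
dump=$(live_zone_dump public)
if zone_allows_service "$dump" ssh; then
    echo "ssh is still allowed in zone public"
else
    echo "ssh is not allowed in zone public"
fi
echo "IPv6 block, rich rule form: firewall-cmd --permanent --add-rich-rule='$(ipv6_drop_rule 2001:db8::/32)'"
```

On a live host, run it as root, then follow the `--add-rich-rule` line with `firewall-cmd --reload`; the service check reads the runtime configuration, so run it after the reload, not before.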

#8 2024-12-20 00:40:10

cryptearth
Member
Registered: 2024-02-03
Posts: 1,223

Re: [SOLVED] firewalld doesn't appear to be blocking traffic.

if you want to play around with local stuff you require some tricks like this:
ipv6 rich rules https://major.io/p/forwarding-ports-with-firewalld/
local stuff https://serverfault.com/questions/10047 … k-redirect
I use this on my mail server to redirect the common ports to some above 1024 to run the mailserver as non-root - and have the netfilter do its stuff

#9 2024-12-20 05:56:27

-thc
Member
Registered: 2017-03-15
Posts: 775

Re: [SOLVED] firewalld doesn't appear to be blocking traffic.

Off topic:

cryptearth wrote:

according to its docs firewalld can use iptables, nftables and ebtables as its backends [...]

Yep - my bad. I installed firewalld on an Arch system without any *tables and it only pulled nftables as a dependency. Wrong assumption.
