Fedora 25: where is the firewall rule for sshd stored?

asked 2017-04-14 21:05:15 +0000

lovepump

Hello all,

I've recently set up a Fedora 25 server and I installed the bind-chroot package.

I set up bind over ssh as many folks will.

The name server runs great, zones load and it is working: the resolver on the server itself can query the local zone I set up, non-authoritative queries are forwarded to the upstream server and everything is copacetic, until I have another of my machines on my local network try to resolve a name.

The query times out, no servers can be reached. I sniffed the traffic with tcpdump, and the query makes it to the server, which promptly doesn't respond.

If I kill firewalld on the server (à la "systemctl stop firewalld") and then try the query from one of my other local machines again, it works wonderfully! AHA! Now I know it is the firewall just dropping the queries from the server.

OK! Let us use firewall-cmd or iptables or whatever to see where the rule for SSHD is stored (because it is working "as packaged") and then explore how to add a rule for the local net and DNS on port 53, right?

When I use firewall-cmd to explore existing zones and rules there are none. Everything comes back "empty", even the "direct" iptables access.

OK, so where is the rule for sshd "stored", which I have used to configure the server since its inception?

thanks


Comments

let me clarify:

  1. With firewall-cmd there are zones displayed, but no rules. Especially not a rule for sshd (in any zone) which I was looking for.

  2. My sentence regarding where the DNS queries were dropped might be confusing. The server (firewalld) is dropping (dns) queries from local clients. These client queries are answered correctly and immediately when firewalld is "driven out of the picture". I do not want to do this. I want an active firewall that allows local DNS queries.

  3. I want to emphasize this is not a "bind/named/dns configuration problem". It rests solely with firewalld.

lovepump (2017-04-14 22:55:39 +0000)

Assuming firewalld is running, what does the following command return? firewall-cmd --info-zone=$(firewall-cmd --get-default-zone). Please add that to your question.

thomaswood (2017-04-15 08:48:41 +0000)

Ahh, OK, I can see ssh listed as a "service" and not a "port".

I had initially tried "firewall-cmd --zone=FedoraServer --list-ports" in all of the available zones, not just FedoraServer.

thanks.

Perhaps now I should ask, what is the technical difference between a "service" and a "port" in this case?

Thanks thomaswood, not sure how to add karma or give you props for the comment.

lovepump (2017-04-16 18:47:35 +0000)

A "service" is a set of rules to make things work. Such a rule may need to enable more than one port.

Also, remember the difference between runtime and permanent configuration change.

Also check out the --set-log-denied setting. If enabled, the firewall will log to the journal, viewable with journalctl.

villykruse (2018-01-12 17:27:46 +0000)

1 answer


answered 2018-01-12 16:09:21 +0000

Petr Menšík

As stated in the first comment, firewall-cmd can be used to add rules to the configuration.

The firewallctl command can be used as well. Run the following commands as root (prefix them with sudo):

$ firewallctl info zones -a

This will show you the active zones with the services enabled in them. You want to enable the dns service in your active zone. My output is this:

FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens3
  sources: 
  services: ssh dhcpv6-client samba-client dns
  ports: 1025-65535/udp 1025-65535/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

Now you know the name of your default zone. It should be one of FedoraWorkstation or FedoraServer by default. My zone is FedoraWorkstation, so add the dns service:

$ firewallctl zone FedoraWorkstation add service dns

Now try to query your server from the outside. It should give you REFUSED answers from dig:

$ dig @yourip localhost. A

If it does work, let's save the firewall configuration to permanent storage:

$ firewallctl runtime-to-permanent

Now it should be started again with that service enabled all the time.

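As an added example (not part of the answer, and not Fedora's or firewalld's own tooling), here is a small POSIX shell checker that parses the zone dump format shown in the answer and reports whether DNS is already allowed, either through the dns service or through a ports range covering 53/udp. The sample zone text is constructed from the answer's output with the dns service deliberately removed; the suggested fix uses the firewall-cmd --add-service form from the question, which is a runtime change that still needs saving with --runtime-to-permanent as the answer does with firewallctl.

```shell
#!/bin/sh
# Constructed sample: the answer's zone dump, with "dns" removed from services.
ZONE_INFO='FedoraWorkstation (active)
  target: default
  interfaces: ens3
  services: ssh dhcpv6-client samba-client
  ports: 1025-65535/udp 1025-65535/tcp'

# zone_has_service "$info" NAME -> exit 0 if NAME appears on the "services:" line
zone_has_service() {
  printf '%s\n' "$1" | awk -v svc="$2" '
    $1 == "services:" { for (i = 2; i <= NF; i++) if ($i == svc) found = 1 }
    END { exit !found }'
}

# zone_allows_port "$info" PORT PROTO -> exit 0 if an entry on the "ports:" line
# (single port or lo-hi range, with matching protocol) covers PORT
zone_allows_port() {
  printf '%s\n' "$1" | awk -v port="$2" -v proto="$3" '
    $1 == "ports:" {
      for (i = 2; i <= NF; i++) {
        split($i, pp, "/"); if (pp[2] != proto) continue
        n = split(pp[1], r, "-"); lo = r[1]; hi = (n == 2) ? r[2] : r[1]
        if (port + 0 >= lo + 0 && port + 0 <= hi + 0) found = 1
      }
    }
    END { exit !found }'
}

# dns_advice "$info" [ZONE] -> prints "already-allowed" or the runtime
# firewall-cmd command that opens DNS in ZONE (default FedoraWorkstation)
dns_advice() {
  zone="${2:-FedoraWorkstation}"
  if zone_has_service "$1" dns || zone_allows_port "$1" 53 udp; then
    echo "already-allowed"
  else
    echo "firewall-cmd --zone=$zone --add-service=dns"
  fi
}

dns_advice "$ZONE_INFO"
```

Run it against real output by replacing ZONE_INFO with `firewall-cmd --info-zone=$(firewall-cmd --get-default-zone)`; note that the 1025-65535 ranges in the sample do not cover port 53, which is why the services line, not the ports line, is where the answer's fix shows up.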
