Gentoo Forums
Networking & Security
Firewalld not configuring nft...
The_Great_Sephiroth
Veteran
Joined: 03 Oct 2014
Posts: 1523
Location: Fayetteville, NC, USA

PostPosted: Thu Jul 02, 2020 4:47 pm    Post subject: Firewalld not configuring nft...

Two years after being forced to dump iptables and use nftables it appears as though Firewalld still does not properly configure nft despite this being the direction Redhat forced us to go. How can I make Firewalld either completely ignore nftables and use iptables or make it work correctly with nftables? I need a firewall. Windows does this VERY well and prior to somebody falling in love with nft, Firewalld did this quite well also.

Here is what I get after connecting to my home wireless network in nft.
Code:

sudo nft list table ip firewalld
Password:
table ip firewalld {
        chain nat_PREROUTING {
                type nat hook prerouting priority dstnat + 10; policy accept;
                jump nat_PREROUTING_ZONES
        }

        chain nat_PREROUTING_ZONES {
                goto nat_PREROUTING_ZONES_IFACES
        }

        chain nat_PREROUTING_ZONES_IFACES {
                iifname "wlp12s0" goto nat_PRE_home
                goto nat_PRE_public
        }

        chain nat_POSTROUTING {
                type nat hook postrouting priority srcnat + 10; policy accept;
                jump nat_POSTROUTING_ZONES
        }

        chain nat_POSTROUTING_ZONES {
                goto nat_POSTROUTING_ZONES_IFACES
        }

        chain nat_POSTROUTING_ZONES_IFACES {
                oifname "wlp12s0" goto nat_POST_home
                goto nat_POST_public
        }

        chain nat_PRE_public {
                jump nat_PRE_public_pre
                jump nat_PRE_public_log
                jump nat_PRE_public_deny
                jump nat_PRE_public_allow
                jump nat_PRE_public_post
        }

        chain nat_PRE_public_pre {
        }

        chain nat_PRE_public_log {
        }

        chain nat_PRE_public_deny {
        }

        chain nat_PRE_public_allow {
        }

        chain nat_PRE_public_post {
        }

        chain nat_POST_public {
                jump nat_POST_public_pre
                jump nat_POST_public_log
                jump nat_POST_public_deny
                jump nat_POST_public_allow
                jump nat_POST_public_post
        }

        chain nat_POST_public_pre {
        }

        chain nat_POST_public_log {
        }

        chain nat_POST_public_deny {
        }

        chain nat_POST_public_allow {
        }

        chain nat_POST_public_post {
        }

        chain nat_PRE_home {
                jump nat_PRE_home_pre
                jump nat_PRE_home_log
                jump nat_PRE_home_deny
                jump nat_PRE_home_allow
                jump nat_PRE_home_post
        }

        chain nat_PRE_home_pre {
        }

        chain nat_PRE_home_log {
        }

        chain nat_PRE_home_deny {
        }

        chain nat_PRE_home_allow {
        }

        chain nat_PRE_home_post {
        }

        chain nat_POST_home {
                jump nat_POST_home_pre
                jump nat_POST_home_log
                jump nat_POST_home_deny
                jump nat_POST_home_allow
                jump nat_POST_home_post
        }

        chain nat_POST_home_pre {
        }

        chain nat_POST_home_log {
        }

        chain nat_POST_home_deny {
        }

        chain nat_POST_home_allow {
        }

        chain nat_POST_home_post {
        }
}

As you can see, it does NOTHING to protect me despite the "Home" zone being configured to allow Samba, mdns, and a few other basics in. When this was iptables it did indeed work correctly. However, nothing I do makes it go back to iptables, so for well over a year I have had no firewall.

I know I can script iptables and spend a lot of time manually running scripts, but the entire point of Firewalld was to automate everything. Set up a few zones, assign zones to individual connections, and when said connections come up I have the proper things allowed and nothing else.

How can I get something working?
_________________
Ever picture systemd as what runs "The Borg"?
The_Great_Sephiroth
Veteran
Joined: 03 Oct 2014
Posts: 1523
Location: Fayetteville, NC, USA

PostPosted: Sat Jul 04, 2020 7:37 pm    Post subject:

I figured it out. I had to remove nft from the default runlevel, rebuild, and then add it to default again. Now it starts BEFORE NetworkManager and Firewalld. Now it is configured and I can see that it is doing filtering. Works like a charm!

Something with the original init script was making it start AFTER the firewall service, and that means it is blank. I also read a lot of information on the RedHat site and at one point it was stated that Firewalld and nftables should not be run at the same time, but the info was old. I believe a lot of what I read was outdated and added to the confusion.

We are good now. This was likely a combination of being out of date (I just did over a year of updates, I was really bad!) and lots of bad info and problems from the change in the first place. I hope this helps somebody else in the future.
_________________
Ever picture systemd as what runs "The Borg"?
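The first post shows the tell-tale symptom (a `firewalld` table that holds only the empty NAT skeleton and no filtering chains), and the second post traces it to the nftables service starting after firewalld. A practitioner will want a quick way to confirm, after boot, that firewalld's rules are actually attached to the netfilter hooks. The shell check below is an added example and is not code from the thread or from the firewalld project. It assumes that firewalld's nftables backend keeps its rules in a table whose name contains `firewalld`, and that its packet-filtering chains carry a `type filter hook ...` line; the two ruleset samples are constructed for the demonstration (the broken one is a shortened copy of the output in the first post, the healthy one is modelled on what a working backend emits) and should be replaced by a real `nft list ruleset` dump in use.

```shell
#!/bin/sh
# Added example: detect a firewalld nftables table that carries no hooked
# filter chains (i.e. a "firewall" that filters nothing).

# Count the chains inside any table whose name contains "firewalld" that are
# attached to a netfilter hook with "type filter hook ...". Reads an
# `nft list ruleset` dump on stdin and prints the count.
# Assumption (not from the thread): firewalld names its table "firewalld" and
# its filtering chains carry a "type filter hook" line; verify on your version.
count_firewalld_filter_hooks() {
    awk '
        /^table /                   { in_fw = ($0 ~ /firewalld/) }
        in_fw && /type filter hook/ { n++ }
        END                         { print n + 0 }
    '
}

# Succeeds (exit 0) when input, forward and output hooks are all present,
# fails (exit 1) when only the NAT skeleton or nothing at all is loaded.
firewalld_is_filtering() {
    [ "$(count_firewalld_filter_hooks)" -ge 3 ]
}

# Constructed sample 1: the state from the first post, trimmed. Only NAT
# chains with an accept policy exist, so no traffic is ever filtered.
BROKEN_RULESET=$(cat <<'EOF'
table ip firewalld {
        chain nat_PREROUTING {
                type nat hook prerouting priority dstnat + 10; policy accept;
                jump nat_PREROUTING_ZONES
        }
        chain nat_POSTROUTING {
                type nat hook postrouting priority srcnat + 10; policy accept;
                jump nat_POSTROUTING_ZONES
        }
}
EOF
)

# Constructed sample 2: what a live backend looks like, with filter chains
# hooked on input, forward and output and a final reject.
HEALTHY_RULESET=$(cat <<'EOF'
table inet firewalld {
        chain filter_INPUT {
                type filter hook input priority filter + 10; policy accept;
                ct state { established, related } accept
                iifname "lo" accept
                jump filter_INPUT_ZONES
                reject with icmpx type admin-prohibited
        }
        chain filter_FORWARD {
                type filter hook forward priority filter + 10; policy accept;
                jump filter_FORWARD_ZONES
                reject with icmpx type admin-prohibited
        }
        chain filter_OUTPUT {
                type filter hook output priority filter + 10; policy accept;
                oifname "lo" accept
        }
}
EOF
)

# Stand-alone demonstration on the constructed samples. On a real host,
# run:  nft list ruleset | firewalld_is_filtering && echo filtering
for name in BROKEN_RULESET HEALTHY_RULESET; do
    eval "ruleset=\$$name"
    hooks=$(printf '%s\n' "$ruleset" | count_firewalld_filter_hooks)
    if printf '%s\n' "$ruleset" | firewalld_is_filtering; then
        printf '%s: %s hooked filter chains, filtering active\n' "$name" "$hooks"
    else
        printf '%s: %s hooked filter chains, NOT filtering\n' "$name" "$hooks"
    fi
done
```

The check deliberately keys on the hook lines rather than on chain names, so it still works across firewalld versions that moved from separate `ip`/`ip6` tables to a single `inet` table. Running it from a late boot hook (or simply after login) catches the ordering problem from the second post without having to read the whole ruleset by eye.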
All times are GMT