Score:0

Debian 11 firewalld+nftables rules not taking effect

tz

Update: after commenting out the line in /etc/hosts that is kinda like

#127.0.1.1  my-host.domain.edu  my-host

and rebooting, the firewall does open the expected ports. I thought to do this because, during testing with the firewall down, binding to host '' was able to accept connections, but binding to the host my-host did not (because that was only binding to 127.0.1.1, not my external address).

I do not understand why this should change how firewalld acts, especially when I had specified which interface the rules should apply to.

Original post:

I have a Debian 11 server (not running NetworkManager) that I am attempting to open ports on using firewalld, using the same commands I have used successfully on other machines, and running them with and without --permanent. I can see these rules in nft list ruleset. But I cannot access the servers on this machine; VNC Viewer says "The connection was refused by the computer", and I get the same result when running a Python echo server on port 11000 (so it's not just a VNC problem). I tried explicitly adding the interface to firewalld, but that didn't change anything. I have rebooted the machine; that did not change anything. Why are these ports not open?

:~> sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp4s0f0
  sources: 
  services: dhcpv6-client http https ldap ldaps nfs postgresql rsyncd ssh vnc-server
  ports: 1024-65535/tcp 1024-65535/udp
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
:~> sudo nft list table inet firewalld
table inet firewalld {
    chain raw_PREROUTING {
        type filter hook prerouting priority raw + 10; policy accept;
        icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
        meta nfproto ipv6 fib saddr . iif oif missing drop
    }

    chain mangle_PREROUTING {
        type filter hook prerouting priority mangle + 10; policy accept;
        jump mangle_PREROUTING_POLICIES_pre
        jump mangle_PREROUTING_ZONES
        jump mangle_PREROUTING_POLICIES_post
    }

    chain mangle_PREROUTING_POLICIES_pre {
        jump mangle_PRE_policy_allow-host-ipv6
    }

    chain mangle_PREROUTING_ZONES {
        iifname "enp4s0f0" goto mangle_PRE_public
        goto mangle_PRE_public
    }

    chain mangle_PREROUTING_POLICIES_post {
    }

    chain filter_INPUT {
        type filter hook input priority filter + 10; policy accept;
        ct state { established, related } accept
        ct status dnat accept
        iifname "lo" accept
        jump filter_INPUT_POLICIES_pre
        jump filter_INPUT_ZONES
        jump filter_INPUT_POLICIES_post
        ct state { invalid } drop
        reject with icmpx type admin-prohibited
    }

    chain filter_FORWARD {
        type filter hook forward priority filter + 10; policy accept;
        ct state { established, related } accept
        ct status dnat accept
        iifname "lo" accept
        ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
        jump filter_FORWARD_POLICIES_pre
        jump filter_FORWARD_IN_ZONES
        jump filter_FORWARD_OUT_ZONES
        jump filter_FORWARD_POLICIES_post
        ct state { invalid } drop
        reject with icmpx type admin-prohibited
    }

    chain filter_OUTPUT {
        type filter hook output priority filter + 10; policy accept;
        oifname "lo" accept
        ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
        jump filter_OUTPUT_POLICIES_pre
        jump filter_OUTPUT_POLICIES_post
    }

    chain filter_INPUT_POLICIES_pre {
        jump filter_IN_policy_allow-host-ipv6
    }

    chain filter_INPUT_ZONES {
        iifname "enp4s0f0" goto filter_IN_public
        goto filter_IN_public
    }

    chain filter_INPUT_POLICIES_post {
    }

    chain filter_FORWARD_POLICIES_pre {
    }

    chain filter_FORWARD_IN_ZONES {
        iifname "enp4s0f0" goto filter_FWDI_public
        goto filter_FWDI_public
    }

    chain filter_FORWARD_OUT_ZONES {
        oifname "enp4s0f0" goto filter_FWDO_public
        goto filter_FWDO_public
    }

    chain filter_FORWARD_POLICIES_post {
    }

    chain filter_OUTPUT_POLICIES_pre {
    }

    chain filter_OUTPUT_POLICIES_post {
    }

    chain filter_IN_public {
        jump filter_IN_public_pre
        jump filter_IN_public_log
        jump filter_IN_public_deny
        jump filter_IN_public_allow
        jump filter_IN_public_post
        meta l4proto { icmp, ipv6-icmp } accept
    }

    chain filter_IN_public_pre {
    }

    chain filter_IN_public_log {
    }

    chain filter_IN_public_deny {
    }

    chain filter_IN_public_allow {
        tcp dport 22 ct state { new, untracked } accept
        ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
        tcp dport 80 ct state { new, untracked } accept
        tcp dport 443 ct state { new, untracked } accept
        tcp dport 389 ct state { new, untracked } accept
        tcp dport 636 ct state { new, untracked } accept
        tcp dport 2049 ct state { new, untracked } accept
        tcp dport 5432 ct state { new, untracked } accept
        tcp dport 873 ct state { new, untracked } accept
        udp dport 873 ct state { new, untracked } accept
        tcp dport 5900-5903 ct state { new, untracked } accept
        tcp dport 1024-65535 ct state { new, untracked } accept
        udp dport 1024-65535 ct state { new, untracked } accept
    }

    chain filter_IN_public_post {
    }

    chain filter_FWDO_public {
        jump filter_FWDO_public_pre
        jump filter_FWDO_public_log
        jump filter_FWDO_public_deny
        jump filter_FWDO_public_allow
        jump filter_FWDO_public_post
    }

    chain filter_FWDO_public_pre {
    }

    chain filter_FWDO_public_log {
    }

    chain filter_FWDO_public_deny {
    }

    chain filter_FWDO_public_allow {
    }

    chain filter_FWDO_public_post {
    }

    chain filter_FWDI_public {
        jump filter_FWDI_public_pre
        jump filter_FWDI_public_log
        jump filter_FWDI_public_deny
        jump filter_FWDI_public_allow
        jump filter_FWDI_public_post
        meta l4proto { icmp, ipv6-icmp } accept
    }

    chain filter_FWDI_public_pre {
    }

    chain filter_FWDI_public_log {
    }

    chain filter_FWDI_public_deny {
    }

    chain filter_FWDI_public_allow {
    }

    chain filter_FWDI_public_post {
    }

    chain mangle_PRE_public {
        jump mangle_PRE_public_pre
        jump mangle_PRE_public_log
        jump mangle_PRE_public_deny
        jump mangle_PRE_public_allow
        jump mangle_PRE_public_post
    }

    chain mangle_PRE_public_pre {
    }

    chain mangle_PRE_public_log {
    }

    chain mangle_PRE_public_deny {
    }

    chain mangle_PRE_public_allow {
    }

    chain mangle_PRE_public_post {
    }

    chain filter_IN_policy_allow-host-ipv6 {
        jump filter_IN_policy_allow-host-ipv6_pre
        jump filter_IN_policy_allow-host-ipv6_log
        jump filter_IN_policy_allow-host-ipv6_deny
        jump filter_IN_policy_allow-host-ipv6_allow
        jump filter_IN_policy_allow-host-ipv6_post
    }

    chain filter_IN_policy_allow-host-ipv6_pre {
    }

    chain filter_IN_policy_allow-host-ipv6_log {
    }

    chain filter_IN_policy_allow-host-ipv6_deny {
    }

    chain filter_IN_policy_allow-host-ipv6_allow {
        icmpv6 type nd-neighbor-advert accept
        icmpv6 type nd-neighbor-solicit accept
        icmpv6 type nd-router-advert accept
        icmpv6 type nd-redirect accept
    }

    chain filter_IN_policy_allow-host-ipv6_post {
    }

    chain mangle_PRE_policy_allow-host-ipv6 {
        jump mangle_PRE_policy_allow-host-ipv6_pre
        jump mangle_PRE_policy_allow-host-ipv6_log
        jump mangle_PRE_policy_allow-host-ipv6_deny
        jump mangle_PRE_policy_allow-host-ipv6_allow
        jump mangle_PRE_policy_allow-host-ipv6_post
    }

    chain mangle_PRE_policy_allow-host-ipv6_pre {
    }

    chain mangle_PRE_policy_allow-host-ipv6_log {
    }

    chain mangle_PRE_policy_allow-host-ipv6_deny {
    }

    chain mangle_PRE_policy_allow-host-ipv6_allow {
    }

    chain mangle_PRE_policy_allow-host-ipv6_post {
    }
}
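As an added example (not part of the question or of any answer), the Python script below walks a trimmed copy of the nftables ruleset shown above the way the kernel would for one inbound packet on enp4s0f0 and reports the verdict. RULESET is constructed from the chains in the dump that matter for inbound TCP; the walker models only ct state, iifname/oifname, tcp/udp dport and jump/goto, and treats every other expression (ct status, meta l4proto, icmpv6, ip6 daddr, fib) as a non-match, which is an assumption that holds for plain TCP traffic.

```python
"""Walk the firewalld nftables input path for one packet (added example)."""
import re

# Constructed subset of the `nft list table inet firewalld` output above.
RULESET = """\
table inet firewalld {
    chain filter_INPUT {
        type filter hook input priority filter + 10; policy accept;
        ct state { established, related } accept
        ct status dnat accept
        iifname "lo" accept
        jump filter_INPUT_ZONES
        ct state { invalid } drop
        reject with icmpx type admin-prohibited
    }
    chain filter_INPUT_ZONES {
        iifname "enp4s0f0" goto filter_IN_public
        goto filter_IN_public
    }
    chain filter_IN_public {
        jump filter_IN_public_allow
        meta l4proto { icmp, ipv6-icmp } accept
    }
    chain filter_IN_public_allow {
        tcp dport 22 ct state { new, untracked } accept
        tcp dport 5900-5903 ct state { new, untracked } accept
        tcp dport 1024-65535 ct state { new, untracked } accept
        udp dport 1024-65535 ct state { new, untracked } accept
    }
}
"""

VERDICTS = ("accept", "drop", "reject", "jump", "goto", "return")


def parse_table(text):
    """Return ({chain: [token lists]}, {base chain: policy}) from an nft dump."""
    chains, policies, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"chain (\S+) \{$", line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif line == "}":
            current = None
        elif line.startswith("type ") and current:  # base-chain header carries the policy
            pm = re.search(r"policy (\w+);", line)
            policies[current] = pm.group(1) if pm else "accept"
        elif line and current:
            chains[current].append(line.split())
    return chains, policies


def parse_set(tokens, i):
    """Parse a single value or an anonymous set `{ a, b }` starting at tokens[i]."""
    if tokens[i] != "{":
        return {tokens[i]}, i + 1
    items, i = [], i + 1
    while tokens[i] != "}":
        items.append(tokens[i].rstrip(","))
        i += 1
    return set(items), i + 1


def port_in(spec, port):
    """True if `port` lies in an nft port spec such as `22` or `5900-5903`."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def rule_matches(tokens, pkt):
    """Return (matched, verdict tokens) for one rule against a packet dict."""
    i = 0
    while i < len(tokens):
        t = tokens[i]
        if t in VERDICTS:
            return True, tokens[i:]
        if t == "ct" and tokens[i + 1] == "state":
            states, i = parse_set(tokens, i + 2)
            if pkt["state"] not in states:
                return False, None
        elif t in ("iifname", "oifname"):
            if pkt.get(t) != tokens[i + 1].strip('"'):
                return False, None
            i += 2
        elif t in ("tcp", "udp") and tokens[i + 1] == "dport":
            if pkt["proto"] != t or not port_in(tokens[i + 2], pkt["dport"]):
                return False, None
            i += 3
        else:
            return False, None  # ct status, meta, icmpv6, ip6 daddr, fib: not modelled
    return False, None


def evaluate(chains, name, pkt):
    """Walk a chain; None means it fell off the end (caller continues, or base policy applies)."""
    for tokens in chains.get(name, []):
        matched, rest = rule_matches(tokens, pkt)
        if not matched:
            continue
        verdict = rest[0]
        if verdict in ("accept", "drop", "reject"):
            return verdict
        if verdict == "return":
            return None
        result = evaluate(chains, rest[1], pkt)
        if verdict == "goto" or result is not None:
            return result  # goto never comes back to this chain; jump does


def input_verdict(proto, dport, iif="enp4s0f0", state="new", text=RULESET):
    """Verdict for a packet arriving on `iif`, falling back to the base-chain policy."""
    chains, policies = parse_table(text)
    pkt = {"proto": proto, "dport": dport, "iifname": iif, "state": state}
    verdict = evaluate(chains, "filter_INPUT", pkt)
    return verdict if verdict is not None else policies.get("filter_INPUT", "accept")
```

Running `input_verdict("tcp", 11000)` yields `accept` by way of the `tcp dport 1024-65535` rule, and `input_verdict("tcp", 5900)` by way of the vnc-server range, so a new connection to either port is passed by this ruleset; only a port outside the allow list, such as tcp/23, reaches the final `reject with icmpx type admin-prohibited`. Note what that 1024-65535 range means when reading the `--list-all` output: every unprivileged port on the host is reachable from the zone's interface, not just the services listed.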
Score:0
tz

Commenting out the following line from /etc/hosts and then rebooting with firewalld enabled resulted in the firewalld opening ports as expected.

#127.0.1.1 my-host.domain.edu my-host

I am surprised that this affected the firewall settings, especially when I had set the appropriate interface for zone public and do not understand why this fixed it. But the firewall now works as expected.
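The binding behaviour the question's update and this answer describe, as an added example that is not part of the original thread: the distribution's `127.0.1.1 my-host.domain.edu my-host` entry maps the machine's own name to a loopback address, so a service that binds to its hostname listens on loopback only, while a bind to `''` listens on every interface. The hosts-file text, the name `my-host` and the addresses below are constructed to mirror the question.

```python
"""Where does a listener bound by hostname actually listen? (added example)"""
import ipaddress
import socket

# Constructed hosts-file text; "my-host" stands in for the question's hostname.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.1.1   my-host.domain.edu  my-host
::1         localhost ip6-localhost
"""

# The same file after the fix described in the thread (the entry commented out).
FIXED_HOSTS = SAMPLE_HOSTS.replace("127.0.1.1", "#127.0.1.1")


def parse_hosts(text):
    """Map each name in hosts-file text to its address; the first entry wins, as the resolver does."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # a leading '#' removes the whole entry
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping.setdefault(name, addr)
    return mapping


def classify_bind(host, hosts_text=SAMPLE_HOSTS):
    """Classify the address a TCP listener gets when bound to `host`.

    'all'           -> wildcard bind, reachable on every interface (firewall permitting)
    'loopback-only' -> 127/8 or ::1, never reachable from another machine
    'external'      -> a routable address
    'unresolved'    -> no hosts-file entry; the real resolver would then go on to DNS
    """
    if host in ("", "0.0.0.0", "::"):
        return "all"
    addr = parse_hosts(hosts_text).get(host, host)
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unresolved"
    return "loopback-only" if ip.is_loopback else "external"


def bound_address(host):
    """Bind a real listener on an ephemeral port and return the local address the kernel assigned."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        s.listen(1)
        return s.getsockname()[0]


if __name__ == "__main__":
    for host in ("", "my-host", "localhost"):
        print(f"bind({host!r:10}) before fix: {classify_bind(host):14} "
              f"after fix: {classify_bind(host, FIXED_HOSTS)}")
    print("wildcard listener reports local address", bound_address(""))
```

`classify_bind("my-host")` returns `loopback-only` with the original file and `unresolved` once the entry is commented out, at which point the resolver falls through to DNS and returns the external address. One further check when reading client errors on a Linux client: a firewalld `reject with icmpx type admin-prohibited` surfaces as "No route to host" (EHOSTUNREACH), whereas "Connection refused" is a TCP RST from the host itself, which means the SYN already passed the firewall and nothing was listening on that address and port. Other VNC clients word the error differently, so confirm with `ss -ltnp` on the server which address the service is bound to.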
