
Can you help me with firewalld?

Hello everyone,

I’m looking to increase the security of my computers a bit through firewalld (with the KDE settings). I have a desktop and a laptop, both running Fedora 40 with KDE plasma. I don’t have access to the router’s firewalls etc etc this is only for my machines.

The issue is I’m having a hard time navigating the zones and setting rules the way I want. I don’t wanna deal with switching to UFW and while I generally like CLI stuff I’d prefer to generally stick with the GUI here even though I find it a bit confusing (I will use CLI if necessary tho).

Anyways, let’s get to the point. Firstly the only difference between the laptop and desktop, in terms of use-case, is that on my desktop I’m always connected to my home’s subnet via LAN while on my laptop I often connect to public wifis, so naturally the laptop is a little less secure.

For my use-case I care about 3 network interfaces:

  • tailscale: this is the one I use to ssh into my machines and stuff and I want this to be the only interface which allows me to ssh. This is because not only does it allow me to ssh remotely but I also figure it is the most secure way to use ssh, as the tailscale team is probably better at security than I am.
  • Proton VPN’s: this I use for gaming, web browsing and seeding Linux ISOs so I’d like settings that block everything without affecting these use cases.
  • normal internet: I almost always have my VPN on but occasionally I don’t for one reason or another and I only use this for web browsing and gaming via steam. Settings I’d like here are essentially the same as ProtonVPN’s but stricter if it makes sense to be stricter, especially on the laptop where it’s likely a public wifi I’m connecting to when I’m not home. If it’s possible I’d also like this interface to be hidden from nmap scans.

I do some light pentesting to learn so there’s also that.

I currently have every relevant connection set to FedoraWorkstation zone by default except I manually tell the laptop to switch to public zone for public wifis (I’d change the default to be public and specify other zones for non-public connections but rn I’m in a period of time when I’m only connecting it to my home network so I wanna figure this out first).

My question is, which zones should I use and what rules should I implement to make this more secure?

Thanks in advance

bloodfart ,

why do you want to learn a gui for firewalld?

almost all the support and documentation is gonna be using the cli command firewall-cmd.

DeathByDenim ,

Additionally, the GUI in KDE plasma in System Settings is not entirely reliable. It sometimes makes stuff up about IPv6 rules for example. It seems to be a very light-weight wrapper over the FirewallD DBUS interface.

thayer ,

I can’t provide specific advice for tailscale, but I can share my notes for my own use case, which is for PCs that are safely behind the home firewall. You’d want to adjust your ssh/smb settings accordingly. You shouldn’t need any rules for ProtonVPN, as you’re likely just trying to block incoming connections, not outbound.

It’s my understanding that Fedora opens ports 1025-65535/tcp and 1025-65535/udp by default.

To lock down to sane defaults (--permanent saves the settings directly, avoiding the need to run firewall-cmd --runtime-to-permanent separately):

```bash
sudo firewall-cmd --permanent --remove-port=1025-65535/tcp
sudo firewall-cmd --permanent --remove-port=1025-65535/udp
sudo firewall-cmd --permanent --add-port=27031/udp  # steam remote play
sudo firewall-cmd --permanent --add-port=27036/udp  # steam remote play
sudo firewall-cmd --permanent --add-port=27036/tcp  # steam remote play
sudo firewall-cmd --permanent --add-port=27037/tcp  # steam remote play
```

Ensure that ssh and samba-client are listed as allowed services too (sudo firewall-cmd --list-all).

  • Firewalld must be reloaded before rule changes will take effect: firewall-cmd --reload
  • Changes will reset upon reboot unless made persistent by using --permanent or by committing all changes with --runtime-to-permanent

Common commands:

```bash
sudo systemctl enable --now firewalld   # enable and start firewalld service
sudo systemctl disable firewalld
sudo systemctl stop firewalld

sudo firewall-cmd --state               # show running state of firewalld
sudo firewall-cmd --get-active-zones    # list active zones
sudo firewall-cmd --get-zones           # list all zones
sudo firewall-cmd --get-default-zone    # list default zone
sudo firewall-cmd --list-ports          # list allowed ports in current zone
sudo firewall-cmd --list-all            # list all settings
sudo firewall-cmd --reload              # reload firewall rules to activate any rule modifications
```

Add/remove ports, services, IPs:

```bash
sudo firewall-cmd --add-port=port-number/port-type      # allow incoming port  (tcp,udp,sctp,dccp)
sudo firewall-cmd --remove-port=port-number/port-type   # block incoming port
sudo firewall-cmd --add-service=<service-name>          # allow incoming service (see /etc/services)
sudo firewall-cmd --remove-service=<service-name>       # block incoming service (see /etc/services)
sudo firewall-cmd --add-source=192.168.1.100            # whitelist incoming IP (or a range, e.g. 192.168.1.0/24)
sudo firewall-cmd --remove-source=192.168.1.100         # remove whitelisted IP (or range, e.g. 192.168.1.0/24)
```

Block an IP or IP range (rich rules):

```bash
sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.100' reject"
sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.0/24' reject"
```

Whitelist IP for specific port (rich rule):

```bash
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.100" port protocol="tcp" port="3306" accept'
```

Removing a rich rule:

```bash
sudo firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.100" port protocol="tcp" port="3306" accept'
```

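As an added example that is not part of the thread (neither thayer's notes nor anything from the firewalld or Tailscale projects), here is a script that ties the commands above to the three interfaces the original post describes: ssh is allowed only on the Tailscale interface via a custom zone, the VPN tunnel and the bare Wi-Fi/LAN NIC are bound to the built-in `drop` zone, the 1025-65535 range is stripped from FedoraWorkstation, and a small audit function checks a captured `firewall-cmd --list-all` dump for leftovers. The interface names `tailscale0`, `proton0` and `wlp3s0` are assumptions (check yours with `ip link`), and the `--list-all` dumps at the bottom are constructed samples, not output from a real machine. By default the script only prints the plan (DRY_RUN=1); set DRY_RUN=0 to execute it.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: bind each of the three interfaces from
# the original post to a zone, allow ssh only on the Tailscale interface, and
# audit a "firewall-cmd --list-all" dump for the wide-open port range.
# ASSUMED interface names (confirm with `ip link` / `nmcli device`):
#   tailscale0 - Tailscale's usual interface name
#   proton0    - the ProtonVPN app's tunnel interface
#   wlp3s0     - placeholder for the physical Wi-Fi or LAN NIC
# DRY_RUN=1 (default) prints the firewall-cmd calls instead of executing them.
set -eu

: "${DRY_RUN:=1}"
TS_IF="${TS_IF:-tailscale0}"
VPN_IF="${VPN_IF:-proton0}"
NET_IF="${NET_IF:-wlp3s0}"

# Wrapper so the whole plan can be reviewed before anything is applied.
fw() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "firewall-cmd $*"
  else
    sudo firewall-cmd "$@"
  fi
}

# Zone policy: the Tailscale interface is the only one that accepts ssh;
# every other interface (VPN tunnel, bare Wi-Fi/LAN) goes into "drop", which
# silently discards unsolicited inbound packets but still lets outbound
# connections and their replies through (browsing, Steam, seeding).
zone_for() {
  case "$1" in
    "$TS_IF") echo "tailscale" ;;
    *)        echo "drop" ;;
  esac
}

apply_zones() {
  # Custom zone whose only inbound allowance is ssh (no-op if it already exists).
  fw --permanent --new-zone=tailscale 2>/dev/null || true
  fw --permanent --zone=tailscale --set-target=DROP
  fw --permanent --zone=tailscale --add-service=ssh

  # Fedora's default zone carries ssh and 1025-65535/tcp+udp; strip them so an
  # interface that lands there by accident is not wide open.
  for p in 1025-65535/tcp 1025-65535/udp; do
    fw --permanent --zone=FedoraWorkstation --remove-port="$p"
  done
  fw --permanent --zone=FedoraWorkstation --remove-service=ssh

  for ifc in "$TS_IF" "$VPN_IF" "$NET_IF"; do
    fw --permanent --zone="$(zone_for "$ifc")" --change-interface="$ifc"
  done

  # Any interface not bound above (e.g. a new public Wi-Fi) falls into "drop" too.
  fw --permanent --set-default-zone=drop
  fw --reload
}

# Audit: given the text of `firewall-cmd --zone=Z --list-all`, succeed only if
# the 1025-65535 range is gone from the "ports:" line.
audit_list_all() {
  n=$(printf '%s\n' "$1" | grep -Ec '^[[:space:]]*ports:.*1025-65535/(tcp|udp)') || true
  [ "$n" -eq 0 ]
}

# Succeed if the "services:" line of a --list-all dump includes ssh.
ssh_allowed_in() {
  n=$(printf '%s\n' "$1" | grep -Ec '^[[:space:]]*services:.*[[:space:]]ssh([[:space:]]|$)') || true
  [ "$n" -gt 0 ]
}

# Constructed sample of `firewall-cmd --list-all` BEFORE the change (Fedora defaults).
SAMPLE_BEFORE='FedoraWorkstation (active)
  target: default
  interfaces: wlp3s0
  services: dhcpv6-client samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp
  protocols:'

# Constructed sample of the "drop" zone AFTER binding the bare NIC to it.
SAMPLE_AFTER='drop (active)
  target: DROP
  interfaces: wlp3s0 proton0
  services:
  ports:
  protocols:'

# Usage: ./lockdown.sh plan   (prints the commands; DRY_RUN=0 ./lockdown.sh plan applies them)
if [ "${1:-}" = "plan" ]; then
  apply_zones
fi
```

Two caveats from a defender's side. First, for interfaces that NetworkManager manages (the Wi-Fi and LAN NICs), binding the zone on the connection with `nmcli connection modify <name> connection.zone drop` is the durable route, since NetworkManager re-applies the zone every time the connection comes up; `tailscale0` is not NM-managed, so `--change-interface` binds it directly. Second, `drop` makes a port scan see the host as filtered rather than closed, but it does not make the machine invisible: anything you later open with `--add-port` in that zone is exposed again, so re-run the audit (`firewall-cmd --zone=drop --list-all`) after adding game ports.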
gwilikers ,

This is great, thank you.

cmgvd3lw ,

Regardless of the zone you use, you can always add/remove services or ports. You can bind the interface like localhost, lan, WireGuard etc. to the zone you want.
