I’m so confused. I have the iptables-services package installed and a working iptables firewall going.
Then I turned on Gnome’s wifi hotspot and saw in journalctl that it adds an NFT table for the shared wifi connection. But when I run systemctl status nftables it says it’s inactive and disabled. I looked through the iptables tables, and there’s nothing from the nft table that the hotspot adds automatically.
I enabled nftables with systemctl start nftables just to see if it picks up and starts processing the hotspot’s table, but I’m not sure how to check this.
Importantly, does Fedora need to have nftables enabled by default for Gnome’s hotspot nftables masquerading table to work? Weirdly, the wifi hotspot does work without nftables enabled, but I’m getting weird packet drops on my iptables firewall, which may be due to nftables not working and not picking up Gnome’s hotspot nftables configuration.
Ok, for those who don’t use firewalld from the moment you install Fedora, like ever ever ever: I used Red Hat’s docs to test this hotspot’s nftables NAT rule (6.8. Debugging nftables rules, Red Hat Enterprise Linux 7 | Red Hat Customer Portal). The nftables hotspot NAT rule does work; the counters show it functions. Notably, nftables.service is inactive during this, which I guess means it is just used to load the ruleset.
In addition, I think I discovered a security vulnerability. When Gnome sets up its wifi hotspot it obviously launches dnsmasq. /etc/dnsmasq.conf shows that you must turn off the TFTP server bundled with dnsmasq because it’s on by default. Like, who knew you’d be running a TFTP server when you just wanted a wifi hotspot?
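The counter check from the Red Hat debugging page referenced in the post above can be scripted so it is repeatable. The block below is an added example and not the poster's own commands: it reads `nft list ruleset` text and prints the packet and byte totals of every masquerade rule that carries a `counter` statement (only rules instrumented that way, as the Red Hat page has you do, report totals). The table name `nm-shared-wlp3s0`, the chain names and the numbers in `SAMPLE_RULESET` are constructed sample output, not captured from a real host; the live helper needs root and the `nft` binary.

```shell
#!/bin/sh
# Added example, not from the thread above: read the counters on the masquerade
# rule of a shared-connection NAT table to confirm it is actually handling
# traffic. Table/chain names and the numbers in SAMPLE_RULESET are constructed
# sample output, not captured from a real host.

# Print "family table chain packets bytes" for every rule that carries both a
# counter and a masquerade action. Reads `nft list ruleset` text on stdin.
masquerade_counters() {
    awk '
        /^table /              { family = $2; table = $3 }
        /^[[:space:]]*chain /  { chain = $2 }
        /counter packets [0-9]+ bytes [0-9]+/ && /masquerade/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "packets") pkts  = $(i + 1)
                if ($i == "bytes")   bytes = $(i + 1)
            }
            print family, table, chain, pkts, bytes
        }
    '
}

# Constructed sample (not captured from a real system): what `nft list ruleset`
# could print once the masquerade rule has been given a counter statement.
SAMPLE_RULESET='table ip nm-shared-wlp3s0 {
    chain nat_postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr 10.42.0.0/24 ip daddr != 10.42.0.0/24 counter packets 1284 bytes 97212 masquerade
    }

    chain filter_forward {
        type filter hook forward priority filter; policy accept;
        ip daddr 10.42.0.0/24 oifname "wlp3s0" ct state { established, related } accept
        ip saddr 10.42.0.0/24 iifname "wlp3s0" accept
        iifname "wlp3s0" oifname "wlp3s0" accept
        iifname "wlp3s0" reject
        oifname "wlp3s0" reject
    }
}'

# Run the parser over the constructed sample.
sample_check() {
    printf '%s\n' "$SAMPLE_RULESET" | masquerade_counters
}

# On a real host: run as root once, push traffic from a hotspot client, run
# again; the packet count on the masquerade rule must have increased.
live_masquerade_counters() {
    if [ "$(id -u)" -ne 0 ] || ! command -v nft >/dev/null 2>&1; then
        echo "needs root and the nft binary; skipping live check" >&2
        return 1
    fi
    nft list ruleset | masquerade_counters
}

sample_check
```

If `nft list ruleset` shows the shared table but the counters stay at zero while a client is browsing, the traffic is not reaching that rule, which is the point at which to look at the iptables rules for something that drops or rejects forwarded packets first.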
The Wi-Fi Hotspot feature automatically creates the necessary firewall rules for traffic forwarding and masquerading, so adding custom rules is at least redundant if not detrimental.
TFTP related functionality in dnsmasq is disabled by default, even if you enable the Wi-Fi Hotspot.
Read /etc/dnsmasq.conf: it binds to the loopback interface by default, and it says you have to uncomment a line to “disable DHCP and TFTP” on that interface.
I just compiled dnsmasq locally real quick without TFTP, which is so nice and quick thanks to Fedora’s fedpkg. Just for the sake of peace of mind. It looks like Gnome launches dnsmasq specifically ignoring any configuration file, so it’s better not to have to worry about anything.
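The TFTP question in the thread above comes down to three separate facts about a running dnsmasq: whether TFTP support was compiled in at all (`dnsmasq --version` lists `TFTP` or `no-TFTP` among its compile time options), whether `--enable-tftp` is on its command line, and whether the config file it actually reads contains an uncommented `enable-tftp` line (dnsmasq starts its TFTP server only when that option is given one of those two ways). The block below is an added example, not code from the thread or from NetworkManager; `SAMPLE_VERSION`, the sample command lines and the sample config lines are constructed, and the hotspot command line only mirrors the observation above that the config file is ignored rather than reproducing NetworkManager's real arguments.

```shell
#!/bin/sh
# Added example, not from the thread above: decide whether a dnsmasq instance
# can serve TFTP from its compile options, its command line and the config file
# it really reads. SAMPLE_VERSION and the sample argument lists are constructed.

# stdin: `dnsmasq --version` output. Prints "yes" if TFTP support is compiled
# in, "no" if the build reports no-TFTP, "unknown" if the line is missing.
tftp_compiled() {
    awk '
        /^Compile time options:/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "TFTP")    { print "yes"; found = 1; exit }
                if ($i == "no-TFTP") { print "no";  found = 1; exit }
            }
        }
        END { if (!found) print "unknown" }
    '
}

# $@: a dnsmasq command line. Prints "enabled" if --enable-tftp is given,
# "disabled" if no flag is given and the config file is /dev/null (nothing is
# read), otherwise "config:<path>" meaning the answer depends on that file.
tftp_from_cmdline() {
    conf=/etc/dnsmasq.conf   # dnsmasq's default config path
    want_conf=0
    for arg in "$@"; do
        if [ "$want_conf" -eq 1 ]; then
            conf=$arg; want_conf=0; continue
        fi
        case "$arg" in
            --enable-tftp|--enable-tftp=*) echo enabled; return 0 ;;
            --conf-file=*)                 conf=${arg#--conf-file=} ;;
            -C|--conf-file)                want_conf=1 ;;
        esac
    done
    if [ "$conf" = /dev/null ]; then echo disabled; else echo "config:$conf"; fi
}

# stdin: a dnsmasq config file. Prints "enabled" only for an uncommented
# enable-tftp line; the shipped file has it commented out.
tftp_in_conf() {
    if grep -Eq '^[[:space:]]*enable-tftp'; then echo enabled; else echo disabled; fi
}

# Constructed sample of `dnsmasq --version` for a build with TFTP compiled in.
SAMPLE_VERSION='Dnsmasq version 2.89  Copyright (c) 2000-2022 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus no-UBus no-i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset no-nftset auth cryptohash DNSSEC loop-detect inotify dumpfile'

sample_compiled() { printf '%s\n' "$SAMPLE_VERSION" | tftp_compiled; }

# Constructed to mirror "launches dnsmasq ignoring any configuration file";
# not NetworkManager's actual argument list.
sample_hotspot_cmdline() {
    tftp_from_cmdline dnsmasq --conf-file=/dev/null --no-hosts --keep-in-foreground \
        --bind-interfaces --except-interface=lo --listen-address=10.42.0.1 \
        --dhcp-range=10.42.0.10,10.42.0.254,60m
}

# The only way the TFTP server comes up without a config file: an explicit flag.
sample_explicit_tftp() { tftp_from_cmdline dnsmasq --enable-tftp=wlp3s0 --tftp-root=/srv/tftp; }

# Two constructed lines in the style of the stock /etc/dnsmasq.conf.
sample_stock_conf() {
    printf '%s\n' '# Enable the built-in TFTP server' '#enable-tftp' | tftp_in_conf
}

# Live check on a real host: compile options plus the command line of every
# running dnsmasq (reading /proc/<pid>/cmdline of other users' processes needs root).
live_tftp_state() {
    command -v dnsmasq >/dev/null 2>&1 || { echo "dnsmasq not installed" >&2; return 1; }
    echo "compiled: $(dnsmasq --version | tftp_compiled)"
    for pid in $(pidof dnsmasq); do
        set -- $(tr '\0' ' ' < "/proc/$pid/cmdline")
        echo "pid $pid: $(tftp_from_cmdline "$@")"
    done
}

echo "TFTP compiled in:       $(sample_compiled)"
echo "hotspot command line:   $(sample_hotspot_cmdline)"
echo "explicit --enable-tftp: $(sample_explicit_tftp)"
echo "stock config file:      $(sample_stock_conf)"
```

A dnsmasq that reports `TFTP` in its compile options but runs with `--conf-file=/dev/null` and no `--enable-tftp` has no TFTP listener; checking with `ss -ulnp` for UDP port 69 confirms it on the live host. Rebuilding without TFTP, as done above, simply turns the `yes` from `tftp_compiled` into `no` and removes the question entirely.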