Is my firewall working correctly? How can you tell? Please help to understand it

Hi all

First of all, I have to tell you that I am a total Linux noob, I installed Fedora for the very first time a week ago. This is my desktop PC, home use. Since then I installed some apps and extensions, everything seems nice and seems to be working. I like it!
(-actually I have installed everything twice… rookie mistakes… first Windows on a different SSD separately, both Linux and Windows GPT table, UEFI mode, using Rufus for both)
Grub is working, all booting.
But!
I am not convinced that my Linux firewall is actually working as it should -or doing anything at all.
After installing Fedora 38 Workstation, the firewall was in an inactive dead? state, so I installed it from the terminal. (2x for tests…) It added the graphical GUI, I can make settings from the GUI or from the terminal. When I hit “Panic mode” I get no connection to the internet.

This is what the current status looks like:

sudo firewall-cmd --state
running

firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp3s0 lo
  sources: 
  services: dhcpv6-client mdns
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

sudo systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; preset>
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: active (running) since Sun 2023-05-07 18:20:54 UTC; 37min ago
       Docs: man:firewalld(1)
   Main PID: 812 (firewalld)
      Tasks: 4 (limit: 19043)
     Memory: 57.0M
        CPU: 1.189s
     CGroup: /system.slice/firewalld.service
             └─812 /usr/bin/python3 -sP /usr/sbin/firewalld --nofork --nopid

I have changed the:
zone to public for both interfaces (lo is the local IP 127.x.x.x),
removed SSH from services,
and changed forward: from yes to no, - not completely sure what this is

I have been reading the documentation and articles for this firewall for days, and I am kind of stuck with it. I wanna see it working before I can trust it, that's all…
I tried to check it with some port checking websites, no open port found. - my router is in between so this “check” is of no use.

netstat: seems useless, as it only indicates the outgoing port number (which are all allowed in this firewall by principle if I am correct), and the foreign incoming port which is on the other computer somewhere far far away…
I can see the given 43201 qBittorrent port in netstat LISTENING, but that would always be the case, as “LISTENING” means it wants to connect, but it hasn't connected yet.
There are “ESTABLISHED” connections for qBittorrent, but I can not see this given 43201 port number, as it shows only the local outgoing port and the incoming port of the other machine somewhere.

Questions:
1, Do my firewall status/settings seem right?
2, How can Firefox still connect to the internet if I remove the two above services (dhcpv6-client and mdns)?
3, Do I understand correctly that this firewall lets everything out of my PC and controls only the incoming traffic? -is it really?
4, Why do I have an “lo” interface? This is some kind of local loop, could this be causing something? -maybe because of Tor Browser installed?! -I can see active traffic going on it.

5, How can qBittorrent indicate “Connection Status” “Active” with the above settings, without opening the given port for it? (-upnp disabled)
It says “- Successfully listening on IP. IP: “xy:xy:xy:%enp3s0”. Port: “TCP/43201”

6, Should I check “Lockdown” in GUI Options? (locks firewall configuration?!, there is a whitelist for lockdown by default)
7, Do I understand netstat correctly? Is there any way to see the incoming (local) port number of a working connection?

:smiley: Thanks for reading it!
I appreciate the help!

Mostly yes.

The loopback interface restriction is pointless at best, and can backfire at worst.

It can be useful when the host is configured as a router with ingress and egress interfaces in the same zone, otherwise it should be safe to disable.

You can test it with Nmap in a VM, or from another host on your local network.

mDNS is part of zeroconf setup used for name resolution and service discovery on the local network, it is unrelated to traditional DNS.
DHCPv6 client helps obtain and renew DHCPv6 leases, it is unrelated to DHCPv4 and SLAAC.

Yes, the current threat model expects the installed services and apps are trusted.
Testing and running untrusted software is best to perform in a properly isolated VM.

This is normal and often essential.

Probably it does not check whether the port is actually reachable or not.
Firewall cannot stop services and apps from binding local ports.

Sure you can try, it works fine for me in CLI.

To tell the truth, netstat is a legacy tool along with ifconfig, route, etc.

sudo ss -anpAinet | grep -e transmission

See also:


Hi Vladislav,
Thanks for the long answer, I am on it!
Just to clarify some things;

Does this mean that pretty much everything installed on my Fedora system the normal way (not specifically isolated, just installed from the repositories or manually) has access to the internet in and out on whatever port they want?
And with this, if an installed app like a browser or torrent client opens an incoming port for a foreign PC, this foreign PC can also get in on whatever port my app opened for it? Because everything is trusted by default in the system?
This is the reason why Firefox could still connect without any services or forwarded ports!?:bulb:
OK, I think I misunderstood the whole concept. - and I don't like it :slight_smile:
Yes, I am coming from a Windows system, so my brain is still in Windows mode :laughing:
Can I install a proper firewall? Is ufw any good?

Not exactly, as binding the well-known ports requires superuser privileges, and there are additional SELinux related restrictions for system services.

Yes, this is basically how network communication is designed to work.
The firewall utilizes connection tracking to remember the source/destination host/port and accept incoming replies to established connections, see:

sudo dnf install conntrack-tools
sudo conntrack -L

Yes, it’s due to permissive policy/rules for outgoing and established connections.

If you need an application level firewall, there’s a more suitable thread.

That’s unlikely as UFW relies on legacy tools and it’s conceptually less advanced than firewalld.
Fedora Workstation/Server preinstalls firewalld and integrates it with SELinux and other system services including network sharing and virtualization, which may not work well with UFW.

Hi,
I am trying to set up some of these tools, and I have some noob questions :slight_smile:
A little off topic though:
Should/could I use the system included “Boxes” app to create a virtual machine for nmap?
Are Flathub and Flatseal safe to use to create a sandbox for apps I wanna have more control over? If so, why are they marked as “UNSAFE” in the Software GUI?
To be honest this scares me a little as a newbie Linux user, especially with the philosophy of firewalld “everything you installed is trusted by default”.

This should be the easiest option.
The next recommended solution is virt-manager.

Sorry, I use neither Flatpaks nor GNOME Software, but as far as I know, this is a huge topic deserving a separate thread.

Perhaps it is relatively less safe compared to the Fedora-owned/controlled repos.

This is part of UNIX concept with strict separation of user and admin roles.
Software installation is potentially dangerous and requires a certain level of competence.
Users are not allowed to perform admin level tasks that can harm the system.

Interesting thread.

Good that you disabled SSH, because this open port assumes that all user accounts are protected with a very good password or password authentication is disabled.

Note that your internet provider’s router might be equipped with a firewall doing in essence the same: deny all incoming and allow all outgoing.

I do not use BitTorrent, but if I understood correctly: for some speed you should share your downloads with the outside world, so that means opening a port in the Fedora firewall and in the router. UPnP means that the application can open ports; as far as I know this is fortunately not implemented in firewalld but could be (should not be) enabled in the router.

I did not know opensnitch. Given the fact that users e.g. press buttons too fast in phishing mails, notification of unknown programs connecting to internet is not bad. But I cannot find it in the Fedora repositories yet, so manual installation is required and not recommended unless you completely trust the authors.

dhcpv6 client could be necessary if your provider supports IPv6 and provides information from a DHCPv6 server. Not yet essential since almost all sites still provide IPv4 addresses, but that might change in future. I think you can safely leave this enabled.

So what should be the desired settings for it?
I can’t remember what the initial state was before I started to modify it (perhaps FedoraWorkstation?)
Is this OK now?:

sudo firewall-cmd --list-all-zones
FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: lo
  sources: 
  services: dhcpv6-client mdns samba-client
  ports: 1025-65535/udp 1025-65535/tcp
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp3s0
  sources: 
  services: dhcpv6-client mdns
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
...

Why does it matter what zone I set for it, as it is working with system processes only, so all of them are trusted by default, therefore no restriction? - I am just trying to understand the logic

The default firewalld config does not restrict the loopback interface.

sudo firewall-cmd --permanent --zone=FedoraWorkstation --remove-interface=lo
sudo firewall-cmd --reload
sudo firewall-cmd --get-active-zones

It depends on the order of prohibitive and permissive nftables rules generated by firewalld.
To be clear, this is not a supported use case, so even though it currently works, you can blame no one if it breaks after some update due to a change in implementation logic.

sudo firewall-cmd --get-active-zones
public
  interfaces: enp3s0 lo

I changed the default zone to public as well…
In the GUI I can change only between the given zones, no option for “no zone”

Is it maybe “trusted”?

trusted
All network connections are accepted.

Hmm another rookie mistake I guess :slight_smile: Maybe easier to uninstall, remove config file somehow (it stayed in the system last time I tried) and install it back.
EDIT: I reinstalled only the GUI “firewall-config”

Historically, Linux software development often prioritizes the CLI over the GUI, so it is not surprising that GUI may receive less attention from users and developers, leading to GUI-specific issues.

The screenshot on the main site does not list the loopback interface, so this can be a bug in the current GUI version.

If you analyze the generated rules, it is clear that assigning the loopback interface to any zone makes no sense as there are built-in permissive rules preceding zone processing:

for CHAIN in INPUT OUTPUT FORWARD; do \
sudo nft list chain inet firewalld filter_${CHAIN}; done

Perhaps the developers are not aware of this problem, or do not consider it critical enough to require urgent fixing, but you can open an issue if you are concerned about it.
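The checks discussed in this thread (lo assigned to a zone, ssh left in a zone's services, wide port ranges, forward enabled) can be scripted against a captured zone dump. This is an added example, not code from the thread or from firewalld; the zone text below is constructed, and the `audit_zones` function name is my own.

```shell
#!/bin/sh
# Audit a `firewall-cmd --list-all-zones` dump for the settings discussed above.
# Added example; SAMPLE_ZONES is a constructed capture, not a real system.

SAMPLE_ZONES='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp3s0 lo
  services: dhcpv6-client mdns ssh
  ports: 
  forward: yes

FedoraWorkstation (active)
  target: default
  interfaces: lo
  services: dhcpv6-client samba-client
  ports: 1025-65535/udp 1025-65535/tcp
  forward: yes
'

# audit_zones: reads zone dump text on stdin, prints one finding per line.
# Zone headers are unindented ("public (active)"); settings are indented by two spaces.
audit_zones() {
    awk '
        /^[A-Za-z0-9_-]+( \(active\))?$/ { zone = $1; next }
        /^  interfaces:/ { for (i = 2; i <= NF; i++) if ($i == "lo")
            print zone ": lo assigned to a zone (built-in rules accept lo before zones; no effect)" }
        /^  services:/   { for (i = 2; i <= NF; i++) if ($i == "ssh")
            print zone ": ssh exposed; keep only with strong passwords or key-only auth" }
        /^  ports:/      { for (i = 2; i <= NF; i++) if ($i ~ /^[0-9]+-[0-9]+\//)
            print zone ": wide port range " $i " open" }
        /^  forward: yes/ { print zone ": forward enabled (only needed when the host routes between interfaces)" }
    '
}

# count_findings: number of findings for text given on stdin.
count_findings() {
    audit_zones | wc -l | tr -d " "
}

# Run against the constructed sample; on a live host use:
#   sudo firewall-cmd --list-all-zones | audit_zones
printf '%s\n' "$SAMPLE_ZONES" | audit_zones
```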

On my GUI (version 1.3.1), there is a separate (lo) interface, maybe that's an old picture. I can set it individually on the GUI as well.
Maybe not the best idea to delete the config file, as it comes with the Fedora system I think.
This is the reason I got a “FedoraWorkstation” zone?! I think by removing the config and reinstalling the firewall, it would install only the factory default settings, without this “FedoraWorkstation” zone, and who knows what else!? - no idea but let's just slow down a bit…

Yes I am concerned, and I wanna fix my firewall…
Thanks for all the help!

So, anyone who has Fedora 38 Workstation with default settings for the firewall, please take a look and tell me the settings for the “lo (lo)” interface! THX

There is an option for use with firewall-cmd to reset everything to default.
firewall-cmd --reset-to-defaults

As I understand it that resets everything to the original default and removes any custom config the user may have done.

firewall-cmd -h gives many many options with short descriptions that one may use to learn about managing the firewall & it seems the above command may allow recovery when an error is made.

Hi,
I tried it, but it seems it resets only the zone settings, not the whole configuration.

firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp3s0
  sources: 
  services: dhcpv6-client mdns ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: lo
  sources: 
  services: dhcpv6-client samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
...

Can I repair the system without a full reinstall? Would that overwrite/restore all firewall config?

EDIT:
I reinstalled the whole system, again :slight_smile:
This time I did not install the GUI for the firewall…
I had to set the default zone to public to make the changes permanent for some reason.

Anyway, the current state:

sudo firewall-cmd --get-active-zones
public
  interfaces: enp3s0

sudo firewall-cmd --list-all-zones
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp3s0
  sources: 
  services: dhcpv6-client mdns
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

...

No sign of the “lo” interface anymore. :smiley: What an achievement…
So I will test the connections as discussed before, first I need to study what you linked before.

Do not worry about this “lo” interface, it’s only for use within the machine. It has address 127.0.0.1, and there is no router which accepts this address. There is no traffic on the internet with 127.0.0.1 as source or destination address. If I see correctly with nftables, the firewalld backend, there are special default rules to allow everything from and to lo, to prevent applications from no longer working. If I assign lo to the “block” zone, I can just ssh to localhost, so it does not work and makes no sense.

If I remember correctly, the lo interface was added to the firewall-config GUI not long ago, but I can’t find why, and I do not know because traffic is accepted before the zones are evaluated.


This may sound unrelated to the topic's specifics, however that being said I think that I learned here that to begin setting up a strong and powerful defense in cybersecurity, one must understand threat modeling and how to apply that to their specific use case in order to establish proper firewall restrictions and iptables configurations. Correct me if I am wrong, even if a SANS white paper says block this or remove these ports, it’s still imperative to keep in mind an actual threat modeling framework to be successful in creating firewall zones.


You are correct. Remember that the white paper is suggestions for average (or at least specific to the author) conditions; they do not fit every use case and may impact some users negatively.

Every situation requires its own threat model to be developed to fit the needs of the user.

Thank you for filling me in!
You’re a great help Jeff V.