On 25 February 2016 at 11:48, Timothy Murphy <gayleard@xxxxxxxxxx> wrote:
This is the polkit configuration for it. Again I go into detail on the blog article but the default configuration is that if not root it requests admin credentials to reload (or even view some stuff).Richard Shaw wrote:
> On Tue, Feb 23, 2016 at 7:31 AM, Timothy Murphy <gayleard@xxxxxxxxxx>
> wrote:
>
>> I see that I have to open ports 1714-1764, TCP and UDP.
>> I'm running firewalld on the laptop.
>> I give the command "firewall-config" and authenticate.
>> Clicking on zone "internal" I see that kde-connect is ticked.
>> And when I go to Ports I see that ports 1714-1764 are listed, TCP and
>> UDP. And all this remains set if I reboot.
> Let's try the simple stuff first... Is your default zone for your network
> connection also "internal"?
Thank you very much.
That was indeed the issue.
After changing the default zone to "internal" everything works fine.
I'm still curious about this ... if you look at the underlying iptables rules with iptables -vnL you'll see traffic on localhost is ALLOW before any zone stuff is checked:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
In fact if you firewall-cmd --list-interfaces you'll see that lo is not bound to any zone (which is sensible given the policy above... otherwise it'd be misleading as zone would never be jumped to for it).
But I don't understand the reasoning behind this.
This use of the term "zone" seems to me misleading and bizarre.
I run shorewall on my home server, and there the "zone"
can be "net", "local", etc.
Any changes made to a particular zone come into effect
on restarting shorewall.
It would not make sense in this context to choose a "default zone".
I've always hated the term "zone" in firewalld - it's very misleading given how it's used elsewhere and the default zones that you can't remove make it worse.
I did go into detail on it here though that may help: https://www.hogarthuk.com/?q=node/9
The short of it is the zone name is a label and most of the zones are not in use and will rarely if ever be in use in most installs.
You can apply rules to that label (and they will not be persistent unless --permanent is used, in which case runtime won't be affected, or the runtime is persisted with --runtime-to-permanent) and that label can be bound to an interface or to a source network address.
In addition NetworkManager can be configured to apply a zone to a connection profile so you could have work always use the 'work' and $cafe use 'public' based on their different connection profiles (based on SSID).
The 'default' zone is just the rules used if no other zones have configurations that match that interface or source network.
Incidentally, restarting firewalld does not seem to me to work properly,
as a window comes up asking for authentication.
I don't recall any other service requiring this,
and it would seem to prevent remote restarting.
Keep in mind the polkit policy for firewall-cmd --reload behaviour is distinct and separate from a systemd polkit policy limiting systemctl <action> <unit> to admin users.
In terms of remote restarting polkit will only use a GUI prompt if a display is detected, otherwise it'll have a text based authentication interaction.. and again this is only if not root.
-- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
