Bug 1499280
Summary: Enabling screen sharing does not correctly set the firewall
Product: Fedora
Component: gnome-remote-desktop
Version: 29
Status: CLOSED EOL
Keywords: Reopened
Severity: unspecified
Priority: unspecified
Reporter: Christophe de Dinechin <dinechin>
Assignee: Jonas Ådahl <jadahl>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dinechin, jadahl
Hardware: Unspecified
OS: Unspecified
Last Closed: 2019-11-27 21:23:02 UTC
Type: Bug
Description
Christophe de Dinechin
2017-10-06 15:14:07 UTC
I don't know what firewall-config is, but it's not installed by default, and unnecessary on Fedora Workstation.
$ sudo ls -l /etc/firewalld/
total 40
lrwxrwxrwx. 1 root root 26 Oct 29 2015 firewalld.conf -> firewalld-workstation.conf
You can double-check that the firewalld Workstation configuration is the default. For which this is the default configuration:
$ cat /usr/lib/firewalld/zones/FedoraWorkstation.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Fedora Workstation</short>
<description>Unsolicited incoming network packets are rejected from port 1 to 1024, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
<service name="dhcpv6-client"/>
<service name="ssh"/>
<service name="samba-client"/>
<port protocol="udp" port="1025-65535"/>
<port protocol="tcp" port="1025-65535"/>
</zone>
Port 5900 is opened by default.
Which method of installation did you use to not get firewalld's Fedora Workstation configuration done correctly?

> I don't know what firewall-config is, but it's not installed by default,
> and unnecessary on Fedora Workstation.
It's a GUI to configure the firewall, which is the first thing that shows up if you search for "firewall" in the Software application. I used that only to illustrate that it too is confused by the configuration. The initial steps in my bug description did not use it.
My /etc/firewalld looks similar to yours
[root@crazypad ~]# ls -l /etc/firewalld/
total 40
lrwxrwxrwx. 1 root root 26 Jul 6 00:24 firewalld.conf -> firewalld-workstation.conf
[Plus some others]
My firewalld-workstation.conf looks exactly like yours:
[root@crazypad ~]# cat /usr/lib/firewalld/zones/FedoraWorkstation.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Fedora Workstation</short>
<description>Unsolicited incoming network packets are rejected from port 1 to 1024, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
<service name="dhcpv6-client"/>
<service name="ssh"/>
<service name="samba-client"/>
<port protocol="udp" port="1025-65535"/>
<port protocol="tcp" port="1025-65535"/>
</zone>
With firewalld activated, I cannot connect with VNC, and with telnet I get:
ddd@ptitpuce ~> telnet crazypad 5900
Trying 192.168.77.187...
telnet: connect to address 192.168.77.187: Connection refused
telnet: Unable to connect to remote host
ddd@ptitpuce ~>
With firewalld deactivated, I can connect:
[root@crazypad ~]# systemctl stop firewalld
[root@crazypad ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor pr
Active: inactive (dead) since Mon 2017-10-16 10:37:50 CEST; 53s ago
Docs: man:firewalld(1)
Main PID: 17800 (code=exited, status=0/SUCCESS)
Connecting with VNC works. Telnet also:
ddd@ptitpuce ~> telnet crazypad 5900
Trying 192.168.77.187...
Connected to crazypad.dinechin.lan.
Escape character is '^]'.
RFB 003.007
^]
As for the method of installation, that was a regular installation from a USB key, with practically the default parameters for everything, except that on this machine, this is a triple-boot machine (Fedora, RHEL and Win10) with shared partitions for /home and swap between RHEL and Fedora. I have observed the same issue with several other installations. I just tested on Fedora 25, and there it seems to work OK, so it may be a regression since F25.
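
Added example (not part of the bug report and not firewalld code): a small offline check of the two facts the thread keeps coming back to, namely which zone `DefaultZone` selects and whether that zone's `<port>` entries cover 5900/tcp. The zone XML is the one quoted above; the restricted zone, the config excerpt and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Zone file as quoted in the report (description element omitted for brevity).
WORKSTATION_ZONE = b"""<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Fedora Workstation</short>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <service name="samba-client"/>
  <port protocol="udp" port="1025-65535"/>
  <port protocol="tcp" port="1025-65535"/>
</zone>"""

# Constructed for contrast: a hypothetical custom zone with no <port> entries.
RESTRICTED_ZONE = b"""<zone>
  <short>Restricted (constructed)</short>
  <service name="ssh"/>
</zone>"""

# Constructed firewalld.conf excerpt holding the setting queried in the thread.
CONF_TEXT = "# constructed sample\nDefaultZone=FedoraWorkstation\n"

def parse_default_zone(conf_text):
    """Return the DefaultZone value from firewalld.conf text, or None."""
    for line in conf_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#") and key.strip().lower() == "defaultzone":
            return value.strip()
    return None

def zone_port_rules(zone_xml):
    """Return [(protocol, low, high)] for every <port> element of a zone."""
    rules = []
    for el in ET.fromstring(zone_xml).findall("port"):
        low, _, high = el.get("port").partition("-")
        rules.append((el.get("protocol"), int(low), int(high or low)))
    return rules

def port_allowed(zone_xml, port, protocol="tcp"):
    """True if an explicit <port> entry covers port/protocol.

    <service> entries are not resolved here; they map to ports through
    separate service definition files, so ssh (22/tcp) reports False.
    """
    return any(p == protocol and lo <= port <= hi
               for p, lo, hi in zone_port_rules(zone_xml))

if __name__ == "__main__":
    print("default zone:", parse_default_zone(CONF_TEXT))
    print("5900/tcp in FedoraWorkstation:", port_allowed(WORKSTATION_ZONE, 5900))
    print("5900/tcp in restricted zone:", port_allowed(RESTRICTED_ZONE, 5900))
```

The same check makes the exposure of the stock zone visible: every TCP and UDP port from 1025 to 65535 is reachable, so any unprivileged listener, not only VNC on 5900, is open to the network under that zone.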
I guess that the firewall-config application added additional firewall configuration, or firewalld is still badly setup. What's the output of:
$ sudo grep -i defaultzone /etc/firewalld/firewalld-workstation.conf
on your system? It should say:
DefaultZone=FedoraWorkstation

This message is a reminder that Fedora 26 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '26'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 26 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

Fedora 26 changed to end-of-life (EOL) status on 2018-05-29. Fedora 26 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
The problem still occurred to me during the F28 -> F29 upgrade.
# grep -i defaultzone /etc/firewalld/firewalld-workstation.conf
DefaultZone=FedoraWorkstation
Reopening against F29.

The process that shows the misconfiguration is firewall-config. The misconfiguration was applied by the F28->F29 update to a "home" zone I had created for the purpose of "protecting" this particular setting. Obviously, it did not work ;-)
Here are the firewall-related things I have installed:
firewall-config.noarch 0.6.3-1.fc29 @updates
firewalld.noarch 0.6.3-1.fc29 @updates
firewalld-filesystem.noarch 0.6.3-1.fc29 @updates
python3-firewall.noarch 0.6.3-1.fc29 @updates
Here are the VNC-related things I have:
gtk-vnc2.x86_64 0.9.0-2.fc29 @fedora
gvnc.x86_64 0.9.0-2.fc29 @fedora
libvncserver.x86_64 0.9.11-8.fc29 @fedora
tigervnc-license.noarch 1.9.0-3.fc29 @fedora
tigervnc-server-minimal.x86_64 1.9.0-3.fc29 @fedora
vino.x86_64 3.22.0-11.fc29 @fedora

This message is a reminder that Fedora 29 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 29 on 2019-11-26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '29'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 29 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

Fedora 29 changed to end-of-life (EOL) status on 2019-11-26. Fedora 29 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.