Bug 904336

Summary: Unable to configure Firewall using new GUI in F18
Product: [Fedora] Fedora Reporter: Michael Monreal <michael.monreal>
Component: firewalldAssignee: Thomas Woerner <twoerner>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 18CC: jpopelka, twoerner
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-01-30 14:12:09 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Michael Monreal 2013-01-26 11:22:20 UTC 
This report is really about firewall-config, but that package does not seem to have its own component. Please reassign if a better one exists.

The problem about firewalld/firewall-config compared to iptables/system-config-firewall is that I am unable to configure it correctly. I have some background in networking and firewalling, but the new GUI is very confusing and does not work the way I expect. Partly this seems to be caused by the concept of "Zones" which seems to be introduced by firewalld. What are "Zones" and how do they work? 

The GUI looks similar to the old one but it behaves differently. The user is left in the dark and there is no manual.
Comment 1 Michael Monreal 2013-01-26 11:33:41 UTC 
To explain the situation a bit better: I originally wondered why I could not access my DLNA shares. At some point I noticed that the firewall was probably blocking connections, so I first tried to allow these connections. 

1.) There is no end user friendly setting like "allow home media sharing" or something like that.

2.) There is a list of predefined services. I happen to know that I need UPnP/DLNA but sadly this is not in the list.

3.) I looked up the ports and added them manually. Still things did not work so I began to wonder about the Zones but was unable to understand the concept (do I need to allow the ports in multiple zones? Do I need to reload something?)

4.) After experimenting and still not getting any positive result I wanted to disable the firewall. The old GUI had an option for this, the new one does not...

5.) I ended up running "iptables --flush" and things started to work right away, so the problem was definitely related to the firewall. Sadly I did not find any word on the "official" way to disable the firewall permanently.

So in the end I managed to work around the problem but not really solve it. An average user would probably given up much sooner, so this is really a problem I think.
Comment 2 Jiri Popelka 2013-01-30 13:35:32 UTC 
(In reply to comment #0)
> What are "Zones" and how do they work? 

man firewalld.zones
Comment 3 Jiri Popelka 2013-01-30 14:08:33 UTC 
(In reply to comment #1)
> 1.) There is no end user friendly setting like "allow home media sharing" or
> something like that.

proposed feature
https://fedoraproject.org/wiki/FirewallD?rd=FirewallD/#Port_metadata_information_.28proposed_by_Lennart_Poettering.29

> 2.) There is a list of predefined services. I happen to know that I need
> UPnP/DLNA but sadly this is not in the list.

duplicate of bug #892801 ?

> 3.) I looked up the ports and added them manually. Still things did not work
> so I began to wonder about the Zones but was unable to understand the
> concept (do I need to allow the ports in multiple zones? Do I need to reload
> something?)

You need to change only zone which your connection is in. If you did not change it all connections are in default='public' zone.
Which ports did you add ?
From bug #892801 it seems that one needs to add *source* port 1900, which is not feasible at the moment. We can continue this UPnP related problem in bug #892801.

> 4.) After experimenting and still not getting any positive result I wanted
> to disable the firewall. The old GUI had an option for this, the new one
> does not...
> 
> 5.) I ended up running "iptables --flush" and things started to work right
> away, so the problem was definitely related to the firewall. Sadly I did not
> find any word on the "official" way to disable the firewall permanently.

systemctl stop firewalld.service
systemctl disable firewalld.service
Comment 4 Jiri Popelka 2013-01-30 14:12:09 UTC 
Closing as duplicate of bug #892801 as the inability to allow UPnP is the main problem here too.

*** This bug has been marked as a duplicate of bug 892801 ***
Comment 5 Michael Monreal 2013-01-30 17:13:19 UTC 
Jiri, thansk for your reply. I have read some Wiki pages now, so I finally understand what Zones means. The concept is great, but it's really not intuitive to use. The worst part is that there is no documentation accessible from the GUI. Even a link to the Fedora wiki under "Help" would have saved me a lot of frustration.
Comment 6 Jiri Popelka 2013-01-31 10:14:26 UTC 
(In reply to comment #5)
> Even a link to the Fedora wiki under "Help" would
> have saved me a lot of frustration.

Added:
http://git.fedorahosted.org/cgit/firewalld.git/commit/?id=4dbb4e53e5faf4f6219210854b4c59c199655f3d