Bug 1161122 - Please include firewalld predefined service and permissions for tinc
Summary: Please include firewalld predefined service and permissions for tinc
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: firewalld
Version: rawhide
Hardware: noarch
OS: Linux
low
low
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-11-06 12:34 UTC by Răzvan Sandu
Modified: 2015-01-12 15:49 UTC (History)
3 users (show)

Fixed In Version: firewalld-0.3.13-1.fc20
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-06 06:13:02 UTC
Type: Bug


Attachments (Terms of Use)

Description Răzvan Sandu 2014-11-06 12:34:37 UTC
Description of problem:


Tinc (http://www.tinc-vpn.org/) is a popular, cross-distro VPN solution that allows MESH networks. For RedHat family, it is available in Fedora EPEL.

According to documentation, tinc uses port 655 for its VPN interface (http://tinc-vpn.org/documentation/Example-configuration.html), probably both TCP and UDP

In order to allow its speedy usage on a larger number of systems, including production ones, and smooth usage of firewalld systems, please add:

- a specific, predefined service for it under /usr/lib/firewalld/services/
- appropriate permissions, including SELinux, if necessary


Additional info:
http://www.tinc-vpn.org/documentation-1.1/Technical-information.html#Technical-information


Best regards,
Răzvan

Comment 1 Jiri Popelka 2014-12-02 13:57:07 UTC
(In reply to Răzvan Sandu from comment #0)
> According to documentation, tinc uses port 655

Yes, looks like that
# grep tinc /etc/services 
tinc            655/tcp                 # TINC
tinc            655/udp                 # TINC

Comment 3 Răzvan Sandu 2014-12-03 18:05:51 UTC
Thank you very much, that is exactly what we need.

Please see also bug #1155972, whic is related.

Thanks again,
Răzvan

Comment 4 Fedora Update System 2014-12-04 18:45:01 UTC
firewalld-0.3.13-1.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/firewalld-0.3.13-1.fc21

Comment 5 Fedora Update System 2014-12-04 18:45:35 UTC
firewalld-0.3.13-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/firewalld-0.3.13-1.fc20

Comment 6 Fedora Update System 2014-12-05 00:48:08 UTC
Package firewalld-0.3.13-1.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing firewalld-0.3.13-1.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-16322/firewalld-0.3.13-1.fc21
then log in and leave karma (feedback).

Comment 7 lnie 2014-12-05 08:37:50 UTC
firewalld-0.3.13-1.fc20 works but firewalld-0.3.13-1.fc21 isn't installable

Comment 8 Fedora Update System 2015-01-06 06:13:02 UTC
firewalld-0.3.13-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2015-01-06 06:15:48 UTC
firewalld-0.3.13-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Răzvan Sandu 2015-01-12 14:11:32 UTC
Hello,

Tinc VPN daemon (http://www.tinc-vpn.org/) sends/receives packets over 655 UDP.

Similar to openvpn.xml, please add the following standard service to firewalld RPM, with appropriate permissions:


<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>tinc</short>
  <description>tinc is a virtual private network (VPN) solution. It is used to create encrypted mesh tunnels between computers. If you plan to provide a VPN service via tinc, enable this option.</description>
  <port protocol="udp" port="655"/>
</service>


Best regards,
Răzvan

Comment 11 Jiri Popelka 2015-01-12 15:25:00 UTC
Răzvan,
it [1] has been there since firewalld-0.3.13. Have you tried that version ?

[1] https://git.fedorahosted.org/cgit/firewalld.git/plain/config/services/tinc.xml

Comment 12 Răzvan Sandu 2015-01-12 15:49:37 UTC
Hello and thanks,  :)

No, I didn't, since I only have production machines here. I am using CentOS and the version of tinc available in Fedora's EPEL.

The only correction seems to be that only UDP is needed in the service file, similar to present openvpn.xml one.

Thanks again,
Răzvan


Note You need to log in before you can comment on or make changes to this bug.