Bug 1279190 - kde-connect firewalld rule usability
kde-connect firewalld rule usability
Status: NEW
Product: Fedora
Classification: Fedora
Component: kde-connect (Show other bugs)
x86_64 Linux
unspecified Severity low
: ---
: ---
Assigned To: Martin Bříza
Fedora Extras Quality Assurance
: FutureFeature
Depends On:
  Show dependency treegraph
Reported: 2015-11-08 08:59 EST by Edward O'Callaghan
Modified: 2017-01-25 17:42 EST (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Edward O'Callaghan 2015-11-08 08:59:34 EST
Description of problem:

The kde-connect package provides firewalld rules but does not make it clear or semi-automatic that the rule needs to be applied before it will work. This will confuse most non-technical users.

Version-Release number of selected component (if applicable):

Fedora 23

 # rpm -q kde-connect

Additional info:

To `fix` the issue one should run:

 # firewall-cmd --permanent --add-service kde-connect
 # firewall-cmd --reload

Ideally upon trying to use kde-connect we should detect if the ports are being blocked, ask dbus???

Comment 1 Rex Dieter 2015-11-10 19:08:40 EST
It all depends on your default firewall zone, whether these extra rules are needed or not.

I'm not aware of any runtime method to determine if ports are blocked/open or not.

Not sure if there's currently much we can do (in kde-connect), maybe firewalld and friends can.
Comment 2 Edward O'Callaghan 2015-11-30 09:29:32 EST

Hi so I worked out how to possibly fix this by using the DBus interface.

$ qdbus --system --literal org.fedoraproject.FirewallD1 /org/fedoraproject/FirewallD1 org.fedoraproject.FirewallD1.zone.getActiveZones

[Argument: a{sa{sas}} {"home" = [Argument: a{sas} {"interfaces" = {"wlp3s0"}}]}]

$ qdbus --system --literal org.fedoraproject.FirewallD1 /org/fedoraproject/FirewallD1 org.fedoraproject.FirewallD1.zone.queryService home kde-connect


$ qdbus --system --literal org.fedoraproject.FirewallD1 /org/fedoraproject/FirewallD1 org.fedoraproject.FirewallD1.zone.addService home kde-connect 10


$ qdbus --system --literal org.fedoraproject.FirewallD1 /org/fedoraproject/FirewallD1 org.fedoraproject.FirewallD1.zone.queryService home kde-connect

How about that? :D

Kind Regards,
Comment 3 Rex Dieter 2015-11-30 09:37:20 EST
We're not allowed to poke holes in firewall automatically... if that's what you're suggesting

We could add a script (that users can run) in the packaging to do it, if you want though.
Comment 4 Edward O'Callaghan 2015-11-30 10:44:19 EST
Well I am not suggesting that exactly. This is a usability bug report.

I am suggesting that kde-connect, as part of its pairing wizard, can determine that the service is not enabled and ask the user if they would like to poke the hole for kde-connect to work. Hence the boolean RPCalls above that demonstrate the query aspects.

At minimum I suggest that kde-connect should query the respective boolean to advice the user that the firewall is not permissive of the required traffic so the user even knows where to look in the first place. Most typically a user will just find kde-connect "does not work" and have a blank expression on their face then give up ;)

Comment 5 Rex Dieter 2015-11-30 10:46:20 EST
OK, if you're suggesting code/UI changes, that would be an excellent suggestion for upstream developers.  We (most likely) will be unable to implement anything like that downstream in fedora ourselves
Comment 6 Edward O'Callaghan 2015-11-30 11:09:29 EST

Can we leave this open and confirmed, I'll file a upstream bug and link it here when I get a moment so if users get confused it is at least a known-issue.

Comment 7 Rex Dieter 2015-11-30 11:15:11 EST
Sure, that's perfectly fine.

And, thanks a lot for your input here.
Comment 8 skierpage 2017-01-25 17:27:54 EST
It would be nice to suggest that users must open ports in the firewall, ideally in KDE Connect itself.  You can enter the command lines in comment 0 or using the Firewall Configuration application check  kde-connect in Zones > Services. I documented the latter in https://community.kde.org/KDEConnect#Troubleshooting , but that still requires the user to search for and find the fix.
Comment 9 skierpage 2017-01-25 17:42:04 EST
(In reply to skierpage from comment #8)
> It would be nice to suggest that users must open ports in the firewall,
> ideally in KDE Connect itself.
I created https://phabricator.kde.org/T5191 , "KDE Connect should warn user if it can't open needed ports", referencing this bug.

Note You need to log in before you can comment on or make changes to this bug.