Created attachment 1216453 [details] Log file of an attempted connection Description of problem: connecting to a VPN PPTP server is impossible with firewalld activated Version-Release number of selected component (if applicable): 0.4.3.3-1.fc24 How reproducible: allways Steps to Reproduce: 1. Try to connect to a VPN PPTP server 2. LCP: timeout sending Config-Requests (see log) 3. Connection is not sucessful Actual results: no connection to the VPN PPTP server Expected results: connection to the VPN PPTP server Additional info: the connection is successful if firewalld service is stopped; the same configuration worked fine with Fedora 22 (not tested in Fedora 23); tried to load nf_conntrack_pptp and nf_nat_pptp kernel modules but did not solve the problem
Please have a look at firewalld version 0.4.4.1. This will be available in testing soon and should fix this issue.
firewalld-0.4.4.1-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-d2828a4793
firewalld-0.4.4.1-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-8d90406113
firewalld-0.4.4.1-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-c57b0ba2d4
firewalld-0.4.4.1-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-d2828a4793
firewalld-0.4.4.1-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-c57b0ba2d4
firewalld-0.4.4.1-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-8d90406113
firewalld-0.4.4.1-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
I'm sorry, but I installed firewalld-0.4.4.1-1.fc24 and it did not fix the bug. I still got the message "LCP: timeout sending Config-Requests" and connection is unsuccessful. Again, if the firewall is disabled, connection is successful.
Like Alexandre above, I installed firewalld-0.4.4.1-1.fc24 and it has not fixed this issue. If net.netfilter.nf_conntrack_helper = 1 (see https://bugzilla.redhat.com/show_bug.cgi?id=1373014, which I raised), then making a VPN pptp connection works fine. However, if net.netfilter.nf_conntrack_helper = 0, then the connection times out. This behaviour is exactly the same as the previous version of the firewall (which on Fedora24 was firewalld-0.4.3.3-1.fc24). The update notes state that: ---- Automatic helper assignment has been disabled in kernel 4.7. firewalld version 0.4.4 is now able to recognize this and to create rules if automatic helper assignment has been turned off to make conntrack helpers work again. ----- but that does not appear to be the case. If automatic helper assignment is turned off (that is, net.netfilter.nf_conntrack_helper = 0), then the VPN pptp connection fails.
firewalld 0.4.4 is providing support for net.netfilter.nf_conntrack_helper=0 within firewalld. But if you connect to a VPN pptp server with NetworkManager, then NM is taking care about the connection and loads the pptp conntrack helper module. firewalld is not directly involved. It seems that it is also needed to add support for the disabled automatic helper assignment in NetworkManager.
There is also a SELinux issue: Please have a look at http://people.redhat.com/twoerner/firewalld/0.4.4.1-1/ There you can find an additional policy module definition file for SELinux: firewalld-0.4.4.te It only allows firewalld to search and analyse if there are usable netfilter conntrack helpers: allow firewalld_t modules_object_t:dir { getattr open search read }; Please have a look at the file SELINUX.README to be able to enable and use the module.
Re Comment 11 about NetworkManger. Thanks Thomas, I didn't realize that NM was dealing with the connection without involving firewalld. There's already an outstanding bug (https://bugzilla.redhat.com/show_bug.cgi?id=1375006) on NM-pptp, so I'll add a comment there. Unfortunately, that bug seems to have been open for 2 months with no input from the assignee :-( Anyway, thanks for your work on firewalld!
Thomas, thanks for your help. Seems that the change in conntrack helper default setting is the cause of a lot of bugs here!
firewalld-0.4.4.2-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-3dd8b5f4e1
firewalld-0.4.4.2-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-b566ecf579
firewalld-0.4.4.2-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b566ecf579
firewalld-0.4.4.2-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-3dd8b5f4e1
firewalld-0.4.4.2-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
firewalld-0.4.4.2-2.fc23 selinux-policy-3.13.1-158.25.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-8a0533d057
firewalld-0.4.4.2-2.fc23, selinux-policy-3.13.1-158.25.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-8a0533d057
This message is a reminder that Fedora 24 is nearing its end of life. Approximately 2 (two) weeks from now Fedora will stop maintaining and issuing updates for Fedora 24. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '24'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 24 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 24 changed to end-of-life (EOL) status on 2017-08-08. Fedora 24 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.