Description of problem:
When activating screen sharing in Fedora 26, the firewall remains active on those ports. Even using the firewall configuration tool to enable the "vnc-server" ports is not enough to get the service to work. Stopping firewalld makes it possible to connect.
Version-Release number of selected component (if applicable):
vino-3.22.0-2.fc26.src.rpm
control-center-3.24.3-1.fc26.src.rpm
firewalld-0.4.4.5-1.fc26.src.rpm
How reproducible: Always
Steps to Reproduce:
1. Start the "Sharing" control panel
2. Enable Screen Sharing
3. Connect from another machine using remote-viewer vnc://machine:5900
4. Use the Firewall configuration application (firewall-config)
5. Check that the vnc-server tick mark is off
6. Enable vnc-server, activate that configuration
7. Try to connect with remote-viewer again
8. Run 'systemctl stop firewalld'
9. Connect with remote-viewer. This time, it should work
Actual results: Unable to connect successfully at step 3 or 7.
Expected results: Activating screen sharing should open the corresponding ports.
Additional info:

I don't know what firewall-config is, but it's not installed by default, and unnecessary on Fedora Workstation.
$ sudo ls -l /etc/firewalld/
total 40
lrwxrwxrwx. 1 root root 26 Oct 29 2015 firewalld.conf -> firewalld-workstation.conf
You can double-check that the firewalld Workstation configuration is the default. For which this is the default configuration:
$ cat /usr/lib/firewalld/zones/FedoraWorkstation.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Fedora Workstation</short>
  <description>Unsolicited incoming network packets are rejected from port 1 to 1024, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <service name="samba-client"/>
  <port protocol="udp" port="1025-65535"/>
  <port protocol="tcp" port="1025-65535"/>
</zone>
Port 5900 is opened by default.
Which method of installation did you use to not get firewalld's Fedora Workstation configuration done correctly?

> I don't know what firewall-config is, but it's not installed by default,
> and unnecessary on Fedora Workstation.
It's a GUI to configure the firewall, which is the first thing that shows up if you search for "firewall" in the Software application. I used that only to illustrate that it too is confused by the configuration. The initial steps in my bug description did not use it.
My /etc/firewalld looks similar to yours:
[root@crazypad ~]# ls -l /etc/firewalld/
total 40
lrwxrwxrwx. 1 root root 26 Jul 6 00:24 firewalld.conf -> firewalld-workstation.conf
[Plus some others]
My firewalld-workstation.conf looks exactly like yours:
[root@crazypad ~]# cat /usr/lib/firewalld/zones/FedoraWorkstation.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Fedora Workstation</short>
  <description>Unsolicited incoming network packets are rejected from port 1 to 1024, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <service name="samba-client"/>
  <port protocol="udp" port="1025-65535"/>
  <port protocol="tcp" port="1025-65535"/>
</zone>
With firewalld activated, I cannot connect with VNC, and with telnet I get:
ddd@ptitpuce ~> telnet crazypad 5900
Trying 192.168.77.187...
telnet: connect to address 192.168.77.187: Connection refused
telnet: Unable to connect to remote host
ddd@ptitpuce ~>
With firewalld deactivated, I can connect:
[root@crazypad ~]# systemctl stop firewalld
[root@crazypad ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor pr
   Active: inactive (dead) since Mon 2017-10-16 10:37:50 CEST; 53s ago
     Docs: man:firewalld(1)
 Main PID: 17800 (code=exited, status=0/SUCCESS)
Connecting with VNC works. Telnet also:
ddd@ptitpuce ~> telnet crazypad 5900
Trying 192.168.77.187...
Connected to crazypad.dinechin.lan.
Escape character is '^]'.
RFB 003.007
^]
As for the method of installation, that was a regular installation from a USB key, with practically the default parameters for everything, except that on this machine, this is a triple-boot machine (Fedora, RHEL and Win10) with shared partitions for /home and swap between RHEL and Fedora. I have observed the same issue with several other installations.
I just tested on Fedora 25, and there it seems to work OK, so it may be a regression since F25.

I guess that the firewall-config application added additional firewall configuration, or firewalld is still badly set up. What's the output of:
$ sudo grep -i defaultzone /etc/firewalld/firewalld-workstation.conf
on your system? It should say:
DefaultZone=FedoraWorkstation

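Added example, not part of the bug report: a Python check that reads the DefaultZone setting asked about above and tests whether the FedoraWorkstation zone quoted in the thread has a <port> rule covering 5900/tcp. CONF_TEXT is a constructed sample, the function names are hypothetical, and only <port> elements are evaluated (service definitions and runtime rules are not).

```python
import re
import xml.etree.ElementTree as ET

# Zone file as quoted in the thread; <description> omitted for brevity.
ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Fedora Workstation</short>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <service name="samba-client"/>
  <port protocol="udp" port="1025-65535"/>
  <port protocol="tcp" port="1025-65535"/>
</zone>"""

# Constructed sample of the relevant firewalld.conf content (assumption).
CONF_TEXT = "# firewalld config file\nDefaultZone=FedoraWorkstation\n"

def default_zone(conf_text):
    """Return the DefaultZone value from firewalld.conf text, or None."""
    m = re.search(r"^\s*DefaultZone\s*=\s*(\S+)", conf_text, re.M | re.I)
    return m.group(1) if m else None

def zone_rules(zone_xml):
    """Return (service names, [(proto, low, high), ...]) from a zone file."""
    root = ET.fromstring(zone_xml.encode("utf-8"))
    services = [s.get("name") for s in root.findall("service")]
    ranges = []
    for p in root.findall("port"):
        # A port attribute is either a single port or a "low-high" range.
        low, _, high = p.get("port").partition("-")
        ranges.append((p.get("protocol"), int(low), int(high or low)))
    return services, ranges

def port_rule_allows(ranges, port, proto):
    """True if an explicit <port> element covers port/proto."""
    return any(pr == proto and lo <= port <= hi for pr, lo, hi in ranges)

def exposed_port_count(ranges, proto):
    """Number of distinct ports that <port> elements open for proto."""
    return len({p for pr, lo, hi in ranges if pr == proto
                for p in range(lo, hi + 1)})

if __name__ == "__main__":
    services, ranges = zone_rules(ZONE_XML)
    print("default zone:", default_zone(CONF_TEXT))
    print("services:", services)
    print("5900/tcp covered:", port_rule_allows(ranges, 5900, "tcp"))
    print("tcp ports opened:", exposed_port_count(ranges, "tcp"))
```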
This message is a reminder that Fedora 26 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '26'.
Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.
Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 26 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above.
Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

Fedora 26 changed to end-of-life (EOL) status on 2018-05-29. Fedora 26 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
The problem still occurred to me during the F28 -> F29 upgrade.
# grep -i defaultzone /etc/firewalld/firewalld-workstation.conf
DefaultZone=FedoraWorkstation
Reopening against F29. The process that shows the misconfiguration is firewall-config. The misconfiguration was applied by the F28->F29 update to a "home" zone I had created for the purpose of "protecting" this particular setting. Obviously, it did not work ;-)
Here are the firewall-related things I have installed:
firewall-config.noarch 0.6.3-1.fc29 @updates
firewalld.noarch 0.6.3-1.fc29 @updates
firewalld-filesystem.noarch 0.6.3-1.fc29 @updates
python3-firewall.noarch 0.6.3-1.fc29 @updates
Here are the VNC-related things I have:
gtk-vnc2.x86_64 0.9.0-2.fc29 @fedora
gvnc.x86_64 0.9.0-2.fc29 @fedora
libvncserver.x86_64 0.9.11-8.fc29 @fedora
tigervnc-license.noarch 1.9.0-3.fc29 @fedora
tigervnc-server-minimal.x86_64 1.9.0-3.fc29 @fedora
vino.x86_64 3.22.0-11.fc29 @fedora

This message is a reminder that Fedora 29 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 29 on 2019-11-26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '29'.
Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.
Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 29 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above.
Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

Fedora 29 changed to end-of-life (EOL) status on 2019-11-26. Fedora 29 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.