Bug 1499280 - Enabling screen sharing does not correctly set the firewall
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: gnome-remote-desktop
Version: 29
Hardware: Unspecified
OS: Unspecified
Assignee: Jonas Ådahl
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-10-06 15:14 UTC by Christophe de Dinechin
Modified: 2019-11-27 21:23 UTC (History)

Last Closed: 2019-11-27 21:23:02 UTC
Type: Bug


Description Christophe de Dinechin 2017-10-06 15:14:07 UTC
Description of problem: When activating screen sharing in Fedora 26, the firewall remains active on those ports. Even using the firewall configuration tool to enable the "vnc-server" ports is not enough to get the service to work. Stopping firewalld makes it possible to connect.


Version-Release number of selected component (if applicable):
vino-3.22.0-2.fc26.src.rpm
control-center-3.24.3-1.fc26.src.rpm
firewalld-0.4.4.5-1.fc26.src.rpm

How reproducible: Always


Steps to Reproduce:
1. Start the "Sharing" control panel
2. Enable Screen Sharing
3. Connect from another machine using remote-viewer vnc://machine:5900
4. Use the Firewall configuration application (firewall-config)
5. Check that the vnc-server tick mark is off
6. Enable vnc-server, activate that configuration
7. Try to connect with remote-viewer again
8. Run 'systemctl stop firewalld'
9. Connect with remote-viewer. This time, it should work

Actual results:
Unable to connect successfully at step 3 or 7.

Expected results:
Activating screen sharing should open the corresponding ports.

Additional info:

Comment 1 Bastien Nocera 2017-10-13 12:03:58 UTC
I don't know what firewall-config is, but it's not installed by default, and unnecessary on Fedora Workstation.

$ sudo ls -l /etc/firewalld/
total 40
lrwxrwxrwx. 1 root root   26 Oct 29  2015 firewalld.conf -> firewalld-workstation.conf

You can double-check that the firewalld Workstation configuration is the default. For which this is the default configuration:
$ cat /usr/lib/firewalld/zones/FedoraWorkstation.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Fedora Workstation</short>
  <description>Unsolicited incoming network packets are rejected from port 1 to 1024, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <service name="samba-client"/>
  <port protocol="udp" port="1025-65535"/>
  <port protocol="tcp" port="1025-65535"/>
</zone>

Port 5900 is opened by default. Which method of installation did you use to not get firewalld's Fedora Workstation configuration done correctly?

Comment 2 Christophe de Dinechin 2017-10-16 08:40:54 UTC
> I don't know what firewall-config is, but it's not installed by default,
> and unnecessary on Fedora Workstation.

It's a GUI to configure the firewall, which is the first thing that shows up if you search for "firewall" in the Software application. I used that only to illustrate that it too is confused by the configuration. The initial steps in my bug description did not use it.

My /etc/firewalld looks similar to yours

[root@crazypad ~]# ls -l /etc/firewalld/
total 40
lrwxrwxrwx. 1 root root   26 Jul  6 00:24 firewalld.conf -> firewalld-workstation.conf
[Plus some others]

My firewalld-workstation.conf looks exactly like yours:

[root@crazypad ~]# cat /usr/lib/firewalld/zones/FedoraWorkstation.xml 
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Fedora Workstation</short>
  <description>Unsolicited incoming network packets are rejected from port 1 to 1024, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <service name="samba-client"/>
  <port protocol="udp" port="1025-65535"/>
  <port protocol="tcp" port="1025-65535"/>
</zone>

With firewalld activated, I cannot connect with VNC, and with telnet I get:

ddd@ptitpuce ~> telnet crazypad 5900
Trying 192.168.77.187...
telnet: connect to address 192.168.77.187: Connection refused
telnet: Unable to connect to remote host
ddd@ptitpuce ~> 


With firewalld deactivated, I can connect:

[root@crazypad ~]# systemctl stop firewalld
[root@crazypad ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor pr
   Active: inactive (dead) since Mon 2017-10-16 10:37:50 CEST; 53s ago
     Docs: man:firewalld(1)
 Main PID: 17800 (code=exited, status=0/SUCCESS)


Connecting with VNC works. Telnet also:

ddd@ptitpuce ~> telnet crazypad 5900
Trying 192.168.77.187...
Connected to crazypad.dinechin.lan.
Escape character is '^]'.
RFB 003.007
^]

As for the method of installation, that was a regular installation from a USB key, with practically the default parameters for everything, except that on this machine, this is a triple-boot machine (Fedora, RHEL and Win10) with shared partitions for /home and swap between RHEL and Fedora. I have observed the same issue with several other installations. I just tested on Fedora 25, and there it seems to work OK, so it may be a regression since F25.

Comment 3 Bastien Nocera 2017-10-16 12:20:44 UTC
I guess that the firewall-config application added additional firewall configuration, or firewalld is still badly set up.

What's the output of:
$ sudo grep -i defaultzone /etc/firewalld/firewalld-workstation.conf
on your system?

It should say:
DefaultZone=FedoraWorkstation

Comment 4 Fedora End Of Life 2018-05-03 08:34:43 UTC
This message is a reminder that Fedora 26 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 26. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
of '26'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 26 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Comment 5 Fedora End Of Life 2018-05-29 11:56:30 UTC
Fedora 26 changed to end-of-life (EOL) status on 2018-05-29. Fedora 26
is no longer maintained, which means that it will not receive any
further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 6 Christophe de Dinechin 2019-03-07 13:41:55 UTC
The problem still occurred to me during the F28 -> F29 upgrade.

#  grep -i defaultzone /etc/firewalld/firewalld-workstation.conf
DefaultZone=FedoraWorkstation

Reopening against F29.

The process that shows the misconfiguration is firewall-config.
The misconfiguration was applied by the F28->F29 update to a
"home" zone I had created for the purpose of "protecting" this
particular setting. Obviously, it did not work ;-)

Here are the firewall-related things I have installed:
firewall-config.noarch                0.6.3-1.fc29        @updates              
firewalld.noarch                      0.6.3-1.fc29        @updates              
firewalld-filesystem.noarch           0.6.3-1.fc29        @updates              
python3-firewall.noarch               0.6.3-1.fc29        @updates              

Here are the VNC-related things I have:
gtk-vnc2.x86_64                           0.9.0-2.fc29                   @fedora
gvnc.x86_64                               0.9.0-2.fc29                   @fedora
libvncserver.x86_64                       0.9.11-8.fc29                  @fedora
tigervnc-license.noarch                   1.9.0-3.fc29                   @fedora
tigervnc-server-minimal.x86_64            1.9.0-3.fc29                   @fedora
vino.x86_64                        3.22.0-11.fc29                        @fedora

Comment 7 Ben Cotton 2019-10-31 19:50:40 UTC
This message is a reminder that Fedora 29 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 29 on 2019-11-26.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '29'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 29 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 8 Ben Cotton 2019-11-27 21:23:02 UTC
Fedora 29 changed to end-of-life (EOL) status on 2019-11-26. Fedora 29 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
