# New firewalld and nftables not working...

## The_Great_Sephiroth

OK, I have given this a few months, but I am stuck without a firewall. Since firewalld was updated to use nftables my systems are completely unprotected. This new nftables doesn't make sense to me yet, and firewalld is not managing my firewall any more despite being switched (at the factory) to use nftables. However, whenever I do "nft list tables" no tables are present. I am not seeing errors related to firewalld or nftables so I cannot begin troubleshooting that way either. It's like the forced upgrade of firewalld turned everything off.

Where do I begin with this new mess? I really need a firewall on our laptops. Iptables worked, but some genius decided that nftables was better and now nothing works. I cannot even make iptables work if I switch firewalld back to iptables via configuration. Help!

*UPDATE*

After switching back to nftables via configuration file and rebooting I now get an empty set of rules. Better than nothing but useless I think...

```

~ $ sudo nft list table firewalld

table ip firewalld {

        chain nat_PREROUTING {

                type nat hook prerouting priority -90; policy accept;

                jump nat_PREROUTING_ZONES_SOURCE

                jump nat_PREROUTING_ZONES

        }

        chain nat_PREROUTING_ZONES_SOURCE {

        }

        chain nat_PREROUTING_ZONES {

                iifname "wlp12s0" goto nat_PRE_home

                goto nat_PRE_public

        }

        chain nat_POSTROUTING {

                type nat hook postrouting priority 110; policy accept;

                jump nat_POSTROUTING_ZONES_SOURCE

                jump nat_POSTROUTING_ZONES

        }

        chain nat_POSTROUTING_ZONES_SOURCE {

        }

        chain nat_POSTROUTING_ZONES {

                oifname "wlp12s0" goto nat_POST_home

                goto nat_POST_public

        }

        chain nat_PRE_public {

                jump nat_PRE_public_log

                jump nat_PRE_public_deny

                jump nat_PRE_public_allow

        }

        chain nat_PRE_public_log {

        }

        chain nat_PRE_public_deny {

        }

        chain nat_PRE_public_allow {

        }

        chain nat_POST_public {

                jump nat_POST_public_log

                jump nat_POST_public_deny

                jump nat_POST_public_allow

        }

        chain nat_POST_public_log {

        }

        chain nat_POST_public_deny {

        }

        chain nat_POST_public_allow {

        }

        chain nat_PRE_work {

                jump nat_PRE_work_log

                jump nat_PRE_work_deny

                jump nat_PRE_work_allow

        }

        chain nat_PRE_work_log {

        }

        chain nat_PRE_work_deny {

        }

        chain nat_PRE_work_allow {

        }

        chain nat_POST_work {

                jump nat_POST_work_log

                jump nat_POST_work_deny

                jump nat_POST_work_allow

        }

        chain nat_POST_work_log {

        }

        chain nat_POST_work_deny {

        }

        chain nat_POST_work_allow {

        }

        chain nat_PRE_home {

                jump nat_PRE_home_log

                jump nat_PRE_home_deny

                jump nat_PRE_home_allow

        }

        chain nat_PRE_home_log {

        }

        chain nat_PRE_home_deny {

        }

        chain nat_PRE_home_allow {

        }

        chain nat_POST_home {

                jump nat_POST_home_log

                jump nat_POST_home_deny

                jump nat_POST_home_allow

        }

        chain nat_POST_home_log {

        }

        chain nat_POST_home_deny {

        }

        chain nat_POST_home_allow {

        }

}

```

It is supposed to allow SSH, samba, and a few others on a "home" network like mine. Appears to me that nothing is allowed...

On top of that, iptables is wide open!

```

~ $ sudo iptables -S

Password: 

-P INPUT ACCEPT

-P FORWARD ACCEPT

-P OUTPUT ACCEPT

~ $ sudo iptables -L

Chain INPUT (policy ACCEPT)

target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination

```

----------

## Hu

As an interim workaround, what about disabling firewalld and managing iptables without it?

----------

## The_Great_Sephiroth

I could, but it would be a nightmare. I change locations frequently with my job and different wireless networks have different settings. At the base I need at least three configurations and I need to remember to switch them when connecting.

I know NFT is supposed to replace iptables, but it agravates me that somebody wanted to fix something that wasn't broken. I just got a new laptop for work and I am currently configuring a kernel for it and dreading network protection to the point I have been searching for an alternative to firewalld, but have yet to find one. Hey, maybe I can run the Windows Firewall with WINE! It works!

----------

## Fitzcarraldo

I suppose you could try UFW (Uncomplicated Firewall) to see if that works for you. Its GUI front-end Gufw supports 'profiles', which I assume are similar to zones in firewalld. The default profiles in Gufw are 'Public', 'Home' and 'Office'. These can be individually renamed or deleted, and additional profiles can be created. There is a caveat, though: the user has to switch profiles manually via the GUI (I have not used firewalld, but am I correct in thinking it can be configured to switch zones automatically?). See https://help.ubuntu.com/community/Gufw and https://itsfoss.com/set-up-firewall-gufw/ for an overview of Gufw.

There is another caveat. Although UFW is in the Portage main tree, Gufw is not. Therefore I have cobbled together an ebuild for Gufw 19.10.0 that you could put in a local overlay on your machine and merge the package to try it out (the ebuild merges UFW if it is not already installed). I'm no expert in writing ebuilds, so I'm sure someone could tidy it up and produce something more sophisticated.

```
$ cat /usr/local/portage/net-firewall/gufw/gufw-19.10.0.ebuild 

# Copyright 1999-2019 Gentoo Foundation

# Distributed under the terms of the GNU General Public License v2

# $Header: $

EAPI=7

PYTHON_COMPAT=( python3_{5,6,7} )

DISTUTILS_IN_SOURCE_BUILD=1

inherit distutils-r1

MY_PN="gui-ufw"

MY_PV="$(ver_cut 1-2)"

DESCRIPTION="GUI frontend for managing ufw."

HOMEPAGE="https://gufw.org/"

SRC_URI="https://launchpad.net/${MY_PN}/trunk/${MY_PV}/+download/${MY_PN}-${PV}.tar.gz"

LICENSE="GPL-3"

SLOT="0"

KEYWORDS="~amd64"

IUSE=""

DEPEND="dev-python/python-distutils-extra"

RDEPEND="net-firewall/ufw

        x11-libs/gtk+:3[introspection]

        net-libs/webkit-gtk[introspection]

        dev-python/netifaces

        sys-auth/polkit

        x11-themes/gnome-icon-theme-symbolic

        dev-python/pygobject:3

"

S=${WORKDIR}/${MY_PN}-${PV}

pkg_postinst() {

        sed '/dist-packages/d' -i /usr/bin/gufw-pkexec

        sed -E '/\/share\//d' -i /usr/bin/gufw-pkexec

        local PYTHONVERSION="$(python -c 'import sys; print("{}.{}".format(sys.version_info.major, sys.version_info.minor))')"

        sed -E "s|python3\.[0-9]|python${PYTHONVERSION}|g" -i /usr/bin/gufw-pkexec

        sed -E 's|\/lib\/|\/lib64\/|g' -i /usr/bin/gufw-pkexec

}
```

If you're using an amd64 (Stable Branch) installation, you'll need to unmask the ebuild by keyword in order to be able to merge it:

```
$ cat /etc/portage/package.accept_keywords/gufw

=net-firewall/gufw-19.10.0 ~amd64
```

UFW has to be added to a runlevel:

```
# rc-update add ufw boot
```

Merging the Gufw package will create an entry 'Firewall Configuration' in the DE's application launcher menu, at least it does for me in KDE under 'Applications' > 'Settings'. You can also launch Gufw from the command line:

```
$ gufw
```

In either case a pop-up window will appear prompting you to enter the root user's password.

Although I have been using UFW in all my Gentoo installations for many years, I have used it either directly from the command line or via a different (and older) GUI front-end (net-firewall/ufw-frontends) that is in the main Portage tree but does not support profiles. Therefore I do not have experience using Gufw. From the little I've used Gufw as installed by this ebuild, it seems to be working correctly, but YMMV.

EDIT: Requires elogind rather than ConsoleKit.

----------

## The_Great_Sephiroth

I already ruled out UFW among others. You are correct in assuming that firewalld is automatic. In Plasma when you create a connection of any kind you may set the firewall zone, and those zones come from firewalld. So if I connect to a coffee shop WiFi I can set the zone to "Public" and be locked down, but when I connect at home things like SMB, SSH, and others are opened so stuff works. This is what made me fall in love with firewalld. I am currently learning about BSD and alternatives because so much in Linux is being forced on us anymore by Redhat. Firewalld broke due to them, systemd is here, and now they want to rip out the standard UNIX user/password setup and use a binary database and encrypt the home directories. I really do fear that Redhat will be the end of Linux as we know it. Sorry, didn't mean to rant, just aggravated with the problems that all go back to Redhat.

I am almost done configuring a kernel on my new laptop (Latitude E5440) and will see if the issue is gone and either netfilter or iptables works then.

----------

## Fitzcarraldo

No worries. We share many of the same sentiments. In fact, although firewalld is more sophisticated that UFW in some areas -- zones being one example -- I personally steered clear of firewalld because it is developed and maintained by freedesktop.org. As I have previously written a few times in these forums, I get nervous when I come across software developed by freedesktop.org. The problem seems to be that, more or less, Red Hat developers ≡ GNOME developers ≡ freedesktop.org developers. Any mention of any of those three in conjunction with anything in Linux makes me leery. Precisely because of that I was quite surprised when you first posted some time ago that you wanted to use firewalld. The problem with the Red Hat/freedesktop.org/GNOME hegemony is that it tends to stifle alternatives; I personally have been wondering about the long-term future of third-party alternatives such as UFW.

Anyway, here is a comparison of UFW and firewalld that other readers of this thread might find helpful: UFW vs FirewallD. And here is an article on switching from firewalld to UFW that also comments on the differences between the two: How to switch firewalls from FirewallD to UFW.

----------

## The_Great_Sephiroth

Odd how that works then, since KDE is by far the most widely used DE and Gnome is always playing second fiddle. Anyway, I will read those articles soon. Thanks for the links!

----------

## Fitzcarraldo

 *The_Great_Sephiroth wrote:*   

> Odd how that works then, since KDE is by far the most widely used DE and Gnome is always playing second fiddle.

 

I have previously read that KDE is more popular than GNOME, but the various articles and posts I have seen on the subject refer to polls with tiny samples, such as a January 2018 LinuxQuestions poll with only 327 respondents. Also, I have a feeling that most of these polls are on Web sites that cater primarily for Linux enthusiasts or non-professional users rather than corporations or organisations. I think that businesses and organisations that use a lot of Linux workstations would not participate in polls on such sites. My guess is that a lot of Linux installations supported under contract by Red Hat and Canonical in corporations and governmental organisations are GNOME-based rather than KDE-based. Therefore I take DE user polls on Linux enthusiast sites with a pinch of salt. I only know a handful of Linux users personally, but all of them use distributions that have GNOME as the default DE, and they use their laptops professionally.

 *The_Great_Sephiroth wrote:*   

> You are correct in assuming that firewalld is automatic. In Plasma when you create a connection of any kind you may set the firewall zone, and those zones come from firewalld. So if I connect to a coffee shop WiFi I can set the zone to "Public" and be locked down, but when I connect at home things like SMB, SSH, and others are opened so stuff works.

 

You have got me thinking about adding zones to UFW which can be triggered automatically. I am going to have a go myself, to scratch an itch. I think it should be do-able without too much effort.

UFW supports profiles (which are distinct from Gufw's profiles /etc/gufw/*.profile). UFW profile files are placed in the directory /etc/ufw/applications.d/ and can either be created by the end-user or installed by UFW or a UFW front-end. For example, I found a pre-canned UFW profile for Samba on the machine I'm using at the moment running Lubuntu:

```
$ cat /etc/ufw/applications.d/samba

[Samba]

title=LanManager-like file and printer server for Unix

description=The Samba software suite is a collection of programs that implements the SMB/CIFS protocol for unix systems, allowing you to serve files and printers to Windows, NT, OS/2 and DOS clients. This protocol is sometimes also referred to as the LanManager or NetBIOS protocol.

ports=137,138/udp|139,445/tcp
```

Some years ago a guy going by the handle of jhansonxi published a bunch of UFW profiles for many applications:

http://jhansonxi.blogspot.com/2013/03/latest-batch-of-ufw-application-profiles.html

Indeed, when I installed Gufw 19.10.0 using my ebuild, the package installed all those profile files in the directory /etc/gufw/app_profiles/ and these can be selected via the Gufw GUI (see etc/gufw/app-profiles).

Now, NetworkManager has the ability to lunch hook scripts, and I've used NetworkManager Dispatcher myself for various purposes. For example, I configured NetworkManager to launch a script at startup to synchronise the clock on my laptops. NetworkManager Dispatcher can be used for any purpose; for example to automatically change a firewall profile depending on which network the machine is connecting to:

http://sysadminsjourney.com/content/2008/12/18/use-networkmanager-launch-scripts-based-network-location/

So I am going to create some UFW profile files (see 'how do you create an app profile for ufw?') for specific traffic according to which networks my laptop will be connected, and write a NetworkManager Dispatcher hook script to run the UFW commands to allow or deny the relevant profiles. For example, the NetworkManager Dispatcher hook script could do something along the following lines if it detects that my laptop is in a public location (café, airport or wherever):

```
[...]

ufw deny home

ufw deny office

ufw allow public

[...]
```

Anyway, I will see if I can come up with something useful for my laptops.

----------

## The_Great_Sephiroth

Not sure about DE usage then. Only time I have EVER run across Gnome was in the wild where some noob switched from Windows to Ubuntu. For the few companies I have been at that run Linux as a desktop they all had some flavor of KDE or Plasma. I would be interested in a good survey myself. I used both and always preferred KDE. Also tried LXDE and XFCE for a while.

Let me know how this attempt goes. Seems to be overkill to make built-in functionality work, but crap happens! I just got the new laptop up so I will be testing it soon.

----------

## Fitzcarraldo

 *The_Great_Sephiroth wrote:*   

> I used both and always preferred KDE. Also tried LXDE and XFCE for a while.

 

Can't say I'm a fan of GNOME. I could tolerate GNOME 2 but I really dislike GNOME 3. I've had various machines running KDE{3,4,5}, GNOME{2,3}, Xfce, E{16,17}, LXDE and LXQt, but always preferred KDE. Mind you, some things in KDE 5 annoy me, and I'm somewhat concerned about the direction in which KDE is moving.

 *The_Great_Sephiroth wrote:*   

> Let me know how this attempt goes. Seems to be overkill to make built-in functionality work, but crap happens! I just got the new laptop up so I will be testing it soon.

 

I hope you managed to get firewalld working again, but I did manage to scratch my itch; I have created a NetworkManager Dispatcher hook script than enables me to define firewall zones in UFW and automatically switch zones depending on the network connection. OK, it's not as fancy as firewalld and the Connections system settings module in KDE, but it does work fine on my laptops running KDE (it's DE independent). The long story is given in my blog post 'Firewall zones (profiles) in Linux, and how to switch them automatically if you use UFW'. The short story is that I created a script named /etc/NetworkManager/dispatcher.d/20_ufw-zones with the following contents (connection names and zone names changed to preserve anonymity):

```
#!/bin/bash

INTERFACE=$1

STATUS=$2

WIRED=enp4s0f1

WIFI=wlp3s0

CT_helper_rule() {

    echo "# The following is needed to enable Samba commands to" >> /etc/ufw/before.rules

    echo "# work properly for broadcast NetBIOS name resolution" >> /etc/ufw/before.rules

    echo "#"  >> /etc/ufw/before.rules

    echo "# raw table rules" >> /etc/ufw/before.rules

    echo "*raw" >> /etc/ufw/before.rules

    echo ":OUTPUT ACCEPT [0:0]" >> /etc/ufw/before.rules

    echo "-F OUTPUT" >> /etc/ufw/before.rules

    echo "-A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns" >> /etc/ufw/before.rules

    echo "COMMIT" >> /etc/ufw/before.rules

}

 

select_zone() {

    ufw --force reset

    ufw --force enable

    ZONE=$1

    case "$ZONE" in

    'Home')

        ufw default deny incoming

        ufw default allow outgoing

        #

        # Rules for SMB

        ufw allow from 192.168.1.0/24 to any port 137,138 proto udp

        ufw allow from 192.168.1.0/24 to any port 139,445 proto tcp

        CT_helper_rule

        #

        # Rules for KDEConnect

        ufw allow from 192.168.1.0/24 to any port 1714:1764 proto udp

        ufw allow from 192.168.1.0/24 to any port 1714:1764 proto tcp

    ;;

    'Office')

        ufw default deny incoming

        ufw default allow outgoing

    ;;

    'Public')

        ufw default reject incoming

        ufw default allow outgoing

    ;;

    'JohnsHouse')

        ufw default deny incoming

        ufw default allow outgoing

        #

        # Rules for SMB

        ufw allow from 192.168.42.0/24 to any port 137,138 proto udp

        ufw allow from 192.168.42.0/24 to any port 139,445 proto tcp

        CT_helper_rule

        #

        # Rules for KDEConnect

        ufw allow from 192.168.42.0/24 to any port 1714:1764 proto udp

        ufw allow from 192.168.42.0/24 to any port 1714:1764 proto tcp

    ;;

    esac

    ufw --force reload

    rm /etc/ufw/*.rules.20* # Delete backups of *.rules files ufw makes every time it is reset

    echo -n `date +"[%F %T %Z]"` >> /var/log/ufw-zones.log

    echo " Zone $ZONE selected for connection $ACTIVE on interface $INTERFACE." >> /var/log/ufw-zones.log

}

 

# Check if either the wired or wireless interface is up

if [ "$INTERFACE" = "$WIRED" -o "$INTERFACE" = "$WIFI" ] && [ "$STATUS" = "up" ]; then

 

    # Check if a single connection is active

    if [ `nmcli c | grep -v "\-\-" | grep -v "NAME.*UUID.*TYPE.*DEVICE" | wc -l` -eq 1 ]; then

 

        # Ascertain the name of the active connection

        ACTIVE=`nmcli c | grep -v "\-\-" | grep -v "NAME.*UUID.*TYPE.*DEVICE" | awk -F' ' '{print $1}'`

 

        case "$ACTIVE" in

 

        'eth0')

            ZONE="Home"

        ;;

        'POR1-wired')

            ZONE="Office"

        ;;

        'BTHub5-8EUQ')

            ZONE="Home"

        ;;

        'BTHub5-8EUQ-5GHz')

            ZONE="Home"

        ;;

        'John1')

            ZONE="JohnsHouse"

        ;;

        'GRAND MERCURE')

            ZONE="Public"

        ;;

        *)

            # If connection name is not in above list

            ZONE="Public"

        ;;

        esac

        select_zone $ZONE

        exit $?

    fi

fi
```

The log file it generates is self-explanatory:

```
$ cat /var/log/ufw-zones.log 

[2019-09-30 20:13:52 BST] Zone Home selected for connection eth0 on interface enp4s0f1.

[2019-10-01 22:59:18 BST] Zone Home selected for connection BTHub5-8EUQ-5GHz on interface wlp3s0.

[2019-10-02 17:59:23 EDT] Zone Public selected for connection loganwifi on interface wlp3s0.

[2019-10-03 10:12:46 EDT] Zone Office selected for connection POR1-wired on interface enp4s0f1.
```

It is easy to edit the script to add/delete/change/edit connections and zones. Now that i am using this script I will steer clear of the UFW GUI frontends Gufw and ufw-frontends. Gufw has its own configuration files and can get out of sync with UFW if UFW commands and Gufw are both used. ufw-frontends does not support zones anyway. More explanation is given in my blog post.

----------

## The_Great_Sephiroth

That is really cool! I will read your page and may document it myself for a backup solution. You know, in case bad things happen such as systemd invading Plasma or another component.

Also, I agree with the concern for the direction KDE is going. I can switch if I need to, but Plasma currently has EVERYTHING that I need. I love things like K3b and KDEnlive. However, I would drop them FAST if they depended on systemd!

Anyway, we ordered a 2TB SSD (560/540 MB/sec) for the laptop so I am on hold until it arrives. Once I rebuild the system onto the SSD I will report back.

----------

