Bug 1215494

Summary: enabling firewall in yast2 does nothing: still empty iptables ruleset after reboot
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Olli Artemjev <grey-olli>
Component: YaST2
Assignee: E-mail List <yast2-maintainers>
Status: RESOLVED INVALID
QA Contact: Jiri Srain <jsrain>
Severity: Major
Priority: P5 - None
Version: Current
Target Milestone: ---
Hardware: x86-64
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Olli Artemjev 2023-09-19 23:11:02 UTC
How to reproduce:
Open YaST2 via KDE menu, proceed to firewall configuration (in Russian called "Брандмауэр"), run it, enable firewall on boot, choose Accept w/o changing actual port or service or zone values.

Expected results:

After reboot, iptables -nvL shows some rules.

Actual results:
----> 01:21:41 Wed Sep 20 olli@digma ~
$ sudo iptables -nvL
[sudo] пароль для root: 
Chain INPUT (policy ACCEPT 89589 packets, 86M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 92144 packets, 18M bytes)
 pkts bytes target     prot opt in     out     source               destination         
----> 01:21:54 Wed Sep 20 olli@digma ~
$ sudo ip6tables -nvL
Chain INPUT (policy ACCEPT 327 packets, 24605 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 263 packets, 19661 bytes)
 pkts bytes target     prot opt in     out     source               destination         
----> 01:22:05 Wed Sep 20 olli@digma ~
$ 


Russian locale partially applied, if this matters:
----> 01:24:19 Wed Sep 20 olli@digma ~
$ echo $LANG
en_US.UTF-8
----> 01:26:23 Wed Sep 20 olli@digma ~
$ echo $LC_ALL
en_US.UTF-8
----> 01:26:30 Wed Sep 20 olli@digma ~
$ env |grep -i ru
COLORTERM=truecolor
LANGUAGE=ru:ru:ru:ru:en_US:ru
XAUTHORITY=/run/user/1000/xauth_ySJFlv
XKB_DEFAULT_LAYOUT=us,ru
PAM_KWALLET5_LOGIN=/run/user/1000/kwallet5.socket
LC_CTYPE=ru_RU.UTF-8
XDG_RUNTIME_DIR=/run/user/1000
LC_COLLATE=ru_RU.UTF-8
KDE_FULL_SESSION=true
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
PROFILEREAD=true
----> 01:26:36 Wed Sep 20 olli@digma ~
$ 

I'm not aware that my laptop is cracked by someone, but a firewall that doesn't want to start is a bad thing.

I can return to the firewall being enabled by a custom script I wrote a long time ago, but I was glad to use the OpenSuSE defaults.

Other settings that may relate to the problem:

----> 01:32:53 Wed Sep 20 olli@digma ~
$ cat /etc/sysconfig/network/config |grep -i iptables
----> 01:35:03 Wed Sep 20 olli@digma ~
$ cat /etc/sysconfig/network/config |grep -i firewall
# With this variable you can determine if the SuSEfirewall when enabled
FIREWALL="yes"
----> 01:35:08 Wed Sep 20 olli@digma ~
$ cat /etc/sysconfig/firewalld
# firewalld command line args
# possible values: --debug
FIREWALLD_ARGS=
----> 01:35:32 Wed Sep 20 olli@digma ~
$

----> 01:38:41 Wed Sep 20 olli@digma ~
$ systemctl list-units --all |grep -i firewall
  firewalld.service                                                                                     loaded    active   running   firewalld - dynamic firewall daemon
----> 01:39:25 Wed Sep 20 olli@digma ~
$ systemctl list-units --all |grep -i iptables
● iptables.service                                                                                      not-found inactive dead      iptables.service
----> 01:39:30 Wed Sep 20 olli@digma ~
$ 
----> 01:39:30 Wed Sep 20 olli@digma ~
$ systemctl list-units --all |grep -i ip6tables
● ip6tables.service                                                                                     not-found inactive dead      ip6tables.service
----> 01:40:27 Wed Sep 20 olli@digma ~
$ 

----> 01:41:12 Wed Sep 20 olli@digma ~
$ cat /etc/*release*
NAME="openSUSE Tumbleweed"
# VERSION="20230914"
ID="opensuse-tumbleweed"
ID_LIKE="opensuse suse"
VERSION_ID="20230914"
PRETTY_NAME="openSUSE Tumbleweed"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:tumbleweed:20230914"
BUG_REPORT_URL="https://bugzilla.opensuse.org"
SUPPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org"
DOCUMENTATION_URL="https://en.opensuse.org/Portal:Tumbleweed"
LOGO="distributor-logo-Tumbleweed"
----> 01:47:24 Wed Sep 20 olli@digma ~
$ 

----> 01:51:20 Wed Sep 20 olli@digma ~
$ sudo ls /etc/firewalld/
firewalld.conf  helpers  icmptypes  ipsets  lockdown-whitelist.xml  lockdown-whitelist.xml.old  policies  services  zones
----> 01:51:53 Wed Sep 20 olli@digma ~
$ 

----> 01:59:20 Wed Sep 20 olli@digma ~
$ sudo cat /etc/firewalld/firewalld.conf|grep -v ^\#

DefaultZone=public

CleanupOnExit=yes

CleanupModulesOnExit=no

Lockdown=no

IPv6_rpfilter=yes

IndividualCalls=no

LogDenied=off

FirewallBackend=nftables

FlushAllOnReload=no

RFC3964_IPv4=yes

NftablesFlowtable=off

NftablesCounters=no
----> 01:59:54 Wed Sep 20 olli@digma ~
$ sudo whereis nftables
nftables: /etc/nftables
----> 02:00:09 Wed Sep 20 olli@digma ~
$ ls -lRa /etc/nftables/
/etc/nftables/:
итого 20
drwxr-xr-x   3 root root  4096 Aug 12 19:19 .
drwxr-xr-x 175 root root 12288 Sep 17 01:17 ..
drwxr-xr-x   2 root root  4096 Aug 12 19:19 osf

/etc/nftables/osf:
итого 40
drwxr-xr-x 2 root root  4096 Aug 12 19:19 .
drwxr-xr-x 3 root root  4096 Aug 12 19:19 ..
-rw-r--r-- 1 root root 28884 Aug 12 19:19 pf.os
----> 02:00:27 Wed Sep 20 olli@digma ~
$ 

$ sudo systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; preset: disabled)
     Active: active (running) since Tue 2023-09-19 16:13:04 MSK; 9h ago
       Docs: man:firewalld(1)
   Main PID: 1956 (firewalld)
      Tasks: 2 (limit: 4915)
        CPU: 847ms
     CGroup: /system.slice/firewalld.service
             └─1956 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid

Sep 19 16:13:04 digma systemd[1]: Starting firewalld - dynamic firewall daemon...
Sep 19 16:13:04 digma systemd[1]: Started firewalld - dynamic firewall daemon.
----> 02:02:34 Wed Sep 20 olli@digma ~
$ 

The last command shows that firewalld is loaded, but its configuration is set to nftables, and the nftables binary is not present in the system, at least not with these PATH values:

digma:/home/olli # env|grep ^PATH
PATH=/sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/usr/bin:/bin
digma:/home/olli # whereis nftables
nftables: /etc/nftables
digma:/home/olli # ls -ld /etc/nftables
drwxr-xr-x 3 root root 4096 Aug 12 19:19 /etc/nftables
digma:/home/olli #

BTW: are there recommended OpenSuSE-specific tools to check the system for being cracked? ?-) At least I see no evidence that the system behaves badly, except that it lost the ability to apply firewall rules.
Comment 1 Thorsten Kukuk 2023-09-20 05:27:05 UTC
firewalld is not using iptables (which are deprecated), so iptables will not show you anything. Your expectation here is wrong.

It is best to use the firewall-cmd tool to inspect your setup, or else nft.
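The following check script is an added example, not part of this bug report and not openSUSE or firewalld code. It captures the point made in Comment 1: an empty `iptables -nvL` listing says nothing about whether the host is protected when firewalld runs with `FirewallBackend=nftables`, so a defender should read the backend from firewalld.conf and inspect the ruleset with the matching tool. The firewalld.conf excerpt and the iptables output embedded below are copied from the report as constructed sample input; `nft list ruleset`, `iptables -nvL` and `firewall-cmd --list-all` are the real commands of those tools. The function names (`firewalld_backend`, `ruleset_list_cmd`, `iptables_rule_count`, `firewall_verdict`) are this example's own.

```shell
#!/bin/sh
# Added example: pick the right inspection tool for the configured firewalld
# backend instead of trusting an empty iptables listing.

# Constructed sample: the non-comment lines of firewalld.conf from the report.
SAMPLE_FIREWALLD_CONF='
DefaultZone=public

FirewallBackend=nftables

LogDenied=off
'

# Constructed sample: the iptables -nvL output from the report (no rules).
SAMPLE_IPTABLES_OUTPUT='Chain INPUT (policy ACCEPT 89589 packets, 86M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 92144 packets, 18M bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Print the FirewallBackend value found in firewalld.conf text ($1).
# Prints "unset" when the key is absent.
firewalld_backend() {
    backend=$(printf '%s\n' "$1" | sed -n 's/^FirewallBackend=[[:space:]]*//p' | tail -n 1)
    if [ -n "$backend" ]; then printf '%s\n' "$backend"; else printf 'unset\n'; fi
}

# Map a backend name ($1) to the command that lists the rules it installs.
# With the nftables backend, iptables -nvL is expected to be empty even
# though firewalld is active; only nft (or firewall-cmd) shows the ruleset.
ruleset_list_cmd() {
    case "$1" in
        nftables) printf 'nft list ruleset\n' ;;
        iptables) printf 'iptables -nvL\n' ;;
        *)        printf 'firewall-cmd --list-all\n' ;;
    esac
}

# Count actual rule lines in iptables -nvL output ($1): skip "Chain ..."
# headers, the column-header line and blank lines. awk always exits 0.
iptables_rule_count() {
    printf '%s\n' "$1" | awk '!/^Chain / && !/^ *pkts / && NF > 0 { n++ } END { print n + 0 }'
}

# One-line verdict combining the backend and the iptables rule count.
firewall_verdict() {
    backend=$(firewalld_backend "$1")
    count=$(iptables_rule_count "$2")
    printf 'firewalld backend=%s; iptables -nvL shows %s rules; inspect with: %s\n' \
        "$backend" "$count" "$(ruleset_list_cmd "$backend")"
}

# Stand-alone demo on the constructed samples, plus a live check for the tools.
firewall_verdict "$SAMPLE_FIREWALLD_CONF" "$SAMPLE_IPTABLES_OUTPUT"
for tool in nft firewall-cmd iptables; do
    if command -v "$tool" >/dev/null 2>&1; then
        printf '%s: found at %s\n' "$tool" "$(command -v "$tool")"
    else
        printf '%s: not in PATH\n' "$tool"
    fi
done
```

On the reporter's machine the verdict line would read `firewalld backend=nftables; iptables -nvL shows 0 rules; inspect with: nft list ruleset`, which is exactly the situation described above: the daemon is running and the zero rule count in iptables is the expected view, not evidence of a missing firewall. The tool loop only reports what is in PATH; it does not change anything.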