I have been looking for a replacement for shorewall, and determined to try firewalld. The user can configure it from a GUI (firewall-config), or from the command line. The latter means one can also write scripts for it. Great! So I have installed Bookworm, firewalld, and Network Manager (NM) on a Lenovo T61 laptop to experiment.
What I found out was that firewalld is integrated into NM. Woo Hoo! This means I can reduce the scripting I have done for NM.

A bit of explanation: Laptops in particular travel, and get attached to different networks. One may have different services one may wish to provide or not, depending on the network. For example, I allow SSH logins to my laptops when they are on my home network, but nowhere else. Firewalld lets one define zones, and several are provided by the firewalld package. The two I use are "home", which I use at home, and "public", for elsewhere.

With shorewall, I had to script the firewall selection for NM. Not so for firewalld; it's built in to NM. In NM, edit a connection. Go to the General tab. You should see a line for "Firewall zone". Select "home" for your home connection, otherwise leave the zone as default. To make this work, specify as part of your setup a default zone. I use "public" for that. By setting the default to "public", you should automatically get the public zone when you connect to new networks.

As mentioned, you can do this from the command line, or script all this. It's a lot of typing, but the results are self-documenting. E.g.:

    root@orca:~# firewall-cmd --set-default-zone=public
    success
    root@orca:~# firewall-cmd --get-default-zone
    public
    root@orca:~# firewall-cmd --list-all --zone=public
    public
      target: default
      icmp-block-inversion: no
      interfaces:
      sources:
      services: dhcpv6-client
      ports:
      protocols:
      forward: yes
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:
    root@orca:~# firewall-cmd --list-all --zone=home
    home (active)
      target: default
      icmp-block-inversion: no
      interfaces: wls3
      sources:
      services: mdns samba-client ssh syncthing
      ports:
      protocols:
      forward: yes
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:
    root@orca:~#

If you have multiple laptops (or only one but want repeatability), you can script your home connections. E.g.:

    nmcli con add con-name NetworkName ifname "${wif}" type wifi ssid NetworkName
    nmcli con modify NetworkName wifi-sec.key-mgmt wpa-psk
    nmcli con modify NetworkName wifi-sec.psk '<redacted>'
    nmcli con modify NetworkName 802-11-wireless.cloned-mac-address permanent
    nmcli con modify NetworkName connection.zone home

Note that the last line sets up the connection (firewalld) zone. You can also script other networks:

    nmcli con add con-name ExtNetwork ifname "${wif}" type wifi ssid ExtNetwork
    nmcli con modify ExtNetwork wifi-sec.key-mgmt wpa-psk
    nmcli con modify ExtNetwork wifi-sec.psk '<redacted>'

Someone did some serious thinking about how all this plays together, and the results so far look like some very nice software.

-- 
Does anybody read signatures any more?
https://charlescurley.com
https://charlescurley.com/blog/
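The post's policy is that SSH is offered in the "home" zone and nowhere else. As an added example (not part of the original post), the script below audits the `services:` line of `firewall-cmd --list-all` output for both zones and fails if that policy is violated; when `firewall-cmd` is absent it runs against constructed sample output that mirrors the listing above.

```shell
#!/bin/sh
# Audit that the ssh service is enabled in the "home" zone and not in "public".
# Functions take the text of one `firewall-cmd --list-all --zone=ZONE` listing.

# zone_services LISTING -> prints the space-separated services of that zone
zone_services() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*services:[[:space:]]*//p'
}

# zone_has_service SERVICE LISTING -> exit 0 if SERVICE appears in the services line
zone_has_service() {
    svc=$1
    for s in $(zone_services "$2"); do
        [ "$s" = "$svc" ] && return 0
    done
    return 1
}

# check_ssh_policy PUBLIC_LISTING HOME_LISTING -> exit 0 only if ssh is
# present in home and absent from public
check_ssh_policy() {
    if zone_has_service ssh "$1"; then
        echo "FAIL: ssh is exposed in the public (default) zone"; return 1
    fi
    if ! zone_has_service ssh "$2"; then
        echo "FAIL: ssh is missing from the home zone"; return 1
    fi
    echo "OK: ssh is offered only in the home zone"
}

# Constructed sample listings (same shape as the real firewall-cmd output).
SAMPLE_PUBLIC='public
  target: default
  services: dhcpv6-client
  ports:'
SAMPLE_HOME='home (active)
  target: default
  interfaces: wls3
  services: mdns samba-client ssh syncthing
  ports:'

# Use live output when firewall-cmd is installed, otherwise the samples.
if command -v firewall-cmd >/dev/null 2>&1; then
    check_ssh_policy "$(firewall-cmd --list-all --zone=public)" \
                     "$(firewall-cmd --list-all --zone=home)"
else
    check_ssh_policy "$SAMPLE_PUBLIC" "$SAMPLE_HOME"
fi
```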