Re: [PATCH] firewall-manager: allow dhcpv6-client service
* Jiri Popelka
> On 03/08/2012 02:53 PM, Tore Anderson wrote:
>> The best solution would obviously be to just fix the default firewall in
>> Fedora too, but the firewall infrastructure maintainer is refusing to
>> make that change.
>> In short, he doesn't seem likely to change his mind any time soon.
>
> He actually did :-)

Wonderful, thank you very much for changing your mind Thomas! :-)

Only thing left now is to ascertain that firewalld does indeed replace ip6tables in a default F17 install, otherwise the change needs to be applied to the /etc/sysconfig/ip6tables file too (bz#591630). Perhaps that should be done in any case, especially if firewalld does not automatically replace ip6tables on upgrades to F17.

Best regards,
-- 
Tore Anderson

___
networkmanager-list mailing list
networkmanager-list@gnome.org
http://mail.gnome.org/mailman/listinfo/networkmanager-list
Re: [PATCH] firewall-manager: allow dhcpv6-client service
On Thu, 2012-03-15 at 18:33 +0100, Jiri Popelka wrote:
> On 03/08/2012 02:53 PM, Tore Anderson wrote:
> > The best solution would obviously be to just fix the default firewall in
> > Fedora too, but the firewall infrastructure maintainer is refusing to
> > make that change.
> > In short, he doesn't seem likely to change his mind any time soon.
>
> He actually did :-)
>
> This commit makes the patch pointless:
> http://git.fedorahosted.org/git/?p=firewalld.git;a=commitdiff;h=31189e942132f4df09660bd5e863fad619c0f18f

Ok, shall drop the patch then. Glad to see it resolved.

Dan
Re: [PATCH] firewall-manager: allow dhcpv6-client service
On 03/08/2012 02:53 PM, Tore Anderson wrote:
> The best solution would obviously be to just fix the default firewall in
> Fedora too, but the firewall infrastructure maintainer is refusing to
> make that change.
> In short, he doesn't seem likely to change his mind any time soon.

He actually did :-)

This commit makes the patch pointless:
http://git.fedorahosted.org/git/?p=firewalld.git;a=commitdiff;h=31189e942132f4df09660bd5e863fad619c0f18f

Thanks,
-- 
Jiri
Re: [PATCH] firewall-manager: allow dhcpv6-client service
* Ludwig Nussel
> Uh, ssh would probably be the last thing I'd allow in the public zone by
> default :-)

Fully agreed. On hosts that have the SSH daemon open from the world, I see a constant stream of brute force attacks on it. DHCP (both versions) appears to be left alone by attackers, on the other hand.

DHCPv4 is allowed by default in Fedora, though, while DHCPv6 for some reason is singled out by the Fedora firewall infrastructure maintainer as being too insecure to be allowed by default. And that is before you even take into account that DHCPv6 (unlike DHCPv4) can be restricted so that it would only be open from nodes that are attached to the local link, making it impossible to contact from the internet. Barring some undisclosed vulnerability in the DHCPv6 client (which is the same binary as the default-open DHCPv4 client by the way), to me this is quite unfathomable.

> So the zone intentionally does not allow ipv6. What sense does that make
> if NM can add (and will) it anyways then?

It doesn't make any sense. This patch is not required on a distribution that has a sane default firewall that allows DHCPv6 in the first place. I know that is the case for Ubuntu at least.

The best solution would obviously be to just fix the default firewall in Fedora too, but the firewall infrastructure maintainer is refusing to make that change. To the best of my knowledge, he has not offered any explanation for his position, and has ignored all arguments against it. In short, he doesn't seem likely to change his mind any time soon.

Therefore, a work-around for the broken default is necessary on Fedora, and this patch does exactly that.

Best regards,
-- 
Tore Anderson
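Added example, not part of the thread and not NetworkManager or firewalld code: a model of the link-local restriction Tore describes in the message above, together with the equivalent static rule for the /etc/sysconfig/ip6tables case raised at the top of the thread. The two service definitions are constructed for this example (they follow the <port>/<destination> element layout of firewalld service files but are not copied from firewalld), the "only the listed families, only within the listed prefix" reading of <destination> is this example's own interpretation, and the INPUT chain name in the generated rules is an assumption.

```python
"""Model of a firewalld-style service file and the inbound packets it admits.

Added example; not NetworkManager or firewalld code. The XML below is
constructed here (shaped like firewalld's <port>/<destination> elements,
not copied from the project); the chain name is an assumption.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed: a client service reachable only on link-local destinations.
# DHCPv6 Advertise/Reply messages are sent to the client's link-local
# address, so this is all a DHCPv6 client ever needs opened.
DHCPV6_CLIENT_XML = """\
<service>
  <short>DHCPv6 Client</short>
  <port protocol="udp" port="546"/>
  <destination ipv6="fe80::/64"/>
</service>
"""

# Constructed: a DHCPv4 client hole with no destination restriction at all.
DHCPV4_CLIENT_XML = """\
<service>
  <short>DHCPv4 Client</short>
  <port protocol="udp" port="68"/>
</service>
"""


def parse_service(xml_text):
    """Return {'name', 'ports': {(proto, port)}, 'destination': {family: net}}."""
    root = ET.fromstring(xml_text)
    ports = {(p.get("protocol"), int(p.get("port"))) for p in root.findall("port")}
    destination = {}
    dest = root.find("destination")
    if dest is not None:
        for family in ("ipv4", "ipv6"):
            if dest.get(family):
                destination[family] = ipaddress.ip_network(dest.get(family))
    return {"name": root.findtext("short"), "ports": ports, "destination": destination}


def service_admits(svc, proto, dport, dst):
    """True if an inbound proto/dport packet addressed to dst is accepted.

    Interpretation used by this example: with no <destination>, any
    destination address is accepted; with one, only the families it names
    are accepted, and each only within the listed prefix.
    """
    if (proto, dport) not in svc["ports"]:
        return False
    addr = ipaddress.ip_address(dst)
    family = "ipv6" if addr.version == 6 else "ipv4"
    if not svc["destination"]:
        return True
    net = svc["destination"].get(family)
    return net is not None and addr in net


def static_rules(svc, chain="INPUT"):
    """Equivalent iptables/ip6tables rules, e.g. for /etc/sysconfig/ip6tables.

    The chain name is an assumption of this example, not firewalld's layout.
    """
    rules = {"iptables": [], "ip6tables": []}
    for family, tool in (("ipv4", "iptables"), ("ipv6", "ip6tables")):
        if svc["destination"] and family not in svc["destination"]:
            continue  # service restricted to other families only
        net = svc["destination"].get(family)
        dst = f" -d {net}" if net is not None else ""
        for proto, port in sorted(svc["ports"]):
            rules[tool].append(
                f"-A {chain}{dst} -p {proto} -m {proto} --dport {port} -j ACCEPT")
    return rules


if __name__ == "__main__":
    v6 = parse_service(DHCPV6_CLIENT_XML)
    v4 = parse_service(DHCPV4_CLIENT_XML)
    for svc, proto, port, dst in ((v6, "udp", 546, "fe80::1"),
                                  (v6, "udp", 546, "2001:db8::1"),
                                  (v4, "udp", 68, "192.0.2.1")):
        verdict = "accept" if service_admits(svc, proto, port, dst) else "drop"
        print(f"{svc['name']}: {proto}/{port} to {dst}: {verdict}")
    for tool, lines in static_rules(v6).items():
        for line in lines:
            print(tool, line)
```

The point the code makes is the one in the message above: a DHCPv6 Advertise or Reply is addressed to the client's link-local address, so limiting the 546/udp hole to fe80::/64 destinations leaves nothing an off-link host can hit, while the 68/udp DHCPv4 hole has no such restriction. The hole is needed at all because the Solicit goes out to the multicast address ff02::1:2 but the Advertise comes back from a unicast link-local address, so connection tracking does not recognise the reply as belonging to the outbound flow. Link-local is formally fe80::/10; fe80::/64 is the prefix addresses are actually formed in and is what the usual rule matches.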
Re: [PATCH] firewall-manager: allow dhcpv6-client service
On 03/07/2012 10:55 PM, Tore Anderson wrote:
> 3) I saw the following error message appear in the logs a few times:
>
> (p17p1) firewall zone add/change failed: (32) ZONE_ALREADY_SET

It happens when you for example restart NM and it tells firewalld to add the interface to a zone, but firewalld already knows about this interface being part of the zone.
Re: [PATCH] firewall-manager: allow dhcpv6-client service
* Jiri Popelka
> Yes, and thank *you* for the outstanding work you've done in RHBZ#538499.

Just a few itsy bitsy teenie weenie patches left to apply before NM/Fedora's IPv6 support is on par with Windows' and Mac OS X's...

> We are talking about FirewallD [1] which should [2] be the default
> firewall solution in F17.
> However the latest version in F17 doesn't include the dhcpv6-client
> service [3]
> yet but some updates will follow soon.
>
> [1] https://fedorahosted.org/firewalld/
> https://fedoraproject.org/wiki/FirewallD/
> [2] https://fedorahosted.org/fesco/ticket/805
> [3]
> https://fedorahosted.org/pipermail/firewalld-devel/2012-February/01.html

Thanks, now I've gotten to test this properly on F17. Some observations:

1) Applying the patch on top of the latest NetworkManager SRPM doesn't allow the package to build correctly on F17, while it does on F16. I managed to solve this by adding the following three commands above the first %configure step:

aclocal --force
libtoolize --force
automake --force

2) FirewallD 0.2.2-1 has a serious problem in its default rule set that is preventing any form of IPv6 connectivity from ever working, see https://bugzilla.redhat.com/show_bug.cgi?id=801182 .

3) I saw the following error message appear in the logs a few times:

(p17p1) firewall zone add/change failed: (32) ZONE_ALREADY_SET

These occurred while I was working on problem #2, so things couldn't have worked anyway. When I retried the connection after fixing that, the firewall hole for DHCPv6 in the public zone was successfully added. I don't know if this was a random success, or if the ZONE_ALREADY_SET failure was caused by problem #2 somehow.

4) NetworkManager itself defaults to ignoring IPv6 (in other words never starting DHCPv6) on wired ethernet connections. This prevents DHCPv6 from functioning out of the box even with a fixed firewalld and your patch in place (or no firewall at all for that matter). See https://bugzilla.redhat.com/show_bug.cgi?id=798697 and http://mail.gnome.org/archives/networkmanager-list/2011-August/msg00063.html (only the last hunk of the patch is relevant for this particular issue).

Best regards,
-- 
Tore Anderson
Re: [PATCH] firewall-manager: allow dhcpv6-client service
Jiri Popelka wrote:
> On 03/07/2012 10:26 AM, Ludwig Nussel wrote:
>> Jiri Popelka wrote:
>>> Tell firewall to allow dhcpv6-client service for the given zone prior
>>> to starting dhcpv6 client. We don't need to wait for the response
>> That looks odd to me. Why doesn't the zone config already allow dhcpv6
>> by default?
>
> That depends on what zone the interface belongs to.
> If it's part of a zone where dhcpv6 is allowed by default (like the "home" or
> "work" zone) then this is of course not needed.
> But the default zone is "public", where at the moment only the ssh service
> is allowed.

Uh, ssh would probably be the last thing I'd allow in the public zone by default :-)

So the zone intentionally does not allow ipv6. What sense does that make if NM can add (and will) it anyways then?

cu
Ludwig
-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
Re: [PATCH] firewall-manager: allow dhcpv6-client service
On 03/07/2012 10:26 AM, Ludwig Nussel wrote:
> Jiri Popelka wrote:
>> Tell firewall to allow dhcpv6-client service for the given zone prior
>> to starting dhcpv6 client. We don't need to wait for the response
>
> That looks odd to me. Why doesn't the zone config already allow dhcpv6
> by default?

That depends on what zone the interface belongs to.
If it's part of a zone where dhcpv6 is allowed by default (like the "home" or "work" zone) then this is of course not needed.
But the default zone is "public", where at the moment only the ssh service is allowed.

-- 
Jiri
Re: [PATCH] firewall-manager: allow dhcpv6-client service
Jiri Popelka wrote:
> Tell firewall to allow dhcpv6-client service for the given zone prior
> to starting dhcpv6 client. We don't need to wait for the response

That looks odd to me. Why doesn't the zone config already allow dhcpv6 by default?

cu
Ludwig
-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
Re: [PATCH] firewall-manager: allow dhcpv6-client service
On 03/06/2012 09:03 AM, Tore Anderson wrote:
> Hi Jiri,
>
>> Tell firewall to allow dhcpv6-client service for the given zone prior
>> to starting dhcpv6 client. We don't need to wait for the response
>> because dhcp client keeps sending Solicit messages until it gets the
>> response (i.e. until firewall opens the port).
>
> Thank you very much for looking into this, it is high time DHCPv6 is
> functional out of the box in Fedora.

Yes, and thank *you* for the outstanding work you've done in RHBZ#538499.

> I tested the patch on top of the NetworkManager-0.9.3.995-0.4.git20120302
> SRPM, and it applies and compiles without any problems. However, it doesn't
> actually work for me - I get the «opening port for dhcpv6 client skipped
> (firewall not running)» message in my logs. I couldn't figure out how I go
> about starting the firewall-manager service (suggestions are welcomed), but
> in any case, if it isn't enabled by default, then DHCPv6 isn't going to work
> out of the box, which means no actual progress has been made. Or am I
> missing something here?

We are talking about FirewallD [1] which should [2] be the default firewall solution in F17.
However the latest version in F17 doesn't include the dhcpv6-client service [3] yet but some updates will follow soon.

[1] https://fedorahosted.org/firewalld/
    https://fedoraproject.org/wiki/FirewallD/
[2] https://fedorahosted.org/fesco/ticket/805
[3] https://fedorahosted.org/pipermail/firewalld-devel/2012-February/01.html

-- 
Jiri
Re: [PATCH] firewall-manager: allow dhcpv6-client service
Hi Jiri,

> Tell firewall to allow dhcpv6-client service for the given zone prior
> to starting dhcpv6 client. We don't need to wait for the response
> because dhcp client keeps sending Solicit messages until it gets the
> response (i.e. until firewall opens the port).

Thank you very much for looking into this, it is high time DHCPv6 is functional out of the box in Fedora.

I tested the patch on top of the NetworkManager-0.9.3.995-0.4.git20120302 SRPM, and it applies and compiles without any problems. However, it doesn't actually work for me - I get the «opening port for dhcpv6 client skipped (firewall not running)» message in my logs. I couldn't figure out how I go about starting the firewall-manager service (suggestions are welcomed), but in any case, if it isn't enabled by default, then DHCPv6 isn't going to work out of the box, which means no actual progress has been made. Or am I missing something here?

Best regards,
-- 
Tore Anderson
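Added example, not part of the thread and not NetworkManager, dhclient or firewalld code: a small model of what "we don't need to wait for the response because dhcp client keeps sending Solicit messages" in the quoted commit message costs in practice. It uses the RFC 3315 Solicit timers (SOL_TIMEOUT 1 s and SOL_MAX_RT 120 s from section 5.5) and the section 14 backoff rule. The instant at which the firewall hole opens is an input the simulation assumes rather than anything measured; t = 0 is the first Solicit (the initial SOL_MAX_DELAY is left out); and an Advertise is treated as dropped unless the hole was already open when its Solicit went out, since the reply arrives well within a second.

```python
"""Model of DHCPv6 Solicit retransmission against a late-opening firewall hole.

Added example; not NetworkManager, dhclient or firewalld code. Timer
constants are RFC 3315 section 5.5 values, the backoff is RFC 3315
section 14. "The hole opens at time T" is an assumed input; t = 0 is the
first Solicit and SOL_MAX_DELAY is ignored.
"""
import random

SOL_TIMEOUT = 1.0   # IRT: initial retransmission time, seconds
SOL_MAX_RT = 120.0  # MRT: upper bound on the retransmission time, seconds
                    # (RFC 7083 later raised this default to 3600 s)


def no_jitter():
    """RAND = 0: deterministic schedule, handy for worst-case reasoning."""
    return 0.0


def rfc_jitter():
    """RAND uniformly distributed in [-0.1, 0.1], as RFC 3315 section 14 asks."""
    return random.uniform(-0.1, 0.1)


def solicit_send_times(horizon, rand=no_jitter):
    """Times (s) at which the client transmits Solicit, up to and including horizon.

    Solicit has MRC = MRD = 0, so it is retransmitted indefinitely:
      RT(first)      = IRT + RAND*IRT
      RT(subsequent) = 2*RT + RAND*RT, and if RT > MRT: RT = MRT + RAND*MRT
    """
    times = [0.0]
    rt = SOL_TIMEOUT + rand() * SOL_TIMEOUT
    t = rt
    while t <= horizon:
        times.append(t)
        rt = 2 * rt + rand() * rt
        if rt > SOL_MAX_RT:
            rt = SOL_MAX_RT + rand() * SOL_MAX_RT
        t += rt
    return times


def first_answered_solicit(firewall_open_at, horizon=600.0, rand=no_jitter):
    """Send time of the first Solicit whose Advertise gets in, or None.

    Model: every Solicit leaves the host, the server answers within the same
    second, and the Advertise is dropped unless the 546/udp hole was already
    open when that Solicit was sent. None means the hole never opened in time
    (e.g. firewalld not running), which is the silent-failure case.
    """
    for t in solicit_send_times(horizon, rand):
        if t >= firewall_open_at:
            return t
    return None


def extra_delay(firewall_open_at, horizon=600.0):
    """Seconds between the hole opening and the Solicit that succeeds (no jitter)."""
    t = first_answered_solicit(firewall_open_at, horizon)
    return None if t is None else t - firewall_open_at


if __name__ == "__main__":
    for open_at in (0.0, 0.5, 5.0, 40.0, 200.0):
        print(f"hole opens at {open_at:6.1f}s -> first usable Solicit at "
              f"{first_answered_solicit(open_at)}s, extra wait {extra_delay(open_at)}s")
```

With no jitter the schedule is 0, 1, 3, 7, 15, 31, 63, 127, 247, ... seconds, so a hole that takes five seconds to appear costs two extra seconds, while one that takes forty costs twenty-three; passing `rand=rfc_jitter` shows the same shape with the ±10% spread the RFC requires. Waiting for firewalld's reply before starting the client would remove that gap entirely, and the None return is the case the "skipped (firewall not running)" log line in the message above corresponds to.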
[PATCH] firewall-manager: allow dhcpv6-client service
Tell firewall to allow dhcpv6-client service for the given zone prior to starting dhcpv6 client. We don't need to wait for the response because dhcp client keeps sending Solicit messages until it gets the response (i.e. until firewall opens the port). --- src/Makefile.am|6 ++-- src/dhcp-manager/Makefile.am |2 + src/dhcp-manager/nm-dhcp-manager.c | 22 -- src/dhcp-manager/nm-dhcp-manager.h |1 + src/firewall-manager/nm-firewall-manager.c | 44 src/firewall-manager/nm-firewall-manager.h |2 + src/main.c | 14 src/nm-device.c|3 ++ 8 files changed, 81 insertions(+), 13 deletions(-) diff --git a/src/Makefile.am b/src/Makefile.am index f46fbab..ae84f70 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -3,6 +3,7 @@ SUBDIRS= \ logging \ dns-manager \ vpn-manager \ + firewall-manager \ dhcp-manager \ ip6-manager \ supplicant-manager \ @@ -11,7 +12,6 @@ SUBDIRS= \ dnsmasq-manager \ modem-manager \ bluez-manager \ - firewall-manager \ wifi \ settings @@ -29,13 +29,13 @@ INCLUDES = -I${top_srcdir} \ -I${top_srcdir}/src/logging \ -I${top_srcdir}/src/dns-manager \ -I${top_srcdir}/src/vpn-manager \ + -I$(top_srcdir)/src/firewall-manager \ -I${top_srcdir}/src/dhcp-manager \ -I${top_srcdir}/src/ip6-manager \ -I${top_srcdir}/src/supplicant-manager \ -I${top_srcdir}/src/dnsmasq-manager \ -I${top_srcdir}/src/modem-manager \ -I$(top_srcdir)/src/bluez-manager \ - -I$(top_srcdir)/src/firewall-manager \ -I$(top_srcdir)/src/settings \ -I$(top_srcdir)/src/wifi \ -I${top_srcdir}/libnm-util \ @@ -298,6 +298,7 @@ NetworkManager_LDADD = \ ./logging/libnm-logging.la \ ./dns-manager/libdns-manager.la \ ./vpn-manager/libvpn-manager.la \ + ./firewall-manager/libfirewall-manager.la \ ./dhcp-manager/libdhcp-manager.la \ ./ip6-manager/libip6-manager.la \ ./supplicant-manager/libsupplicant-manager.la \ 
@@ -306,7 +307,6 @@ NetworkManager_LDADD = \ ./modem-manager/libmodem-manager.la \ ./bluez-manager/libbluez-manager.la \ ./wifi/libwifi-utils.la \ - ./firewall-manager/libfirewall-manager.la \ ./settings/libsettings.la \ ./backends/libnmbackend.la \ $(top_builddir)/libnm-util/libnm-util.la \ diff --git a/src/dhcp-manager/Makefile.am b/src/dhcp-manager/Makefile.am index ce34c41..4ef0185 100644 --- a/src/dhcp-manager/Makefile.am +++ b/src/dhcp-manager/Makefile.am @@ -7,6 +7,7 @@ INCLUDES = \ -I${top_srcdir}/src/generated \ -I${top_builddir}/src/generated \ -I${top_srcdir}/src/logging \ + -I${top_srcdir}/src/firewall-manager \ -I${top_srcdir}/libnm-util \ -I${top_builddir}/libnm-util \ -I${top_srcdir}/src @@ -58,6 +59,7 @@ libdhcp_manager_la_CPPFLAGS = \ libdhcp_manager_la_LIBADD = \ $(top_builddir)/src/logging/libnm-logging.la \ + $(top_builddir)/src/firewall-manager/libfirewall-manager.la \ $(builddir)/libdhcp-dhclient.la \ $(DBUS_LIBS) \ $(GLIB_LIBS) diff --git a/src/dhcp-manager/nm-dhcp-manager.c b/src/dhcp-manager/nm-dhcp-manager.c index 1af1b16..e483a7a 100644 --- a/src/dhcp-manager/nm-dhcp-manager.c +++ b/src/dhcp-manager/nm-dhcp-manager.c @@ -43,6 +43,7 @@ #include "nm-hostname-provider.h" #include "nm-dbus-glib-types.h" #include "nm-glib-compat.h" +#include "nm-firewall-manager.h" GQuark nm_dhcp_manager_error_quark (void) @@ -72,6 +73,7 @@ typedef struct { GHashTable *clients; DBusGProxy *proxy; NMHostnameProvider *hostname_provider; + NMFirewallManager *fw_mgr; } NMDHCPManagerPrivate; @@ -338,6 +340,8 @@ nm_dhcp_manager_new (const char *client, GError **error) singleton, NULL); + priv->fw_mgr = nm_firewall_manager_get(); + return singleton; } @@ -385,6 +389,7 @@ static NMDHCPClient * client_start (NMDHCPManager *self, const char *iface, const char *uuid, + const char *zone, gboolean ipv6, NMSettingIP4Config *s_ip4, NMSettingIP6Config *s_ip6, 
@@ -424,8 +429,16 @@ client_start (NMDHCPManager *self, g_return_val_if_fail (client != NULL, NULL); add_client (self, client); - if (ipv6) + if (ipv6) { + /* +* Tell firewall to allow dhcpv6-client service for the given zone prior +* to starting dhcpv6 client. We don't need to wait for the response +* because dh
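Review bot: the moves of firewall-manager ahead of dhcp-manager in SUBDIRS, INCLUDES and NetworkManager_LDADD in the src/Makefile.am hunks are a new build-order dependency (libdhcp-manager now links libfirewall-manager.la, per the src/dhcp-manager/Makefile.am hunk), but the commit message does not say so. Add a sentence along the lines of "firewall-manager must be built before dhcp-manager, which now links it" so the reason the lines moved survives a later re-sort of those lists.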
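Review bot: in the nm_dhcp_manager_new() hunk, `priv->fw_mgr = nm_firewall_manager_get();` holds a reference to the firewall manager for the lifetime of the DHCP manager, but no matching g_object_unref() in a dispose or finalize path is visible in the hunks shown here; if the rest of the 22-line nm-dhcp-manager.c change does not add one, either add it or state in the commit message that the reference is intentionally kept until exit. The `if (ipv6) {` branch of client_start() is cut off in this archive copy, so whether it guards against priv->fw_mgr being NULL cannot be checked from what is shown.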
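Review bot: the justification in the client_start() comment and commit message, "We don't need to wait for the response because dhcp client keeps sending Solicit messages", understates the cost of not waiting: Solicit retransmission backs off exponentially (RFC 3315 SOL_TIMEOUT 1 s, doubling up to SOL_MAX_RT 120 s), so if firewalld takes a few seconds to install the rule, the Advertise answering the Solicits already sent is dropped and the client idles until its next retransmission, which can be tens of seconds into the attempt. Consider waiting for the firewalld D-Bus reply before starting the DHCPv6 client, or restarting the client once the reply arrives. Independently, the failure path should not be quiet: the "opening port for dhcpv6 client skipped (firewall not running)" log line reported earlier in this thread was the only indication that DHCPv6 could not work, so log that at a level an administrator will see.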