On Wed, Jan 11, 2023 at 8:14 AM Marc Chamberlin <marc@marcchamberlin.com> wrote:

> On 1/10/23 22:46, Andrei Borzenkov wrote:
>>> On 1/10/23 20:13, Andrei Borzenkov wrote:
>>>> On 10.01.2023 23:38, Marc Chamberlin wrote:
>>>>> On 1/9/23 14:26, Carlos E. R. wrote:
>>>>>> On 2023-01-09 23:23, Marc Chamberlin wrote:
>>>>>>> Hi - I am running an OpenSuSE 15.4 x64 using Firewalld with iptables as the backend.
>>>>>>>
>>>>>>> firewall-cmd -V
>>>>>>> 0.9.3
>>>>>>>
>>>>>>> I also use Knockd and port knocks to open and close various ports on this system. (And yes, I understand the drawbacks of using port knocking!) The trouble is, Firewalld is blocking the knocks and preventing the knockd.service daemon from hearing them.
>>>>>>
>>>>>> Maybe just open the ports used for knocking?
>>>>>
>>>>> Thanks Carlos for your reply, yeah I tried that already 😁, no joy... 😭
>>>>
>>>> You forgot to show your firewalld configuration that you tried.
>>>
>>> Hi Andrei, I am not sure which firewalld configuration file you want me to show,
>>
>> You claimed you "tried to open ports". You show whatever you did to make firewalld open ports.
>>
>>> but I will take a stab at it and show /etc/firewalld/firewalld.conf (without comments)
>>
>> Which has nothing to do with opening ports.
>>
>>> Let me know if you want to see the Zone file(s) or anything else.
>>
>> Again - you need to show what you did to open ports.
>
> Andrei - I am not sure how to show you what I did to open the ports, unless you want me to send you a bunch of screen capture photos. I used the firewall-config GUI, selected my internal zone, and then added the ports I knock on to the Ports section of the GUI. I also selected the TCP protocol because that is what my knock client is using to send the knocks to these ports. This did not work.
>
> If the knockd.service daemon had heard the knocks then it would have used the following command configuration to open the actual port for the service I am trying to access. For example, for SSH, I send the port knock sequence to the ports xxxx,yyyy,zzzz (obscured) and it is these same ports I tried to add to firewall-config -> internal -> Ports:
>
>     [SSH]
>         sequence      = xxxx,yyyy,zzzz
>         seq_timeout   = 15
>         tcpflags      = syn
>         start_command = /usr/sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport 22 -j ACCEPT
>         cmd_timeout   = 300
>         stop_command  = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
>
> This has and does work on OpenSuSE 15.3 without the need to add the knock ports to the firewall. It appears that firewalld has changed somehow in OpenSuSE 15.4 and is blocking the knockd.service daemon from hearing them. Something unexpected is happening; it also appears that firewalld.service itself is not hearing the knocks. I added the firewalld debug argument to the list of arguments sent to the firewalld app, and monitored the output to the firewalld log file. No messages about the knocks are reported to the log file!
>
> Marc..
>
> P.S. to all who shared their opinion about my signature, think of it as art. Many artists break the rules, Picasso certainly comes to mind! So I too break a few rules when my artistic side shows up! 😉
>
> --
> *"The Truth is out there" - Spooky*
> *_ _ . . . . . . _ _ . _ _ _ _ . . . . _ . . . . _ _ . _ _ _ . . . . _ _ . _ . . _ . _ _ _ _ . _ . _ . _ . _ . *
> Computers: the final frontier. These are the voyages of the user Marc. His mission: to explore strange new hardware. To seek out new software and new applications. To boldly go where no Marc has gone before!
>
> (/This email is digitally signed and the OpenPGP electronic signature is added as an attachment. If you know how, you can use my public key to prove this email indeed came from me and has not been modified in transit. My public key, which can be used for sending encrypted email to me also, can be found at - https://keys.openpgp.org/search?q=marc@marcchamberlin.com or just ask me for it and I will send it to you as an attachment. If you don't understand all this geek speak, no worries, just ignore this explanation and ignore the OpenPGP signature key attached to this email (it will look like gibberish if you open it) and/or ask me to explain it further if you like./)
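The knockd stanza in the message above, as an added example that is not part of the thread and not code from knockd or firewalld: a small Python script that parses a knockd.conf, lists the knock ports a zone would have to admit (the step Carlos suggested), shows the iptables commands knockd would run once %IP% is filled in, and renders an equivalent firewall-cmd rich-rule pair for the internal zone so the opened hole is managed by firewalld rather than by a bare iptables rule it knows nothing about. The knock ports 7000,8000,9000, the knocker address 203.0.113.7 and the firewalld translation are this example's assumptions; the thread obscures the real ports and settles on no firewalld form.

```python
#!/usr/bin/env python3
"""Parse a knockd.conf stanza and render its firewall actions.

Added example for the mailing-list thread; not code from the thread,
from knockd or from firewalld. The knockd.conf format ([SECTION] headers,
'key = value' lines, a %IP% placeholder that knockd fills with the knocker's
address) is knockd's own; the firewalld mapping below is this example's.
"""
import ipaddress
import re

# Constructed sample (not the poster's real file): the poster obscured the
# knock ports, so 7000,8000,9000 stand in for xxxx,yyyy,zzzz.
SAMPLE_KNOCKD_CONF = """
[options]
    logfile = /var/log/knockd.log

[SSH]
    sequence      = 7000,8000,9000
    seq_timeout   = 15
    tcpflags      = syn
    start_command = /usr/sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport 22 -j ACCEPT
    cmd_timeout   = 300
    stop_command  = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
"""

_DPORT = re.compile(r"--dport\s+(\d+)")
_PROTO = re.compile(r"-p\s+(tcp|udp)\b")


def parse_knockd_conf(text):
    """Minimal parser for knockd's ini-style file. configparser is deliberately
    not used: it treats indented keys (knockd's usual layout) as continuation
    lines of the previous value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
        else:
            raise ValueError(f"unparseable knockd.conf line: {raw!r}")
    return sections


def knock_sequence(stanza):
    """Knock sequence as (port, protocol) pairs. knockd accepts 'port' or
    'port:proto' entries; tcp is the default protocol."""
    seq = []
    for entry in stanza["sequence"].split(","):
        port, _, proto = entry.strip().partition(":")
        port = int(port)
        if not 1 <= port <= 65535:
            raise ValueError(f"knock port out of range: {port}")
        seq.append((port, (proto or "tcp").lower()))
    return seq


def knock_port_commands(conf, zone="internal"):
    """firewall-cmd lines that admit the knock ports themselves in the zone
    (what 'open the ports used for knocking' amounts to), one per distinct port."""
    ports = sorted({p for name, st in conf.items()
                    if name != "options" for p in knock_sequence(st)})
    return [f"firewall-cmd --zone={zone} --add-port={port}/{proto}" for port, proto in ports]


def valid_knocker_ip(candidate):
    """True if the string is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False


def render_commands(stanza, knocker_ip):
    """Fill %IP% as knockd does, after checking it is a literal address, so a
    malformed string can never be spliced into a root shell command."""
    if not valid_knocker_ip(knocker_ip):
        raise ValueError(f"not an IP address: {knocker_ip!r}")
    return (stanza["start_command"].replace("%IP%", knocker_ip),
            stanza["stop_command"].replace("%IP%", knocker_ip))


def firewalld_equivalent(stanza, knocker_ip, zone="internal"):
    """Translate the iptables start/stop pair into a firewall-cmd rich rule for
    the zone. cmd_timeout maps onto firewall-cmd's runtime --timeout, so the
    rule expires on its own even if the stop command never runs. Assumption of
    this example; the thread did not establish this mapping."""
    ip = ipaddress.ip_address(knocker_ip)
    start = stanza["start_command"]
    dport, proto = _DPORT.search(start), _PROTO.search(start)
    if not dport or not proto:
        raise ValueError("start_command has no recognisable -p/--dport")
    rule = (f'rule family="ipv{ip.version}" source address="{ip}" '
            f'port port="{dport.group(1)}" protocol="{proto.group(1)}" accept')
    add = f"firewall-cmd --zone={zone} --add-rich-rule='{rule}'"
    if stanza.get("cmd_timeout"):
        add += f" --timeout={stanza['cmd_timeout']}"
    remove = f"firewall-cmd --zone={zone} --remove-rich-rule='{rule}'"
    return add, remove


if __name__ == "__main__":
    conf = parse_knockd_conf(SAMPLE_KNOCKD_CONF)
    ssh = conf["SSH"]
    print("knock sequence:  ", knock_sequence(ssh))
    for cmd in knock_port_commands(conf):
        print("admit knock port:", cmd)
    for cmd in render_commands(ssh, "203.0.113.7"):   # constructed knocker address
        print("knockd would run:", cmd)
    for cmd in firewalld_equivalent(ssh, "203.0.113.7"):
        print("firewalld form:  ", cmd)
```

Run as a script it prints the three views for the sample stanza; point `parse_knockd_conf` at the contents of a real /etc/knockd.conf to see what a given configuration would actually execute.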