Bug 448407

Summary: Contradictory firewall status information with nftables / firewalld and Plasma System Settings Firewall
Product: [Applications] systemsettings
Reporter: Lyubomir <liubomirwm>
Component: kcm_firewall
Assignee: Lucas Biaggi <lucas.biaggi>
Status: RESOLVED FIXED
Severity: normal
CC: lucas.biaggi, nate, tcanabrava
Priority: NOR
Version: 5.23.5
Target Milestone: ---
Platform: Arch Linux
OS: Linux
Latest Commit:
Version Fixed In: 5.25

Description Lyubomir 2022-01-13 22:51:16 UTC
SUMMARY
I've got iptables, nftables and firewalld installed. I cannot remove iptables because it is a dependency of systemd.

The issue is that the Plasma Firewall inside the System Settings shows that the "Default Incoming Policy" and "Default Outgoing Policy" are "Allow", when this is not true in practice. The currently used connection is using the wlp3s0 interface.

------------------------------------------------------------------------------------------------------------------------------------------------------------
Output of iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

------------------------------------------------------------------------------------------------------------------------------------------------------------
Output of firewall-cmd --get-active-zones
public
  interfaces: wlp3s0
trusted
  interfaces: lo

------------------------------------------------------------------------------------------------------------------------------------------------------------
Output of firewall-cmd --info-zone=public
public (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: wlp3s0
  sources: 
  services: dhcpv6-client
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

OBSERVED RESULT
Plasma Firewall shows that the "Default Incoming Policy" and "Default Outgoing Policy" are "Allow".

EXPECTED RESULT
Plasma Firewall should show that the "Default Incoming Policy" is "Drop" and "Default Outgoing Policy" is "Allow".

SOFTWARE/OS VERSIONS
firewalld 1.0.2-2
iptables 1:1.8.7-1
nftables 1:1.0.1-3
Operating System: Arch Linux
KDE Plasma Version: 5.23.5
KDE Frameworks Version: 5.90.0
Qt Version: 5.15.2
Kernel Version: 5.15.13-zen1-1-zen (64-bit)
Graphics Platform: Wayland
Processors: 8 × Intel® Core™ i5-8250U CPU @ 1.60GHz
Memory: 7,6 GiB of RAM
Graphics Processor: Mesa Intel® UHD Graphics 620

Comment 1 Lyubomir 2022-01-13 23:00:58 UTC
nft list tables gives only:
table inet firewalld

Comment 2 Lucas Biaggi 2022-01-19 15:46:59 UTC
Today the default policies are hardcoded; I will fix it on the weekend.

Comment 3 Nate Graham 2022-02-21 19:07:33 UTC
Fixed by Lucas Biaggi with https://invent.kde.org/plasma/plasma-firewall/-/commit/5f24d46d815fc982dcc0d67425447d6dad34120b in Plasma 5.25!
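
The mismatch described in this report can be checked directly from the two command outputs quoted in the description. The following is an added example, not part of the report or of the plasma-firewall fix: it parses `firewall-cmd --info-zone` and `iptables --list` output and derives the zone's incoming policy from its `target` instead of assuming a fixed value. The function names and the "Reject" label are assumptions; "Allow" and "Drop" are the labels used in the report.

```python
import re

# Constructed sample input: excerpts of the two outputs quoted in the report.
ZONE_INFO = """public (active)
  target: DROP
  interfaces: wlp3s0
  services: dhcpv6-client
  rich rules:
"""
IPTABLES_LIST = """Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

# firewalld zone targets mapped to UI labels ("Reject" is an assumed label;
# the "default" target rejects unmatched incoming packets).
TARGET_LABEL = {"ACCEPT": "Allow", "DROP": "Drop",
                "%%REJECT%%": "Reject", "default": "Reject"}

def parse_zone_info(text):
    """Parse `firewall-cmd --info-zone=<zone>` output into a dict."""
    lines = text.splitlines()
    head = re.match(r"(\S+)(?:\s+\((.*)\))?", lines[0])
    zone = {"name": head.group(1), "active": "active" in (head.group(2) or "")}
    for line in lines[1:]:
        field = re.match(r"\s+([a-z][a-z -]*):\s*(.*)$", line)
        if field:  # skips continuation lines such as individual rich rules
            zone[field.group(1)] = field.group(2).strip()
    return zone

def iptables_policies(text):
    """Return {chain: policy} from `iptables --list` output."""
    return dict(re.findall(r"^Chain (\S+) \(policy (\w+)\)", text, re.M))

def compare(zone_text, iptables_text, iface):
    """Report the zone's incoming policy next to the iptables INPUT policy."""
    zone = parse_zone_info(zone_text)
    if iface not in zone.get("interfaces", "").split():
        raise ValueError(f"{iface} is not bound to zone {zone['name']}")
    incoming = TARGET_LABEL[zone["target"]]
    legacy_input = iptables_policies(iptables_text).get("INPUT")
    # Comment 1 shows the rules live in nftables `table inet firewalld`,
    # so the iptables chains stay empty and their ACCEPT policy says nothing.
    return {"zone": zone["name"], "incoming": incoming, "iptables_input": legacy_input,
            "disagree": legacy_input == "ACCEPT" and incoming != "Allow"}

if __name__ == "__main__":
    print(compare(ZONE_INFO, IPTABLES_LIST, "wlp3s0"))
```

On a live system the two strings would come from running the same commands shown in the description; the example covers only the incoming policy.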