Bug 448407 - Contradictory firewall status information with nftables / firewalld and Plasma System Settings Firewall
Status: RESOLVED FIXED
Product: systemsettings
Classification: Applications
Component: kcm_firewall
Version: 5.23.5
Platform: Arch Linux Linux
Importance: NOR normal
Assignee: Lucas Biaggi
Reported: 2022-01-13 22:51 UTC by Lyubomir
Modified: 2022-02-21 19:07 UTC
Version Fixed In: 5.25
Description Lyubomir 2022-01-13 22:51:16 UTC
SUMMARY
I've got iptables, nftables and firewalld installed. I cannot remove iptables because it is a dependency of systemd.

The issue is that the Plasma Firewall inside the System Settings shows that the "Default Incoming Policy" and "Default Outgoing Policy" are "Allow", when this is not true in practice. The currently used connection is using the wlp3s0 interface.

------------------------------------------------------------------------------------------------------------------------------------------------------------
Output of iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

------------------------------------------------------------------------------------------------------------------------------------------------------------
Output of firewall-cmd --get-active-zones
public
  interfaces: wlp3s0
trusted
  interfaces: lo

------------------------------------------------------------------------------------------------------------------------------------------------------------
Output of firewall-cmd --info-zone=public
public (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: wlp3s0
  sources: 
  services: dhcpv6-client
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

OBSERVED RESULT
Plasma Firewall shows that the "Default Incoming Policy" and "Default Outgoing Policy" are "Allow".

EXPECTED RESULT
Plasma Firewall should show that the "Default Incoming Policy" is "Drop" and "Default Outgoing Policy" is "Allow".

SOFTWARE/OS VERSIONS
firewalld 1.0.2-2
iptables 1:1.8.7-1
nftables 1:1.0.1-3
Operating System: Arch Linux
KDE Plasma Version: 5.23.5
KDE Frameworks Version: 5.90.0
Qt Version: 5.15.2
Kernel Version: 5.15.13-zen1-1-zen (64-bit)
Graphics Platform: Wayland
Processors: 8 × Intel® Core™ i5-8250U CPU @ 1.60GHz
Memory: 7,6 GiB of RAM
Graphics Processor: Mesa Intel® UHD Graphics 620
Comment 1 Lyubomir 2022-01-13 23:00:58 UTC
nft list tables gives only:
table inet firewalld
Comment 2 Lucas Biaggi 2022-01-19 15:46:59 UTC
Today the default policies are hardcoded; I will fix it on the weekend.
Comment 3 Nate Graham 2022-02-21 19:07:33 UTC
Fixed by Lucas Biaggi with https://invent.kde.org/plasma/plasma-firewall/-/commit/5f24d46d815fc982dcc0d67425447d6dad34120b in Plasma 5.25!
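
The mismatch reported in the description can be checked from firewalld's own output rather than from the iptables chain policies. The following is an added example, not code from plasma-firewall or from anyone in this thread: it parses the `firewall-cmd` output quoted in the description and derives the default incoming policy for an interface from its zone target. The function names and the target-to-label mapping are assumptions.

```python
# Added example: derive the default incoming policy from firewalld zone data.
# Sample input is constructed from the firewall-cmd output quoted in the report.
ACTIVE_ZONES = """\
public
  interfaces: wlp3s0
trusted
  interfaces: lo
"""
PUBLIC_INFO = """\
public (active)
  target: DROP
  interfaces: wlp3s0
  services: dhcpv6-client
  rich rules:
"""
# Assumed label mapping (not the KCM's own). firewalld's "default" target
# behaves like a reject apart from its ICMP handling, so it is shown as Reject.
TARGET_LABELS = {"ACCEPT": "Allow", "DROP": "Drop",
                 "%%REJECT%%": "Reject", "default": "Reject"}

def parse_active_zones(text):
    """Map interface -> zone from `firewall-cmd --get-active-zones` output."""
    zones, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line starts a new zone
            current = line.strip()
        elif current and line.strip().startswith("interfaces:"):
            for iface in line.split(":", 1)[1].split():
                zones[iface] = current
    return zones

def parse_zone_info(text):
    """Return (zone, fields) from `firewall-cmd --info-zone=<zone>` output."""
    lines = [l for l in text.splitlines() if l.strip()]
    fields = {}
    for line in lines[1:]:
        key, _, value = line.strip().partition(":")
        fields[key.strip()] = value.strip()
    return lines[0].split()[0], fields

def incoming_policy(iface, active_zones_text, zone_info_texts):
    """Label for iface's default incoming policy; None if no active zone."""
    zone = parse_active_zones(active_zones_text).get(iface)
    if zone is None:
        return None
    infos = dict(parse_zone_info(t) for t in zone_info_texts)
    target = infos.get(zone, {}).get("target")
    return TARGET_LABELS.get(target, "Unknown")
```

For the reported setup this yields "Drop" for wlp3s0, while the empty iptables chains still report ACCEPT because the active rules live in the nftables table `inet firewalld`.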