From kde-core-devel Tue Jan 26 16:15:47 2021
From: Kevin Kofler
Date: Tue, 26 Jan 2021 16:15:47 +0000
To: kde-core-devel
Subject: Re: Plasma Firewall on KDE Review
Message-Id:
X-MARC-Message: https://marc.info/?l=kde-core-devel&m=161167777328927

Hi,

On Tuesday, 26 January 2021 16:17:27 CET, Tomaz Canabrava wrote:
> There's one thing that's a bit annoying while working on firewalld:
>
> ~ on  master ⌚ 15:08:53
> $ firewalld --help
> You need to be root to run /usr/bin/firewalld.

firewalld starts the actual daemon, which needs to run as root. The way to
interact with the daemon (which may or may not require root permissions
depending on what you want to do with it and on what PolicyKit policies are
set) is using the firewall-cmd command. (That, or just use the D-Bus
interface directly, which is all firewall-cmd does. You'd avoid having to
scrape CLI output that way.)

There is also the firewall-offline-cmd command, which has limited support
for configuring firewalld without talking to an actual firewalld instance.
This is mainly designed for installers and other chroot environments. But
firewall-offline-cmd always needs root permissions.

    firewall-cmd --get-services

gets me a list of available services, and does not require root at least
for me. (I get neither an error message nor a PolicyKit password prompt.)

Note that this is NOT the same as:

    firewall-cmd --list-services

which is the list of services actually enabled (allowed) in the currently
enabled zone, and which automatically brings up a PolicyKit prompt for a
root password before returning the list.

Also note that a firewalld service is not necessarily just a list of ports.
Firewalld also supports "protocols", "modules", and "helpers", which are
dynamic firewall rules. (That is the main reason why the userspace daemon
is needed at all.) So there are services (e.g., samba) for which you will not
be able to generate rules in your existing internal (iptables-like) format,
they will only fully work if you actually use the service name.

Try, e.g.:

    firewall-cmd --info-service=ssh
    firewall-cmd --info-service=samba

(which bring up a PolicyKit password prompt) to see what those services
actually are. (But as I explained above, Plasma Firewall should not
actually use that, it should just directly enable the service by its name.)

        Kevin Kofler
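
To illustrate the point in the message above that a firewalld service is not necessarily just a list of ports, the following added example (not part of the original message and not firewalld or Plasma Firewall code) parses two service definitions in the firewalld.service(5) XML format and reports which of them could be reduced to plain port rules. The sample XML is constructed for illustration, and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed samples in the firewalld.service(5) XML format
# (written for this example, not copied from a real system).
SSH_XML = """<service>
  <short>SSH</short>
  <port protocol="tcp" port="22"/>
</service>"""

SAMBA_XML = """<service>
  <short>Samba</short>
  <port protocol="udp" port="137"/>
  <port protocol="udp" port="138"/>
  <port protocol="tcp" port="139"/>
  <port protocol="tcp" port="445"/>
  <helper name="netbios-ns"/>
</service>"""

# Elements beyond <port>, and the attribute that carries their value.
NON_PORT_TAGS = {"protocol": "value", "module": "name", "helper": "name"}


def summarize_service(xml_text):
    """Return the ports and the non-port elements of one service definition."""
    root = ET.fromstring(xml_text)
    if root.tag != "service":
        raise ValueError("not a firewalld service definition")
    ports = [(p.get("port"), p.get("protocol")) for p in root.findall("port")]
    extras = {}
    for tag, attr in NON_PORT_TAGS.items():
        found = [e.get(attr) for e in root.findall(tag)]
        if found:
            extras[tag] = found
    return {"ports": ports, "extras": extras, "port_only": not extras}


def plan(name, xml_text):
    """Say whether a front end could express the service as port rules alone."""
    info = summarize_service(xml_text)
    if info["port_only"]:
        return f"{name}: expressible as port rules {info['ports']}"
    return f"{name}: enable by service name, needs {sorted(info['extras'])}"


if __name__ == "__main__":
    print(plan("ssh", SSH_XML))
    print(plan("samba", SAMBA_XML))
```
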