firewalld question

David david at daku.org
Sun Mar 13 23:43:07 UTC 2022 

Folks
I'm running Ubuntu 20.04.4 as both the host and a VirtualBox 
guest.  The host, acting as an household gateway, has two network 
adaptors, which I think of as "external" and "internal", the latter 
connecting to other devices in my home with an ip address of 192.168.155.1/24.

The guest's network is bridged to the internal adaptor, and has an IP 
address (192.168.155.111) that is within the range defined for the 
internal adaptor.  The guest's SSHD monitors both port 22 and 11022 
with two Port statements in the sshd.conf file.

With the firewall enabled in the guest(systemctl start firewalld), 
SSH access from the host to the guest works for port 11022, but fails 
for port 22 (telnet reports "unable to connect to remote host, 
connection refused).  Access to other enabled ports (tested by 
telnet) from the host work with the firewall enabled.

With the firewall disabled in the guest (systemctl stop firewalld), 
SSH access from the host to the guest works for both port 11022 and 22.
Below is the guest firewall configuration (output of "firewall-cmd 
--list-all-zones".  I cannot account for this behavior.  Is there 
something wrong with the firewall configuration?
I observe the same unaccountable behavior if the guest is running Ubuntu 21.10.
Thanks for your help.

David


block
   target: %%REJECT%%
   icmp-block-inversion: no
   interfaces:
   sources:
   services:
   ports:
   protocols:
   masquerade: no
   forward-ports:
   source-ports:
   icmp-blocks:
   rich rules:
	
dmz
   target: default
   icmp-block-inversion: no
   interfaces:
   sources:
   services: ssh
   ports:
   protocols:
   masquerade: no
   forward-ports:
   source-ports:
   icmp-blocks:
   rich rules:
	
drop
   target: DROP
   icmp-block-inversion: no
   interfaces:
   sources:
   services:
   ports:
   protocols:
   masquerade: no
   forward-ports:
   source-ports:
   icmp-blocks:
   rich rules:
	
external
   target: default
   icmp-block-inversion: no
   interfaces:
   sources:
   services: ssh
   ports:
   protocols:
   masquerade: yes
   forward-ports:
   source-ports:
   icmp-blocks:
   rich rules:
	
home
   target: default
   icmp-block-inversion: no
   interfaces:
   sources:
   services: dhcpv6-client mdns samba-client ssh
   ports:
   protocols:
   masquerade: no
   forward-ports:
   source-ports:
   icmp-blocks:
   rich rules:
	
internal
   target: default
   icmp-block-inversion: no
   interfaces:
   sources:
   services: dhcpv6-client mdns samba-client ssh
   ports:
   protocols:
   masquerade: no
   forward-ports:
   source-ports:
   icmp-blocks:
   rich rules:
	
public (active)
   target: default
   icmp-block-inversion: no
   interfaces: enp0s17
   sources:
   services: dhcpv6-client mdns
   ports: 11022/tcp 11080/tcp 11443/tcp 22/tcp 25/tcp 587/tcp 993/tcp 995/tcp
   protocols:
   masquerade: no
   forward-ports:
   source-ports:
   icmp-blocks:
   rich rules:
	
trusted (active)
   target: ACCEPT
   icmp-block-inversion: no
   interfaces: lo
   sources:
   services:
   ports:
   protocols:
   masquerade: no
   forward-ports:
   source-ports:
   icmp-blocks:
   rich rules:
	
work
   target: default
   icmp-block-inversion: no
   interfaces:
   sources:
   services: dhcpv6-client ssh
   ports:
   protocols:
   masquerade: no
   forward-ports:
   source-ports:
   icmp-blocks:
   rich rules:

More information about the ubuntu-users mailing list