1

I set up Fedora Server 25 in a VM and used SaltStack to install NextCloud via this walk-thru. The issue I am having is the firewall is too restrictive and is blocking ports 22, 80 and 443. Per the walk-thru creator's suggestion, I edited the SaltStack "nextcloud.sls" file as follows, but it did not help:
# line 108
FedoraServer:
  firewalld.present:
    - name: FedoraServer
    - block_icmp:
      - echo-reply
      - echo-request
    - default: False
    - masquerade: True
    - ports:
      - 22/tcp
      - 80/tcp
      - 443/tcp
      - 9090/tcp

What can I do to open these ports so I don't have to keep stopping the firewalld service at each boot? Thank you.
EDIT: So, even after removing "- firewalld" from the nextcloud.sls script (under install_network_packages: pkg.installed:), the firewall is still starting up and blocking all the ports I need. There must be something else in Fedora Server that is overriding the SaltStack script and enabling the firewall...??

KidACrimson
  • Will this help? I am not familiar with Fedora firewall Salt config https://docs.saltstack.com/en/latest/topics/tutorials/firewall.html – mootmoot Apr 13 '17 at 16:59

2 Answers

1

I don't know SaltStack, but you should be able to permanently open the required ports via firewall-cmd. For example, to permanently open ssh, try the following:

firewall-cmd --add-service=ssh; firewall-cmd --add-service=ssh --permanent

For enabling ICMP and the other services:

firewall-cmd --remove-icmp-block=echo-request
firewall-cmd --remove-icmp-block=echo-request --permanent
firewall-cmd --remove-icmp-block=echo-reply
firewall-cmd --remove-icmp-block=echo-reply --permanent
firewall-cmd --add-service=http
firewall-cmd --add-service=http --permanent
firewall-cmd --add-service=https
firewall-cmd --add-service=https --permanent
firewall-cmd --add-port=9090/tcp
firewall-cmd --add-port=9090/tcp --permanent

I suggest you first try without the permanent rules. If all works correctly, you can issue the permanent rules and reboot the machine.

shodanshok
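A check to run after applying the runtime rules and before committing them with --permanent (an added example, not code from either answer or from the walk-thru): it parses the output of firewall-cmd --zone=FedoraServer --list-all, reports which of the required ports are open neither directly nor via the matching firewalld service, and tells whether the zone is actually bound to an interface, which is what decides whether the Salt state's port list has any effect. The zone listing below is constructed sample output; the zone name FedoraServer comes from the question's Salt state.

```shell
#!/bin/sh
# Constructed sample of `firewall-cmd --zone=FedoraServer --list-all` output.
# Real use: missing_ports "$(firewall-cmd --zone=FedoraServer --list-all)" "22/tcp 80/tcp 443/tcp 9090/tcp"
# and again with --permanent to compare runtime against the saved configuration.
SAMPLE_ZONE='FedoraServer (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 9090/tcp
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks: echo-reply echo-request
  rich rules:
'

# firewalld service that would open a given port/proto (the answer uses services, the Salt state uses ports).
service_for_port() {
  case "$1" in
    22/tcp) echo ssh ;;
    80/tcp) echo http ;;
    443/tcp) echo https ;;
    *) echo "" ;;
  esac
}

# zone_active LISTING -> "yes" if firewalld marks the zone active (an interface or source is bound to it)
zone_active() {
  case "$(printf '%s\n' "$1" | head -n 1)" in
    *"(active)"*) echo yes ;;
    *) echo no ;;
  esac
}

# missing_ports LISTING "port/proto ..." -> ports open neither directly nor through their service
missing_ports() {
  services=$(printf '%s\n' "$1" | awk -F': ' '/^  services:/ {print $2}')
  ports=$(printf '%s\n' "$1" | awk -F': ' '/^  ports:/ {print $2}')
  missing=""
  for p in $2; do
    found=no
    for o in $ports; do if [ "$o" = "$p" ]; then found=yes; fi; done
    svc=$(service_for_port "$p")
    for s in $services; do if [ -n "$svc" ] && [ "$s" = "$svc" ]; then found=yes; fi; done
    if [ "$found" = no ]; then missing="$missing $p"; fi
  done
  echo "${missing# }"
}
```

On the sample listing only ssh and 9090/tcp are open, so the check reports 80/tcp and 443/tcp as still closed even though the zone is active.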
-2

Why have the firewall on the same server as the NextCloud instance? Why not just control port traffic from your network firewall? You could just create a zone for that server and control what goes in and out of it at the network level.

saleetzo
    1) this doesn't answer the OP's question 2) defense in depth is very much a desirable thing. – EEAA Apr 13 '17 at 03:03
    Just as EEAA said, it's for layered security. We of course have a perimeter firewall and I "could" run this VM without a software firewall, but I'd much prefer not to. – KidACrimson Apr 13 '17 at 13:15