qomui
Firewall still activated after exiting the app.
I have it set to have the firewall running only when the GUI is running, but often after I close it, it's still running, so sometimes I have to uncheck the activate firewall setting in order for it to deactivate.
Have you checked preserve pre-existing firewall rules, too? How do you know Qomui's firewall rules are still running? Can you post the output of "sudo iptables -S" when this occurs?
Check out v0.8.2. Firewall handling should be far more robust now.
@concepthf - do you close qomui from the tray or via the 'x' when the gui is visible?
I got into a similar situation too, OpenSUSE Tumbleweed, qomui v0.8.2. I have the "activate firewall only when GUI is running" and the systemd service is disabled.
If I uncheck the "preserve pre-existing firewall rules" option, these rules are applied on start of the application:
iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
-A INPUT -s 172.16.0.0/12 -d 172.16.0.0/12 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 255.255.255.255/32 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
-A OUTPUT -s 172.16.0.0/12 -d 172.16.0.0/12 -j ACCEPT
-A OUTPUT -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 255.255.255.255/32 -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -j DROP
Then when I exit the application (either from tray or from the X of the GUI), the same rules remain in effect, and of course I can't access the Internet anymore.
To get out of this situation I need to restart the firewall application from YaST, so that it overwrites the rules with ones generated from its own configuration file (and I see this happening with iptables -S).
If I close the application with both "activate firewall only when GUI is running" and "preserve pre-existing firewall rules" checked, then I see that the original firewall rules are restored, and I have internet access again.
I assume that "activate firewall only when GUI is running" means that the rules you use to block the network access outside the VPN should be dropped when I close the GUI. This does not happen in my test unless I also check the "preserve pre-existing firewall rules".
IMHO, with the use case of "activate firewall only when GUI is running" you should ALWAYS preserve existing firewall rules. Otherwise you risk ending up in a situation where the user shuts down the application and is left with a disabled (unsafe?) firewall on the PC. Maybe add a few lines to warn about this risk.
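As an added illustration (not part of the thread and not Qomui's own code), this Python sketch answers the "how do you know the rules are still running?" question by classifying `iptables -S` output as open, kill-switch, or blocked. The sample rules are constructed from the listing in the comment above; the function names and the `tun` interface-prefix heuristic are assumptions.

```python
import shlex

# Constructed sample, abridged from the `iptables -S` listing posted above.
LOCKED = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j DROP
"""
# Constructed sample: empty ruleset with permissive default policies.
OPEN = "-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-P OUTPUT ACCEPT\n"

def parse_rules(text):
    """Split `iptables -S` output into default policies and per-chain rule tokens."""
    policies, rules = {}, {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) >= 3 and tok[0] == "-P":
            policies[tok[1]] = tok[2]
        elif len(tok) >= 2 and tok[0] == "-A":
            rules.setdefault(tok[1], []).append(tok[2:])
    return policies, rules

def egress_state(text):
    """Return 'open', 'kill-switch' (default deny, tun* allowed) or 'blocked'."""
    policies, rules = parse_rules(text)
    default = policies.get("OUTPUT", "ACCEPT")
    tunnel_allowed = False
    for rule in rules.get("OUTPUT", []):
        target = rule[rule.index("-j") + 1] if "-j" in rule else None
        if len(rule) == 2 and target in ("ACCEPT", "DROP", "REJECT"):
            default = target  # rule without match criteria decides everything after it
            break
        out_if = rule[rule.index("-o") + 1] if "-o" in rule else ""
        if target == "ACCEPT" and out_if.startswith("tun"):
            tunnel_allowed = True
    if default == "ACCEPT":
        return "open"
    return "kill-switch" if tunnel_allowed else "blocked"

def is_stale(text, vpn_client_running):
    """Kill-switch rules with no VPN client running: the state reported in this thread."""
    return egress_state(text) == "kill-switch" and not vpn_client_running

if __name__ == "__main__":
    print(egress_state(LOCKED), is_stale(LOCKED, vpn_client_running=False))
```

On a live system the input would be the captured output of `sudo iptables -S`, with `vpn_client_running` set from whether the VPN client process exists.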
With Qomui 0.8.2 the behaviour is fine for me.
I'm on Linux Mint 19.2 with Qomui 0.8.3 installed via PPA. My ufw firewall in Linux Mint is deactivated. I have activated the firewall in Qomui and the option "Activate firewall only when GUI is running". My expected behaviour is that I can access the Internet when the GUI is closed. But instead the firewall stays as it is and I cannot access the Internet.
I think something got mixed up in the firewall switches.
For example: the firewall is deactivated. Connect to a server, and in iptables this line will be added:
-A OUTPUT -d XXX.XXX.XXX.XX/32 -j ACCEPT
Then activate the option "Activate firewall only when GUI is running"
and the line above will be deleted from iptables even though you're still connected to the server. Then you quit Qomui and the line will be added to iptables again, even though you are not connected to the server, the GUI is closed, and the firewall should be deactivated.
Every time you change something with the firewall it looks like it jumps to the wrong code block.