Even if yunohost-firewall did not start, there are closed ports shown by…
root@yuno:/etc# yunohost diagnosis show ports
reports:
  description: Ports exposure
  id: ports
  items:
    0:
      details:
        - Exposing this port is needed for email features (service postfix)
        - To fix this issue, you most probably need to configure port forwarding on your internet router as described in https://yunohost.org/isp_box_config
      status: ERROR
      summary: Port 25 is not reachable from the outside.
    1:
      details:
        - Exposing this port is needed for web features (service nginx)
        - To fix this issue, you most probably need to configure port forwarding on your internet router as described in https://yunohost.org/isp_box_config
      status: ERROR
      summary: Port 80 is not reachable from the outside.
    2:
      details:
        - Exposing this port is needed for web features (service nginx)
        - To fix this issue, you most probably need to configure port forwarding on your internet router as described in https://yunohost.org/isp_box_config
      status: ERROR
      summary: Port 443 is not reachable from the outside.
    3:
      details:
        - Exposing this port is needed for email features (service postfix)
        - To fix this issue, you most probably need to configure port forwarding on your internet router as described in https://yunohost.org/isp_box_config
      status: ERROR
      summary: Port 587 is not reachable from the outside.
    4:
      details:
        - Exposing this port is needed for email features (service dovecot)
        - To fix this issue, you most probably need to configure port forwarding on your internet router as described in https://yunohost.org/isp_box_config
      status: ERROR
      summary: Port 993 is not reachable from the outside.
    5:
      details:
        - Exposing this port is needed for xmpp features (service metronome)
        - To fix this issue, you most probably need to configure port forwarding on your internet router as described in https://yunohost.org/isp_box_config
      status: ERROR
      summary: Port 5222 is not reachable from the outside.
    6:
      details:
        - Exposing this port is needed for xmpp features (service metronome)
        - To fix this issue, you most probably need to configure port forwarding on your internet router as described in https://yunohost.org/isp_box_config
      status: ERROR
      summary: Port 5269 is not reachable from the outside.
    7:
      details:
        - Exposing this port is needed for [?] features (service ssh)
        - To fix this issue, you most probably need to configure port forwarding on your internet router as described in https://yunohost.org/isp_box_config
      status: ERROR
      summary: Port 27775 is not reachable from the outside.
Yes, I edited it by hand (trying to open the ports for minidlna). Isn't that a reason why YAML is used for configuration files, so it is editable manually?
It seems the yunohost firewall didn’t work for a while.
I like the simplicity of YunoHost, but I miss transparency. For example, which ports will be opened by which app. Or: how can I reset the yunohost-firewall (which seems to be an interface for iptables and not a firewall) to its default state?
After using an old version of firewall.yml, the yunohost-firewall service could be started from the web interface.
But asking
yunohost diagnosis show
said:…
    25:
      details: You can try to restart the service, and if it doesn't work, have a look at the service logs in the webadmin (from the command line, you can do this with 'yunohost service restart yunohost-firewall' and 'yunohost service log yunohost-firewall').
      status: ERROR
      summary: Service yunohost-firewall is failed :(
...
Even if I restart it with
yunohost service restart yunohost-firewall
Yet on https://[mydomain]/yunohost/admin/#/services/yunohost-firewall I can see the firewall is working fine.
Is it working or isn’t it? The question is: Does the command line diagnosis or the diagnosis of the web interface fail?
This yunohost firewall interface is not a solution; it is a problem. Better using
No, it's used because it's a well-known format to store bits of configuration. And yes, maybe if you absolutely know what you're doing, it's convenient that it can be edited by hand, but the primary means of interaction should be the webadmin and the yunohost CLI. It's not like we're going to pick a storage format that is by design "obscure" to discourage people from editing stuff when apparently they already complain about "missing transparency".
I don't know what transparency you really expect. There's a simple interface in the webadmin to manipulate the firewall settings, or the same from the yunohost firewall CLI if the CLI really is your jam. But at the end of the day, yes, YunoHost is an abstraction, and abstractions are always a tradeoff between usability and knowing what's under the hood. I use Linux Mint on my desktop computer, and I'm not like "Linux Mint ain't transparent, I don't know how it configures stuff!" because stuff just works and that's what Linux Mint is about, and I'm not gonna try to mess with Linux Mint config files by hand without expecting that stuff blows up if I misconfigure something…
Only a handful of apps actually do need to open ports on the firewall. Typically they will mention this in the pre-install or post-install notes, or that will at least be reported in the diagnosis and firewall UI afterward.
The diagnosis doesn't refresh the result every time you run "show", because running all the diagnosis stuff ain't "free" in terms of time / requests; you have to explicitly re-"run" it.
Sure, if that’s your jam … cf. the discussion about abstractions
How is that? What do you propose?
YunoHost firewall is perfect for my usage; it never failed me during the last 3 years. Its interface is very clear and simple and it does what it is supposed to do.
If you don’t like it, stop using it, install your own firewall and use it. Ignore the diagnosis warning about the yunohost firewall.
I have tried to ignore the inactive yunohost-firewall, but app updates do not work any more if yunohost-firewall is not running. After activating the yunohost-firewall again, updates worked fine.
As Aleks wrote, the
yunohost diagnosis show
did not rerun the diagnosis. But
yunohost diagnosis run
does. So I was a little bit confused about this outdated information.
Thanks for your help!
I have installed a DLNA server manually (minidlna), so I have to enable TCP and UDP for port 5001.
root@yuno:/etc/yunohost# yunohost firewall allow Both 5001
Traceback (most recent call last):
  File "/usr/bin/yunohost", line 77, in <module>
    yunohost.cli(
  File "/usr/lib/python3/dist-packages/yunohost/__init__.py", line 41, in cli
    ret = moulinette.cli(
  File "/usr/lib/python3/dist-packages/moulinette/__init__.py", line 110, in cli
    Cli(
  File "/usr/lib/python3/dist-packages/moulinette/interfaces/cli.py", line 500, in run
    ret = self.actionsmap.process(args, timeout=timeout)
  File "/usr/lib/python3/dist-packages/moulinette/actionsmap.py", line 574, in process
    return func(**arguments)
  File "/usr/lib/python3/dist-packages/yunohost/firewall.py", line 98, in firewall_allow
    and port in firewall["uPnP"][p + "_TO_CLOSE"]
TypeError: argument of type 'NoneType' is not iterable
The same result if I try to use the web interface to enable the port. Enabling TCP works, but enabling UDP or both did not.
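The traceback above, together with the earlier admission that firewall.yml was edited by hand, is consistent with a key in the `uPnP` section having been left without a value: in YAML an entry such as `UDP_TO_CLOSE:` loads as `None`, not as an empty list, and `port in None` is exactly the `TypeError: argument of type 'NoneType' is not iterable` at `firewall.py` line 98. The following is an added example (not YunoHost's or the project's own code) that reproduces the failure on a constructed in-memory copy of such a file, shows why `TCP` still works while `UDP` and `Both` crash, and normalizes the structure so that membership tests cannot hit `NoneType`. The layout of the dictionary (`ipv4`/`ipv6` with `TCP`/`UDP` port lists, `uPnP` with `TCP_TO_CLOSE`/`UDP_TO_CLOSE`) and the `allow` logic are assumptions modelled on the traceback, not copied from the project.

```python
"""Added example (not YunoHost's code): why a hand-edited firewall.yml can make
`yunohost firewall allow Both 5001` fail with
"TypeError: argument of type 'NoneType' is not iterable", and a defensive
normalisation that avoids it.

Assumption: firewall.yml loads into a dict with ipv4/ipv6 sections holding
TCP/UDP port lists and a uPnP section holding *_TO_CLOSE lists.  A YAML key
left without a value (e.g. "UDP_TO_CLOSE:") loads as None, not as [].
"""
import copy

# Constructed sample: what a YAML loader returns for a file in which the
# UDP_TO_CLOSE value was deleted by hand (so it is None, not an empty list).
HAND_EDITED = {
    "ipv4": {"TCP": [22, 25, 80, 443, 587, 993, 5222, 5269], "UDP": []},
    "ipv6": {"TCP": [22, 25, 80, 443, 587, 993, 5222, 5269], "UDP": []},
    "uPnP": {"enabled": False, "TCP_TO_CLOSE": [], "UDP_TO_CLOSE": None},
}

PROTOCOLS = ("TCP", "UDP")
IP_VERSIONS = ("ipv4", "ipv6")


def expand_protocol(protocol):
    """'Both' -> ['TCP', 'UDP']; 'TCP' or 'UDP' -> a one-element list."""
    if protocol == "Both":
        return list(PROTOCOLS)
    if protocol in PROTOCOLS:
        return [protocol]
    raise ValueError("protocol must be TCP, UDP or Both")


def allow_naive(firewall, protocol, port):
    """Open `port` the way the traceback suggests the CLI does (assumed logic):
    first drop the port from the uPnP *_TO_CLOSE list, then add it to the
    ipv4/ipv6 lists.  Assumes every *_TO_CLOSE entry is a list, so a None
    value raises TypeError at the membership test, exactly as on the page.
    Works on a copy so the caller's dict is never half-updated."""
    fw = copy.deepcopy(firewall)
    for p in expand_protocol(protocol):
        to_close = fw["uPnP"][p + "_TO_CLOSE"]
        if port in to_close:            # TypeError when to_close is None
            to_close.remove(port)
        for ip_version in IP_VERSIONS:
            if port not in fw[ip_version][p]:
                fw[ip_version][p].append(port)
    return fw


def normalize(firewall):
    """Return a copy in which every port list that is missing or None has
    become an empty list, so later membership tests cannot hit NoneType."""
    fw = copy.deepcopy(firewall)
    fw.setdefault("uPnP", {})
    fw["uPnP"].setdefault("enabled", False)
    for p in PROTOCOLS:
        for ip_version in IP_VERSIONS:
            fw.setdefault(ip_version, {})
            if fw[ip_version].get(p) is None:
                fw[ip_version][p] = []
        if fw["uPnP"].get(p + "_TO_CLOSE") is None:
            fw["uPnP"][p + "_TO_CLOSE"] = []
    return fw


def allow(firewall, protocol, port):
    """Same operation as allow_naive, applied to a normalized copy."""
    return allow_naive(normalize(firewall), protocol, port)


def check(firewall):
    """Lint a loaded firewall.yml; returns a list of problems (empty = ok).
    Catches the None-instead-of-list case before the CLI trips over it and
    flags ipv4/ipv6 TCP lists that have drifted apart after hand edits."""
    problems = []
    for ip_version in IP_VERSIONS:
        for p in PROTOCOLS:
            v = firewall.get(ip_version, {}).get(p)
            if not isinstance(v, list):
                problems.append(f"{ip_version}.{p} is {type(v).__name__}, expected list")
    for p in PROTOCOLS:
        v = firewall.get("uPnP", {}).get(p + "_TO_CLOSE")
        if not isinstance(v, list):
            problems.append(f"uPnP.{p}_TO_CLOSE is {type(v).__name__}, expected list")
    if firewall.get("ipv4", {}).get("TCP") != firewall.get("ipv6", {}).get("TCP"):
        problems.append("ipv4.TCP and ipv6.TCP differ")
    return problems


if __name__ == "__main__":
    print("lint:", check(HAND_EDITED))
    try:
        allow_naive(HAND_EDITED, "Both", 5001)
    except TypeError as exc:
        print("naive Both 5001 failed:", exc)
    fixed = allow(HAND_EDITED, "Both", 5001)
    print("after normalize:", fixed["ipv4"], "lint:", check(fixed))
```

Running the block shows the asymmetry reported in the post: `allow_naive(HAND_EDITED, "TCP", 5001)` succeeds because `TCP_TO_CLOSE` is a real list, while `"UDP"` or `"Both"` raises the `TypeError`. The practical takeaway is the one the thread arrives at by restoring an older firewall.yml: if you do hand-edit the file, keep every port list an explicit `[]` rather than a bare key, and run a `check`-style lint on the loaded structure before letting the firewall service or the CLI read it.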