
This makes rebooting very annoying.

How can I set up my firewall setting in /etc/rc.local so that at reboot I will not get prompted to enter my password? (OS is Ubuntu 18.04)

I would like my network interface p2p1 permanently assigned to zone trusted, but somehow this is not sticking. (I found a related post with someone else having a similar issue https://access.redhat.com/discussions/2779921.)

So I added these lines to /etc/rc.local and now with every reboot I need to answer 3 extra times with the login password:

```
# assign p2p1 to trusted zone
firewall-cmd --permanent --change-zone=p2p1 --zone=trusted
# restart network and firewall services
service network-manager restart
firewall-cmd --reload
```

Is there a better way to do this? NetworkManager is controlling the device:

```
sudo nmcli dev status
  DEVICE  TYPE      STATE        CONNECTION
  eth0    ethernet  connected    netplan-eth0
  p2p1    ethernet  connected    netplan-p2p1
  wlan0   wifi      unavailable  --
  lo      loopback  unmanaged    --
```

I am using netplan for the network configuration. This is my netplan 01-netcfg.yaml file

```
network:
    version: 2
    renderer: NetworkManager
    ethernets:
#       WAN
        eth0:
            dhcp4: no
            dhcp6: no
            addresses: [76.80.54.221/29]
            gateway4: 76.80.54.217
            nameservers:
                addresses: [209.18.47.61,209.18.47.62]
#       LAN
        p2p1:
            dhcp4: no
            dhcp6: no
            addresses: [192.168.4.5/24]
            gateway4: 192.168.4.1
```

Update:

This is the authentication prompt I am getting during boot-up:

Authentication Required

System policy prevents changing the firewall configuration

Doing some more digging I found this post. So I removed the above attempted fix and implemented this new suggestion:

Created a systemd unit file as a temporary fix: /etc/systemd/system/myzones.service

```
[Unit]
Description=Custom Zones
After=network.target network.service

[Service]
Type=oneshot
User=root
Group=root
ExecStart=/bin/nmcli connection modify eth0 connection.zone public
ExecStart=/bin/nmcli connection modify p2p1 connection.zone internal

[Install]
WantedBy=multi-user.target
```

Then I enabled the service and rebooted

```
systemctl daemon-reload
systemctl enable myzones.service
reboot
```

I got the same outcome. It prompted me just like before for the password at boot-up.

I forgot to mention. I do have Webmin installed. I am not sure if that could be blocking configuration changes to the network devices zone settings.

I implemented the suggestion found on this page but still get Authentication Required

```
sudo chown root /etc/systemd/system/myzones.service
sudo chmod +s /etc/systemd/system/myzones.service
```

I did press the F2 key during boot to see what is going on and found an error. The error reads:

```
...
[FAILED] failed to start custom zones.
see 'systemctl status myzones.service' for details.
...
[FAILED] failed to start Samba NMB Daemon.
see 'systemctl status smbd.service' for details.
```

I ran sudo journalctl -xe and got this:

```
...
lines 1242-1264/1264 (END)
Aug 21 07:54:54 courtens.org postfix/master[2584]: warning: /usr/lib/postfix/sbin/smtpd: bad command startup -- throttling
Aug 21 07:55:04 courtens.org postfix/local[4968]: error: open database /etc/aliasesmyhostname.db: No such file or directory
Aug 21 07:55:04 courtens.org postfix/local[4968]: fatal: open dictionary: expecting "type:name" form instead of "="
Aug 21 07:55:05 courtens.org postfix/master[2584]: warning: process /usr/lib/postfix/sbin/local pid 4968 exit status 1
Aug 21 07:55:05 courtens.org postfix/master[2584]: warning: /usr/lib/postfix/sbin/local: bad command startup -- throttling
Aug 21 07:55:26 courtens.org dbus-daemon[2715]: [session uid=1000 pid=2715] Activating via systemd: service name='org.gnome.Terminal' unit='gnome-terminal-server.service' requested
Aug 21 07:55:26 courtens.org systemd[2411]: Starting GNOME Terminal Server...
-- Subject: Unit UNIT has begun start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit UNIT has begun starting up.
Aug 21 07:55:26 courtens.org dbus-daemon[2715]: [session uid=1000 pid=2715] Successfully activated service 'org.gnome.Terminal'
Aug 21 07:55:26 courtens.org systemd[2411]: Started GNOME Terminal Server.
-- Subject: Unit UNIT has finished start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit UNIT has finished starting up.
--
-- The start-up result is RESULT.
Aug 21 07:55:39 courtens.org sudo[5015]: nathaniel : TTY=pts/0 ; PWD=/home/nathaniel ; USER=root ; COMMAND=/bin/journalctl -xe
Aug 21 07:55:39 courtens.org sudo[5015]: pam_unix(sudo:session): session opened for user root by (uid=0)
```

What is suggested I do? Thank you.

MeSo2
  • Hopefully this might help you: https://askubuntu.com/questions/335433/why-doesnt-sudo-need-password-when-used-in-rc-local – WinEunuuchs2Unix Aug 19 '18 at 17:27
  • @WinEunuuchs2Unix Thank you for the link. I added these 3 lines of code inside rc.local without sudo in front. Is this what is causing the problem - or is it that NetworkManager will ask for password no matter what? – MeSo2 Aug 19 '18 at 17:36
  • Definitely never use `sudo` inside `/etc/rc.local` as it is already running at sudo level. I use `systemctl restart NetworkManager.service` instead of the method you use. – WinEunuuchs2Unix Aug 19 '18 at 17:44
  • Is it that I need to call inside `rc.local` for a script file outside of `rc.local` to not have to enter passwords? Stepping back, somehow the real problem is that `firewall-cmd --runtime-to-permanent` is not sticking after a reboot. – MeSo2 Aug 19 '18 at 17:59
  • I wonder if there is a policy kit issue going on? Not the perfect link but see this: https://bugzilla.redhat.com/show_bug.cgi?id=1375655 – WinEunuuchs2Unix Aug 19 '18 at 18:03
  • @WinEunuuchs2Unix I updated my post - see under **Update**. I am now thinking that I need to find a solution to this problem by changing the _System policy_ as this is what is preventing the change to the firewall configuration. (On a separate note, I did have Ubuntu MATE installed alongside 17.04. I removed MATE before the 18.04 upgrade, but I still see some remnants of MATE. During boot-up I have the MATE splash-page logo still showing.) OR -- perhaps using `NM_CONTROLLED=no` to prevent NetworkManager from taking control, and find a different way to set up the devices is better? – MeSo2 Aug 20 '18 at 15:37
  • @WinEunuuchs2Unix thank you for all your suggestions. I finally found a workaround. Please up my solution, I need the extra points. Thank you. – MeSo2 Jan 04 '19 at 04:20

1 Answer

I finally was able to find a workaround.

I needed to add a script to the /etc/network/if-up.d folder that sets a different zone besides the default firewall zone to my adapter p2p1. See here for the solution.

MeSo2
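
A sketch of the kind of hook the answer describes, added here as an example; it is not the poster's script, and the linked solution is not reproduced on this page. The file name `firewalld-zone`, the `FWCMD` override and the function names are hypothetical, and it assumes the hook runs as root with `IFACE` set to the interface that just came up.

```shell
#!/bin/sh
# Added example. Hypothetical path: /etc/network/if-up.d/firewalld-zone
# Assumes the hook runs as root with IFACE set to the interface that came up.

# Overridable so the logic can be exercised without a running firewalld.
FWCMD="${FWCMD:-firewall-cmd}"

# Interface-to-zone map. p2p1 -> trusted is the assignment the question asks
# for; anything not listed stays in firewalld's default zone.
zone_for_iface() {
    case "$1" in
        p2p1) echo trusted ;;
        *)    return 1 ;;
    esac
}

current_zone() {
    "$FWCMD" --get-zone-of-interface="$1" 2>/dev/null || true
}

# Put the interface in its mapped zone and confirm the change took effect.
# Returns 0 when the interface is unmapped or ends up in the wanted zone.
apply_zone() {
    iface="$1"
    want=$(zone_for_iface "$iface") || return 0
    [ "$(current_zone "$iface")" = "$want" ] && return 0
    # Runtime change only: no --permanent, the hook re-applies it on each ifup.
    "$FWCMD" --zone="$want" --change-interface="$iface" >/dev/null || return 1
    [ "$(current_zone "$iface")" = "$want" ]
}

if [ -n "${IFACE:-}" ]; then
    apply_zone "$IFACE" ||
        echo "firewalld-zone: $IFACE is not in its intended zone" >&2
fi
```

After a reboot, `firewall-cmd --get-active-zones` shows which zone each interface actually landed in, which is the check that matters when a LAN interface silently falls back to the default zone.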