Hello!
Of course firewalling is complicated and I am not surprised I have stopped more than I intended. I hope I can get some pointers here to resolve the problem.
I wanted to close off my Volumio RPi 3B from the world entirely and just allow in/out traffic inside my local LAN (WLAN is deactivated). Since iptables was pre-installed I downloaded ufw and started by blocking all outgoing (incoming block is implemented by default):
ufw default deny outgoing
Then I allowed to and from my various devices to the RPi, as in
ufw allow from [device IP]
and
ufw allow to [device IP]
and also did the same with the IP address to/from FreeNAS where I have my music.
I also did
ufw allow CIFS
But there are still problems mounting the share. Anyone have an idea of what is going on? All was working fine before implementing the firewall, so the problem lies there somewhere.
Hi!
I did flash the current version from 2 days ago. Regrettably none of the above 3 options above worked. I have nothing else in advanced options, and before I activated the firewall, I did not need anything to create a share and get it mounted.
If I disable ufw the share mounts immedtialy if I go to edit-> save.
(vers=2.0 was need when I was trying RuneAudio last week without firewall, if that is of any information)
well, the advanced options are needed with the newest versions, but you might have another issue on top of that.
Difficult to diagnose form outside, firewalls are tricky with punching ports and opening up protocols.
I’ll reflash tomorrow and start from scratch. Would you have a suggestion as to what logs to investigate alongside the punching? I could not find any syslog.log and neither kern.log, and volumio.log seems to just log info: messages, nothing really to suggest why a connection is not established.
Unfortunately I don’t have much experience with UFW/ firewall.
I do not really know if specifying “CIFS” means opening port 445, this one you definitely need.
In case that does not work, you could try port 137-139 as well (NETBIOS), both upd and tcp
Thanks! I was also thinking in terms of messages that volumio or its subsystem could be logging somewhere I couldn’t find when it can’t make a connection or such.
you could do
sudo journalctl -f
in an SSH session and see what happens when you add the share via the UI.
Or do
sudo journalctl -b
afterwards
Or submit a log via the “volumio.local/dev” page and PM me the URL that is returned to you.
Hello!
Thanks very much for your help and patience, gkkpch!
I managed to solve it, and I report back here for the benefit of others who might be making the same dorky mistake as I did.
First mistake was to assume rsyslog was installed just because there was present an rsyslog.d directory with a config file for ufw. I would guess the entire directory was created when I installed ufw, not just the config file. So I had to install rsyslog in order to have dedicated ufw logs to look at.
Second, and this was my main mistake, when I did ufw allow from for the incoming rules I did not realise this is shorthand for ufw allow in from. I over-interpreted the to/from to mean direction in relation to the firewall, not just in relation to the following IP. That mistake made me think I could do ufw allow to in order to specify an outgoing rule. But that just became another incoming rule making no sense. Instead I had to do ufw allow out to. With such rule corrections I succeeded in walling off the Pi with a functional Volumio.