the first...(i removed my external ips and some macs)
Code:
[root@Bor daniel]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp4s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
link/ether xxxx brd xxxx
3: enp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
link/ether xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
4: enp7s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
inet 192.168.0.1/24 brd 192.168.0.255 scope global noprefixroute enp7s0f0
valid_lft forever preferred_lft forever
inet6 fe80::a236:9fff:fe28:a2c/64 scope link noprefixroute
valid_lft forever preferred_lft forever
5: enp7s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
inet xx.xx.xx.xx brd xx.xx.xx.xx scope global dynamic noprefixroute enp7s0f1
valid_lft 4975sec preferred_lft 4975sec
inet6 xx:xx:xx:xx:xx scope link noprefixroute
valid_lft forever preferred_lft forever
the other...
Code:
[root@Bor daniel]# ss -tlpn | grep smb
LISTEN 0 50 0.0.0.0:445 0.0.0.0:* users:(("smbd",pid=1915,fd=31))
LISTEN 0 50 0.0.0.0:139 0.0.0.0:* users:(("smbd",pid=1915,fd=32))
LISTEN 0 50 [::]:445 [::]:* users:(("smbd",pid=1915,fd=29))
LISTEN 0 50 [::]:139 [::]:* users:(("smbd",pid=1915,fd=30))
one of the checks i did was add this to the trusted zone and check if i could connect through. that defaults to accept. it did not. i also took it down and was able to connect through...back up, no joy again...and i also checked the output of nftables the best i could and found no rules being put through.
right now i am reasonably certain that my server is secure otherwise i would pull it down. i might try putting the backend to iptables and see if that works with firewalld but more than likely, it will not. the problem is firewalld sending rules to nftables and nftables acting accordingly. i know that nftables is the backend to firewalld because it is in the config file.
here are things i dont know/understand yet how they work...basically i am trying to understand why this is failing and while i did a great deal of research on it, i was not able to answer all questions. here are some lingering ones...
1. i thought firewalld was a standalone with the ability to also work with iptables and nftables. so in the config file if i go backend="" or remove that line, will firewalld work or is it just a frontend to the two backends?
2. since nftables is the backend to firewalld, should that be a running service? ...because it is not right now...
there are some more i cannot think of right now.
that post, while it sounds similar is not. nftables didnt take over the fedora world until after 31. i believe it was 32 that started with nftables instead of iptables. that thread was 30/31 issues. but thanks for that ferrari. i appreciate the help...
at any rate, i have come up with a solution of sorts, to stop using firewalld and nftables. i am switching firewalls to one of my favorites because i cannot control the one it works with.
