© Richard Petersen 2018
Richard Petersen, Beginning Fedora Desktop, https://doi.org/10.1007/978-1-4842-3882-0_14

14. Network Configuration

Richard Petersen (Alameda, California, USA)

Network configuration is managed by Network Manager. Network configuration differs, depending on the kind of connection you have, such as a wired connection (Ethernet), a DSL modem, or a wireless connection. The GNOME Settings Wi-Fi and Network tabs are the primary network configuration tools for Fedora, which can be used to configure all your network connections manually. You can configure a variety of network connections, including wired settings, DSL, and WiFi, for the IPv4 and IPv6 protocols. Table 14-1 lists several different network configuration tools.

Network Information : Dynamic and Static

Most networks now support dynamic configuration, using either the Dynamic Host Configuration Protocol (DHCP) or IPv6 stateless address autoconfiguration (SLAAC). In this case, you need only select the DHCP or Automatic entry in most network configuration tools. For DHCP, a DHCP client on each host obtains its connection information from a DHCP server serving that network. With SLAAC, the host builds its own addresses from the prefix advertised by the router plus a host-generated interface identifier. That identifier was traditionally derived from the device's hardware (MAC) address, which lets a host be tracked from network to network, so NetworkManager now defaults to stable-privacy identifiers (RFC 7217) instead.
Table 14-1

Fedora Network Configuration Tools

Network Configuration App       Description
Network Manager                 Automatically configures wireless and wired network connections; connections can also be edited manually.
GNOME Settings Wi-Fi            GNOME Settings Wi-Fi configuration tab (Settings ➤ Wi-Fi).
GNOME Settings Network          GNOME Settings Network configuration tab, used for wired, VPN, and proxy connections (Settings ➤ Network).
nm-connection-editor            Network Connections: the older Network Manager configuration utility.
kde-plasma-networkmanagement    KDE version of Network Manager.
firewall-config                 Sets up a network firewall using the FirewallD daemon.
system-config-firewall          Sets up a network firewall using iptables directly; the older tool, superseded by FirewallD.
wvdial                          PPP modem connection; enter on a command line.
iwconfig                        Wireless interface settings; enter on a command line (legacy wireless-tools utility, replaced by iw).

If you have a static connection (no DHCP or IPv6 autoconfiguration), you have to provide connection information such as your IP address, prefix length (netmask), gateway, and DNS servers. If you are using a dynamic DSL (PPPoE), ISDN, or dial-up modem connection, you will also have to supply provider, login, and password information, whether your addressing is dynamic or static. You may also have to supply specialized information, such as DSL or modem compression methods or a dial-up number. You can obtain most of your static network information from your network administrator or ISP (Internet service provider).

User and System-Wide Network Configuration: Network Manager

Network Manager will automatically detect your network connections , both wired and wireless. It is the default method for managing your network connections. Network Manager uses the automatic device detection capabilities of udev to configure your connections. Should you instead have to configure your network connections manually, you would use the GNOME Settings Wi-Fi and Network tabs.

Connection profiles can be user specific. When a user logs in, Network Manager activates the connections available to that user, preferring the one that user used most recently. For wireless connections, the user can choose from a list of networks currently in range. A wired connection can be set to start automatically when the system boots, before anyone logs in, provided its profile is system-wide. Initial settings are supplied from the system-wide configuration.

Configurations can also be applied system-wide to all users. When editing or adding a network connection, the edit or add dialog displays an Available to All Users check box in the lower-left corner. Click this check box and then click the Apply button to make the connection profile system-wide. A PolicyKit (polkit) authentication dialog first prompts for administrative credentials; on Fedora, a user in the wheel group enters their own password, otherwise the root password is required. Note the difference in where secrets end up: a system-wide profile's Wi-Fi passphrase or VPN password is stored by NetworkManager in a file readable only by root, whereas a user-only profile can keep its secrets in that user's keyring.

Network Manager can configure any network connection, including wired, wireless, and all manually configured connections. Network interface controller (NIC) hardware is detected using udev, the userspace device manager that handles both fixed and removable devices. Information provided by Network Manager is available to other applications over D-Bus.

With multiple wireless access points for Internet connections, a system could have several different network connections to choose from, instead of a single-line connection such as DSL or cable. This is particularly true for notebook computers that access different wireless connections at different locations. Instead of manually configuring a new connection each time one is encountered, the Network Manager tool can automatically configure and select a connection to use.

By default, an Ethernet connection will be preferred, if available. For wireless connections, you will have to choose the one you want.

Network Manager is designed to work in the background, providing status information for your connection and switching from one configured connection to another, as needed. For initial configuration, it detects as much information as possible about the new connection.

Network Manager operates as a daemon with the name NetworkManager. If no Ethernet connection is available, Network Manager will scan for wireless connections, checking for Extended Service Set Identifiers (ESSIDs). If an ESSID identifies a previously used connection, then it is automatically selected. If several are found, then the most recently used one is chosen. If only a new connection is available, the Network Manager waits for the user to choose one. A connection is selected only if the user is logged in. If an Ethernet connection is later made, the Network Manager will switch to it from wireless.

The NetworkManager daemon can be stopped, started, or checked with the systemctl command as the administrative user; the unit is named NetworkManager.
sudo systemctl start NetworkManager
sudo systemctl stop NetworkManager
systemctl status NetworkManager

Network Manager Manual Configuration Using GNOME Network

The GNOME Network configuration is available on GNOME Settings, and you can use it to configure all your network connections manually. Automatic wireless and wired connections were covered in Chapter 3. On the GNOME Settings dialog there is a Wi-Fi tab for wireless configuration and a Network tab for wired, VPN, and proxy configurations (see Figure 14-1). On the Wi-Fi tab, an Airplane Mode switch and a list of visible wireless networks are shown to the right. The currently active connection has a checkmark next to its name. On the top-right bar is a switch for turning wireless on and off. A menu to the right of the switch lists entries for connecting to hidden networks, turning on your computer's Wi-Fi hotspot, and listing previously accessed Wi-Fi networks.
Figure 14-1

WiFi (GNOME settings)

Selecting an entry in the Visible Networks list displays a gear button for it, which you can click to open the network configuration dialog with tabs for Details, Security, Identity, IPv4, IPv6, and Reset. The Details tab shows signal strength, link speed, security method, IP and hardware addresses, routes, and the DNS server IP address. To edit the connection manually, you use the Security, Identity, and IP tabs. The Security tab displays a menu from which you can choose a security method and enter a password (see Figure 14-2).
Figure 14-2

WiFi (GNOME settings): Security tab

On the Identity tab, you can specify the SSID name (see Figure 14-3).
Figure 14-3

WiFi (GNOME settings): Identity tab

On the IPv4 Settings tab, a switch allows you to turn the IP connection on or off. There are sections for addresses, the DNS servers, and routes. An Addresses menu lets you choose the type of connection you want. By default, it is set to Automatic. If you change it to Manual, new entries appear for the address, netmask, and gateway (see Figure 14-4). On the IPv6 tab, the netmask is replaced by prefix. You can turn off Automatic switches for the DNS and Routes sections to make them manual. The DNS section has a plus button to let you add more DNS servers.
Figure 14-4

WiFi (GNOME settings): IPv4 tab, manual

For a wired connection, click the Network tab on GNOME Settings to display lists for Wired, VPN, and Network Proxy. The Wired list shows your current wired connections with on and off switches for each. A plus button at the top right of the Wired list lets you add more wired connections. Next to a connection's switch a gear button is displayed (see Figure 14-5). Clicking the gear button opens a configuration dialog with tabs for Details, Identity, IPv4, IPv6, and Security (see Figure 14-6). On the Details tab, you can choose to connect automatically and whether to make the connection system-wide.
Figure 14-5

Network (GNOME settings)

Figure 14-6

Network (GNOME settings)

You can use the Security, Identity, and IP tabs to manually configure the connection. The Security tab lets you turn on 802.1X port-based authentication and choose an EAP authentication method, as well as provide a username and password or certificates (see Figure 14-7).
Figure 14-7

Network (GNOME settings): Security tab

On the Identity tab, you can set the name, choose the hardware (MAC) address, and set the MTU, the maximum transmission unit in bytes (see Figure 14-8).
Figure 14-8

Network (GNOME settings): Identity tab

On the IP tab, a switch allows you to turn the connection on or off. The tab has sections for addresses, DNS servers, and routes. DNS and Routes have a switch for automatic. Turning the switch off allows you to manually enter a DNS server address or routing information. From the Method set of options at the top, you can also choose to make the connection automatic, manual, link-local, or to disable it. When the connection is set to manual, new entries appear that let you enter the address, netmask, and gateway (see Figure 14-9). On the IPv6 tab, the netmask entry is replaced with a prefix entry.
Figure 14-9

Network (GNOME settings): IPv4 tab

For VPN connections, click the plus button at the top right of the VPN list to open an Add VPN dialog. The dialog lists supported VPN connection types, such as PPTP (Point-to-Point Tunneling Protocol) or OpenVPN (see Figure 14-10). The Bond, Bridge, and VLAN entries open the Network Connections dialogs for those connections.
Figure 14-10

Network (GNOME settings): new connections and VPN connections

You can then configure the VPN connections from the Add VPN dialog, which shows three tabs: Identity, IPv4, and IPv6 (see Figure 14-11). The IP tabs are the same as for wireless and wired configuration dialogs. On the Identity tab, you can enter the name, gateway, and authentication information. Click the Advanced button for detailed connection configuration.

Several VPN services are available. The PPTP plugin for older Microsoft-style VPN connections is installed by default, but PPTP's MS-CHAPv2 authentication and the MPPE keys derived from it have been practically breakable for years, so use it only where nothing else is offered. Other popular VPN services include OpenVPN, Cisco Concentrator-compatible IPsec (vpnc), and IPsec/IKE via Libreswan, which replaced Openswan in Fedora. Network Manager support for each comes from a plugin package; on Fedora these are named NetworkManager-<service>, with a matching -gnome package providing the GNOME dialogs. To use OpenVPN, install the openvpn software along with NetworkManager-openvpn and NetworkManager-openvpn-gnome. For Cisco Concentrator-based VPN, use NetworkManager-vpnc; for Libreswan, NetworkManager-libreswan.
Figure 14-11

Network (GNOME settings): OpenVPN connection

Managing Network Connections with nmcli

The nmcli command is the NetworkManager command-line interface, and most network configuration tasks can be performed with it. The nmcli command manages NetworkManager through a set of objects: general (g), networking (n), radio (r), connection (c), device (d), and agent (a). Each can be referenced using the full name or a unique prefix, such as con for connection or dev for device. The unique prefix can be as short as a single character, such as g for general, c for connection, or d for device. See Table 14-2 for a list of the objects and commonly used options. The nmcli man page provides a complete listing with examples.

The general object shows the current status of NetworkManager and which kinds of radios are enabled. You can limit the information displayed using the -t (terse) and -f (fields) options. The STATE field shows NetworkManager's overall connection state, and the CONNECTIVITY field shows the result of its connectivity check: none, portal, limited, full, or unknown. A value of portal means a captive portal is intercepting your traffic.
$ nmcli general
STATE      CONNECTIVITY  WIFI-HW  WIFI     WWAN-HW  WWAN
connected  full          enabled  enabled  enabled  enabled
$ nmcli -t -f STATE general
connected
The connection object references the network connection and the show option displays that information. The following example displays your current connection .
nmcli connection show
You can use c instead of connection and s instead of show.
$ nmcli c s
NAME        UUID                                  TYPE            DEVICE
enp7s0      f7202f6d-fc66-4b81-8962-69b71202efc0  802-3-ethernet  enp7s0
AT&T LTE 1  65913b39-789a-488c-9559-28ea6341d9e1  gsm             --
As with the general object, you can limit the fields displayed using the -f option; field names are separated by commas with no spaces. The example following Table 14-2 lists only the NAME and TYPE fields.
Table 14-2

The nmcli Objects

Object        Description
general       NetworkManager status and enabled radios. Use the terse (-t) and fields (-f) options to limit the information displayed.
networking    Manage networking: on and off turn networking on or off; connectivity reports the connectivity-check state.
radio         Turn wireless radios on or off. Can target a specific kind, wifi or wwan (mobile broadband); all applies to every radio. (The wimax option in older documentation no longer exists; WiMAX support was removed in NetworkManager 1.2.)
connection    Manage connection profiles.
                show          List connection profiles; with --active, only active ones.
                up            Activate a connection.
                down          Deactivate a connection.
                add           Add a new connection, specifying type, ifname, and con-name (profile name).
                modify        Edit an existing connection; prefix a property with + or - to add or remove a value.
                edit          Add a new connection or edit an existing one in the interactive editor.
                delete        Delete a connection profile.
                reload        Reload all connection profiles from disk.
                load          Load or reload a specific profile file.
device        Manage network interfaces (devices).
                status        Display device status.
                show          Display device information.
                connect       Connect the device.
                disconnect    Disconnect the device.
                delete        Delete a software device, such as a bridge.
                wifi          List available Wi-Fi access points.
                wifi rescan   Rescan for access points.
                wifi connect  Connect to a Wi-Fi network; options include password, wep-key-type, ifname, bssid, and name (profile name).
agent         Run nmcli as a NetworkManager secret agent or polkit agent.
                secret        As a secret agent, nmcli answers requests for secrets.
                polkit        As a polkit agent, nmcli answers authorization requests.
                all           Run as both.

$ nmcli -f name,type c s
NAME        TYPE
enp7s0      802-3-ethernet
AT&T LTE 1  gsm
Adding the --active option will only show active connections.
nmcli c s --active
To activate or deactivate a connection profile (the equivalent of bringing an interface up or down with ip link or the old ifconfig), use the up and down options.
nmcli con up enp7s0
nmcli con down enp7s0
Use the device object to manage your network devices. The show and status options provide information about your devices. To check the status of all your network devices, use the device object and status options :
nmcli device status
DEVICE  TYPE      STATE         CONNECTION
enp7s0  ethernet  connected     enp7s0
wlp6s0  wifi      disconnected  --
lo      loopback  unmanaged     --
You can abbreviate device and status to d and s.
nmcli d s
You also use the device object to connect and disconnect devices. Use the connect or disconnect options with the interface name (ifname) of the device, in this example, enp7s0. With the delete option, you can remove a device.
nmcli device disconnect enp7s0
nmcli device connect enp7s0
To turn networking on or off, you use the networking object and the on and off options. Use the connectivity option to check network connectivity. The networking object alone tells you if it is enabled or not.
$ nmcli networking
enabled
$ nmcli networking on
$ nmcli networking connectivity
full
Should you want to just turn a wireless radio on or off, use the radio object. Use wifi or wwan (mobile broadband) for a specific kind of radio and the all option for all of them; the wimax option found in older documentation no longer exists, since WiMAX support was removed in NetworkManager 1.2. The radio object alone shows the hardware and software switch state of each radio type.
$ nmcli radio
WIFI-HW   WIFI  WWAN-HW  WWAN
enabled  enabled  enabled  enabled
$ nmcli radio wifi on
$ nmcli radio all off

nmcli Wired Connections

You can use nmcli to add connections, just as you can with the desktop NetworkManager tool. To add a new connection, use the connection object with the add option. Specify the connection's profile name with the con-name option, the interface name with the ifname option, and the type, such as ethernet. For a static connection, you also add the IP address (ip4 or ip6) and the gateway address (gw4 or gw6); for a DHCP connection, simply leave out the IP address and gateway options. The profile name can be any name, and you can have several profiles for the same network device. For example, for your wireless device, you could have several wireless connection profiles, one for each network you want to connect to. Should you connect your Ethernet device to a different network, you would simply activate a different connection profile that you have already set up, instead of manually reconfiguring the connection. If you do not specify a connection name, one is generated and assigned for you. The connection name can be the same as the device name, as shown here, but keep in mind that the connection name refers to the profile and the device name refers to the actual device.
$ nmcli c s
NAME        UUID                                  TYPE            DEVICE
enp7s0      f7202f6d-fc66-4b81-8962-69b71202efc0  802-3-ethernet  enp7s0
For a DHCP connection, specify the profile name, connection type, and ifname. The following example creates an Ethernet connection with the profile name my-wired; ipv4.method stays at its default, auto.
nmcli con add con-name my-wired type ethernet ifname enp7s0
For a static connection, add the IP (ip4 or ip6) and gateway (gw4 or gw6) options with their addresses. Give a host address together with its prefix length; 192.168.1.0/24 would be the network itself, not a usable host address, and the gateway must lie inside that prefix.
nmcli con add con-name my-wired-static ifname enp7s0 type ethernet ip4 192.168.1.10/24 gw4 192.168.1.1

In most cases, the type is Ethernet (wired) or WiFi (wireless). Check the nmcli man page for a list of other types, such as gsm, InfiniBand, VPN, VLAN, WiMAX, and Bridge.

You can also add a connection using the interactive editor. Use the edit instead of the add option, and specify the con-name (profile) and connection type .
nmcli con edit type ethernet con-name my-wired
To modify an existing connection, use the modify option. Properties are referenced as setting.property; for IPv4 the setting is ipv4 (ip4 and gw4 are shortcuts accepted only by add). The IPv4 properties include addresses, gateway, dns, and method (ipv4.addresses, ipv4.gateway, ipv4.dns, and ipv4.method).
nmcli con mod my-wired ipv4.gateway 192.168.1.2
To add or remove one value of a multi-valued property, prefix the property name with + or -. To add a DNS server address, you would use +ipv4.dns. To remove one, use -ipv4.dns. Changes made with modify are written to the profile but do not affect the running connection until you reactivate it (nmcli con up my-wired).
nmcli con mod my-wired +ipv4.dns 192.168.1.5
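The static form of nmcli con add produces a profile that cannot route if the address given is really the network address or the gateway sits in another subnet, and nothing in the command line above points that out. The following Python helper is an added example, not code from the book or from NetworkManager: it validates an IPv4 host address, prefix length, and gateway with the standard ipaddress module and then assembles the nmcli argument list. The function names and the sample addresses are this example's own; the property names (ipv4.method, ipv4.addresses, ipv4.gateway, ipv4.dns) are NetworkManager's, and nothing is executed unless you pass --run.

```python
"""Validate the pieces of a static IPv4 nmcli profile before creating it.

Added example, not from the book. Function names and sample addresses are
this example's own; the property names ipv4.method, ipv4.addresses,
ipv4.gateway and ipv4.dns are NetworkManager's.
"""
import ipaddress
from typing import List, Optional


def validate_static_ipv4(address: str, gateway: str,
                         dns: Optional[List[str]] = None) -> Optional[str]:
    """Return None if the settings are usable, else a description of the problem."""
    if "/" not in address:
        return f"{address}: give the prefix length explicitly, e.g. 192.168.1.10/24"
    try:
        iface = ipaddress.IPv4Interface(address)
        gw = ipaddress.IPv4Address(gateway)
        resolvers = [ipaddress.IPv4Address(d) for d in (dns or [])]
    except ValueError as exc:
        return f"malformed address: {exc}"
    net = iface.network
    # /31 and /32 have no distinct network/broadcast address (RFC 3021).
    if net.prefixlen < 31 and iface.ip == net.network_address:
        return f"{address} is the network address of {net}, not a host address"
    if net.prefixlen < 31 and iface.ip == net.broadcast_address:
        return f"{address} is the broadcast address of {net}"
    if gw not in net:
        return f"gateway {gateway} is not inside {net}"
    if gw == iface.ip:
        return f"gateway {gateway} is the host's own address"
    if len(set(resolvers)) != len(resolvers):
        return "duplicate DNS server in list"
    return None


def build_static_ethernet_cmd(con_name: str, ifname: str, address: str,
                              gateway: str,
                              dns: Optional[List[str]] = None) -> List[str]:
    """Assemble argv for `nmcli connection add` with a validated static IPv4 setup."""
    problem = validate_static_ipv4(address, gateway, dns)
    if problem:
        raise ValueError(problem)
    cmd = ["nmcli", "connection", "add",
           "con-name", con_name, "ifname", ifname, "type", "ethernet",
           "ipv4.method", "manual",
           "ipv4.addresses", address, "ipv4.gateway", gateway]
    if dns:
        cmd += ["ipv4.dns", ",".join(dns)]  # nmcli takes a comma-separated list
    return cmd


if __name__ == "__main__":
    import subprocess
    import sys
    # Constructed sample values; the command is printed, and run only with --run.
    argv = build_static_ethernet_cmd("my-wired-static", "enp7s0",
                                     "192.168.1.10/24", "192.168.1.1",
                                     ["192.168.1.5"])
    print(" ".join(argv))
    if "--run" in sys.argv:
        subprocess.run(["sudo", *argv], check=True)
```

Run it without arguments to see the command it would issue; with 192.168.1.0/24 in place of the host address it refuses with the network-address message instead of producing a dead profile.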
You can also modify a connection using the interactive editor. Use the edit instead of the modify option with the connection name.
nmcli con edit enp7s0

You are then placed in the interactive editor with an nmcli> prompt and the settings you can change are listed. The help command lists available commands. Use the describe command to show property descriptions.

Use print to show the current value of a property and set to change its value. To see all the properties for a setting, use the print command with the setting name. Run verify to check the profile for inconsistencies, and once you have made changes, use the save command to write them; save alone does not reactivate the connection.
print ipv4
print ipv4.dns
print connection
set ipv4.addresses 192.168.0.1/24

The connection edit command can also reference a profile using the id option. The Name field in the connection profile information is the same as the ID. Also, each profile is given a unique system UUID, which can also be used to reference the profile.

Once you are finished editing the connection , enter the quit command to leave the editor.

nmcli Wireless Connections

To see a list of all the Wi-Fi networks within range, use the wifi option with the device object. You can further qualify it by interface (if you have more than one) by adding the ifname option, and by access point by adding the bssid option.
nmcli device wifi
To connect to a new Wi-Fi network, use the wifi connect option and the SSID. You can further specify a password, ifname, bssid, name (profile name), and whether the profile is private to your user. The wep-key-type option (key or phrase) applies only to WEP networks. If you do not provide a name, nmcli generates one. A password typed on the command line is recorded in your shell history and is visible to other local users in the process list while nmcli runs; use nmcli --ask dev wifi connect ... instead to be prompted for it.
nmcli dev wifi connect surfturtle password mypass ifname wlp6s0 name my-wireless1
To reconnect to a Wi-Fi network for which you have previously set up a connection, use the connection object with the up command and the id option to specify the profile name.
nmcli connection up id my-wireless1
You can also add a new wireless connection using the connection object and the wifi type with the ssid option.
nmcli con add con-name my-wireless2 ifname wlp6s0 type wifi ssid ssidname
Then set the key management type with the modify command and the wifi-sec.key-mgmt property (wifi-sec is nmcli's alias for the 802-11-wireless-security setting); for a WPA/WPA2 Personal network that is wpa-psk. For the passphrase, set the wifi-sec.psk property. The passphrase is written to the profile file, which NetworkManager keeps readable by root only.
nmcli con mod my-wireless2 wifi-sec.key-mgmt wpa-psk
nmcli con modify my-wireless2 wifi-sec.psk mypassword
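The key-mgmt and psk properties set above end up in the saved profile file, so the saved profiles are where to look for weak Wi-Fi settings on a machine you administer. The following Python script is an added example, not code from the book or from NetworkManager: it parses profiles in NetworkManager's keyfile format (the INI-style *.nmconnection files under /etc/NetworkManager/system-connections) and flags open or WEP networks, autoconnect on an unprotected network, pre-shared keys stored on disk, and profiles available to all users (the system-wide setting discussed earlier in the chapter). The three profiles embedded in the script are constructed for the example and the function names are the example's own; the section and key names are NetworkManager's.

```python
"""Audit saved NetworkManager Wi-Fi profiles (keyfile format) for weak settings.

Added example, not from the book. The three profiles are constructed and the
function names are this example's own; [connection] type/autoconnect/permissions
and [wifi-security] key-mgmt/psk/psk-flags/wep-key0 are NetworkManager's keys.
"""
import configparser
import glob
from typing import Dict, List

SAMPLE_PROFILES: Dict[str, str] = {
    "home.nmconnection": """
[connection]
id=home
type=wifi
autoconnect=true

[wifi]
ssid=home

[wifi-security]
key-mgmt=wpa-psk
psk=correct horse battery staple
""",
    "cafe.nmconnection": """
[connection]
id=cafe
type=wifi

[wifi]
ssid=cafe-free
""",
    "office.nmconnection": """
[connection]
id=office
type=wifi
autoconnect=false
permissions=user:chris:;

[wifi]
ssid=office

[wifi-security]
key-mgmt=wpa-eap
""",
}


def parse_keyfile(text: str) -> configparser.ConfigParser:
    # '=' only: values such as permissions=user:chris:; contain ':' characters.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp


def audit_profile(text: str) -> List[str]:
    """Return the findings for one profile; an empty list means nothing was flagged."""
    cp = parse_keyfile(text)
    conn = cp["connection"]
    findings: List[str] = []
    if conn.get("type") != "wifi":
        return findings
    sec = cp["wifi-security"] if cp.has_section("wifi-security") else {}
    key_mgmt = sec.get("key-mgmt", "none")
    autoconnect = conn.getboolean("autoconnect", fallback=True)  # NM default is true
    if key_mgmt == "none":
        if any(k.startswith("wep-key") for k in sec):
            findings.append("WEP: obsolete and breakable, move the network to WPA2/WPA3")
        else:
            findings.append("open network: no link-layer encryption")
        if autoconnect:
            findings.append("autoconnect=true on an unprotected network")
    elif key_mgmt in ("wpa-psk", "sae") and "psk" in sec \
            and int(sec.get("psk-flags", "0")) == 0:
        findings.append("pre-shared key stored in the profile file (psk-flags=0); "
                        "the file must stay root-only (mode 0600)")
    if "permissions" not in conn:
        findings.append("system-wide profile (no permissions= entry): every user can activate it")
    return findings


def audit_all(profiles: Dict[str, str]) -> Dict[str, List[str]]:
    return {name: audit_profile(text) for name, text in profiles.items()}


def audit_directory(path: str = "/etc/NetworkManager/system-connections") -> Dict[str, List[str]]:
    """Run the audit over real profile files (reading them requires root)."""
    profiles = {}
    for fn in glob.glob(f"{path}/*.nmconnection"):
        with open(fn, encoding="utf-8") as fh:
            profiles[fn] = fh.read()
    return audit_all(profiles)


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_PROFILES).items():
        print(name, "->", "; ".join(findings) or "ok")
```

Run as root with audit_directory() to check a real system; a profile with psk-flags=1 is not flagged for the key, because NetworkManager then leaves the secret to a keyring agent rather than writing it to disk.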

Network Manager Manual Configuration Using Network Connections

You can also use the older Network Connections utility (nm-connection-editor) to edit any network connection. It is not installed by default, and you may have to run it from a terminal window. Established connections are listed, with a toolbar at the bottom for adding, removing, and editing network connections (see Figure 14-12). Your current network connections should already be listed.
Figure 14-12

Network configuration (nm-connection-editor)

When you add a connection, you can choose its type from a drop-down menu. The menu organizes connection types into three categories: Hardware, Virtual, and VPN. Hardware connections cover both wired (Ethernet, DSL, and InfiniBand) and wireless (WiFi, WiMAX, and Mobile Broadband) connections. VPN lists the supported VPN types, such as OpenVPN, PPTP, and Cisco. You can also import a previously configured connection. Virtual supports VLAN and Bond virtual connections.

Configuration editing dialogs display a General tab from which you can make your configuration available to all users and automatically connect when the network connection is available. You can also choose to use a VPN connection and specify a firewall zone.

Editing an Ethernet connection opens an Editing window. The Create button on the Choose a Connection Type dialog is used to add a new connection and opens a similar window, with no settings. The Ethernet tab lists the MAC hardware address and the MTU. The MTU is usually set to automatic. The standard default configuration for a wired Ethernet connection uses DHCP. Connect automatically will set up the connection when the system starts up. There are seven tabs: General, Ethernet, 802.1X Security, DCB, Proxy, IPv4 Settings, and IPv6 Settings. The IPv4 Settings tab lets you select the addressing method for your wired connection. The manual configuration entries for an IPv4 connection are shown in Figure 14-13. Click the Add button to enter the IP address, network mask, and gateway address. Then enter the addresses of the DNS servers and your network search domains. The Routes button opens a window in which you can manually enter any network routes.
Figure 14-13

IPv4 wired configuration (nm-connection-editor)

For a wireless connection, you enter wireless configuration data, such as your ESSID, password, and encryption method. For wireless connections , you choose WiFi or WiMAX as the connection type. The Editing Wi-Fi connection window opens with tabs for general configuration, your wireless information, security, proxy, and IP settings (see Figure 14-14). On the Wi-Fi tab, you specify your SSID, along with your mode and MAC address.
Figure 14-14

Wireless configuration (nm-connection-editor)

On the Wi-Fi Security tab, you choose the security method for the wireless connection. WEP is still offered for compatibility, but its encryption was broken long ago and it should not be used; WPA and WPA2 Personal, which require only a passphrase, are the usual choice for home networks. More demanding methods, Dynamic WEP (802.1X) and WPA/WPA2 Enterprise, are also supported. These require much more configuration information, such as the EAP authentication method, a CA certificate to verify the authentication server, and client certificates or keys.

For a new broadband connection, choose the Mobile Broadband entry in the connection type menu. A 3G wizard starts up to help you set up the appropriate configuration for your particular 3G service. Configuration steps are listed on the left pane. If your device is connected, you can select it from the drop-down menu on the right pane.

Once a service is selected, you can further edit the configuration by clicking its entry in the Mobile Broadband tab and clicking the Edit button. The Editing window opens with tabs for Mobile Broadband, PPP, IPv4, and IPv6 settings. On the Mobile Broadband tab, you can enter your number, username, and password. Advanced options include the APN, Network, and PIN. The APN should already be entered.

On the Network Manager panel applet menu , the VPN Connection entry submenu will list configured VPN connections for easy access. The Configure VPN entry will open the Network Connections window to the VPN section, from which you can then add, edit, or delete VPN connections. The Disconnect VPN entry will end the current active VPN connection. To add a VPN connection, choose a VPN connection type from the connection type menu.

The Editing VPN Connection dialog opens with two tabs: VPN and IPv4 Settings. On the VPN tab, you enter VPN connection information, such as the gateway address and any additional VPN information that may be required. For an OpenVPN connection, you will have to provide the authentication type, certificates, and keys . Clicking the Advanced button opens the Advanced Options dialog. An OpenVPN connection will have tabs for General, Security, and TLS Authentication. On the Security tab, you can specify the cipher to use.

Below Network Manager sit the lower-level tools that operate on interfaces directly. The traditional net-tools utilities ifconfig, route, and netstat still work where installed, but they are deprecated and may not be present on a default Fedora install; their iproute2 replacements are ip addr (interfaces and addresses), ip route (routing table), and ss (socket and connection status). These tools require root privileges to make changes and more specific knowledge of your network to use effectively, and a change made with them is not recorded in any connection profile, so Network Manager may undo it the next time it activates the connection. The netstat and ss tools provide information about the status of your network connections.

Command-Line PPP Access: wvdial

From the command-line interface, you can use the wvdial dialer to set up PPP connections for dial-up modems. The wvdial program loads its configuration from the /etc/wvdial.conf file. You can edit this file and enter modem and account information, including modem speed and serial device, as well as ISP phone number, username, and password. The wvdial.conf file is organized into sections, each beginning with a section label enclosed in brackets. A section holds parameter assignments such as Username = chris. The [Dialer Defaults] section holds default values inherited by the other sections, so you needn't repeat them. Because the file carries your ISP password in plaintext, keep it owned by root with mode 0600.

With the wvdialconf utility, you can create a default wvdial.conf file automatically; wvdialconf probes your serial ports for a modem and writes the basic modem settings, with the Phone, Username, and Password entries present but commented out. You can then edit the file and fill in those entries with your ISP dial-up information, removing the leading semicolon (;) to uncomment each one. Any line beginning with a semicolon is ignored as a comment. Writing to /etc/wvdial.conf requires root privileges.
$ sudo wvdialconf /etc/wvdial.conf
The following example shows an /etc/wvdial.conf file as written by wvdialconf, with a [Dialer myisp] section added for one ISP account (the phone number, username, and password shown are placeholders):
/etc/wvdial.conf
[Modem0]
Modem = /dev/ttyS0
Baud = 57600
Init1 = ATZ
SetVolume = 0
Dial Command = ATDT
[Dialer Defaults]
Modem = /dev/ttyS0
Baud = 57600
Init1 = ATZ
SetVolume = 0
Dial Command = ATDT
; Phone = <Target Phone Number>
; Username = <Your Login Name>
; Password = <Your Password>
[Dialer myisp]
Phone = 5551234
Username = chris
Password = mypassword
To start wvdial, enter the command wvdial, which then reads the connection configuration information from the /etc/wvdial.conf file; wvdial dials the ISP and initiates the PPP connection, providing your username and password, when requested.
$ wvdial
You can set up connection configurations for any number of connections in the /etc/wvdial.conf file. To select one, enter its label as an argument to the wvdial command, as shown here:
$ wvdial myisp

Setting Up Your Firewall: firewall-config

You can run your firewall on a standalone system directly connected to the Internet or on a gateway system that connects a local network to the Internet. Most networks now use dedicated routers for Internet access, which have their own firewalls. If, instead, you decide to use a Linux system as a gateway, it will have at least two network connections, one for the local network and an Internet connection device for the Internet.

FirewallD

Fedora 27 uses the FirewallD firewall daemon instead of the older static system-config-firewall. To configure FirewallD, you can use the firewall-config graphical interface, or the firewall-cmd command from the command line. To set up your firewall, run firewall-config (Sundry ➤ Firewall; see Figure 14-15). The firewall is configured using zones displayed on the Zones tab. To configure a particular service, use the Services tab.

With firewall-config you can configure either a Runtime configuration or Permanent configuration. Select one from the Configuration drop-down menu. The Runtime configuration shows your current runtime setup, whereas a Permanent configuration does not take effect until you reload or restart. If you want to edit your zones and services, you need to choose the Permanent configuration. This view displays a zone toolbar for editing the zone, at the bottom of the zones scroll box, and edit, add, and remove buttons on the Services tab for managing service protocols, ports, and destination addresses.

Additional tabs can be displayed from the View menu for configuring ICMP types, whitelists, and for adding firewall rules directly (direct configuration).
Figure 14-15

firewall-config: runtime configuration

A firewall configuration is set up for a given zone, such as a home, work, internal, external, or public zone. Zones provide an added level of protection by the firewall. They divide the network protected by the Firewall into separate segments, which can only communicate as permitted by the firewall. In effect, zones separate one part of your network from another. Each zone has its own configuration . Zones are listed in the Zones scroll box on the left side of the firewall-config window (see Figure 14-16). Select the one you want to configure. The firewall-config window opens to the default, Public. You can choose the default zone from the System Default Zone dialog, which you open from the Options menu as Change Default Zone.
Figure 14-16. firewall-config: permanent configuration

If you choose Permanent Configuration from the Configuration menu, a toolbar for zones is displayed below the Zones scroll box, as shown in Figure 14-16. The + button lets you add a zone; the – button removes a zone. The pencil/page button lets you edit a zone. The add and edit buttons open the Base Zone Settings dialog, in which you enter or edit the zone name, version, description, and the target. The target decides what happens to a packet that matches none of the zone's rules. The initial setting is default, which rejects incoming packets that no rule allows (only the preconfigured trusted zone uses ACCEPT); the other choices are ACCEPT, REJECT, and DROP. Setting a zone's target to ACCEPT lets through everything you have not explicitly blocked, so the services you enabled no longer limit anything; keep the target at default (or DROP) on any zone facing an untrusted network. The Load Zone Defaults button (yellow arrow) reloads the shipped defaults for the zone, discarding your changes.

Each zone, in turn, can have one or more network connections assigned to it; a zone's rules apply only to traffic arriving on the connections (interfaces) or from the source addresses bound to it. From the Options menu, choose Change Zones of Connections to open the Network Connections dialog, from which you can assign a connection to a zone.

For a given zone, you can configure services, ports, protocols, source ports, masquerading, port forwarding, ICMP filters, rich rules, interfaces, and sources. The feature most users need to change is the services. A Linux system is often used to run servers for a network. If you are creating a strong firewall but still want to run a service such as a web server, an FTP server, or SSH encrypted connections, you must enable it on the Services tab of the zone that the serving interface belongs to; anything not enabled there is rejected.

For a selected service, you can specify the ports and protocols it uses, any kernel helper modules it needs (the FTP connection-tracking helper, for example), and the destination addresses it applies to. The predefined services already carry their ports: the samba service, for example, covers 139/tcp and 445/tcp along with 137/udp and 138/udp. To modify a service definition, switch to the Permanent configuration and click the Services tab of the Firewall Configuration window to list the services. Choose the service you want to edit from the Service scroll box on the left. For that service, use the Ports, Protocols, Source Port, Modules, and Destination tabs to specify ports, protocols, modules, and addresses. On the Ports tab, click the Add button to open the Port and Protocol dialog, from which you can add a port or port range and choose a protocol from the Protocol menu (see Figure 14-17). The Protocols tab is for services carried by an IP protocol other than TCP or UDP, such as ESP or GRE, which have no port number. On the Destination tab, you can enter an IPv4 or IPv6 destination address, which limits the service to traffic sent to that address. Keep in mind that a service definition is shared: a port you add here is opened in every zone that enables the service.
Figure 14-17. Firewall Configuration dialog: Services tab

The Ports tab of a zone lets you open individual ports or port ranges that no predefined service covers, such as the ports used by a BitTorrent client. Click the Add button to open a dialog in which you enter a port number or range and choose the protocol (TCP or UDP). Opening a port is coarser than enabling a service, so prefer a service entry where one exists, and remove the port once the program no longer needs it.

If your system is being used as the gateway to the Internet for your local network, you can enable masquerading on the zone that contains the Internet-facing interface. Masquerading is source NAT: packets from your local hosts leave with the gateway's address, so only the gateway is visible from outside and the local hosts cannot be addressed directly from the Internet. Local hosts can still reach the Internet, but they masquerade as your gateway system. Enabling masquerading also turns on IP forwarding in the kernel. Masquerading in firewalld is available only for IPv4; IPv6 traffic is not translated.

The Port Forwarding tab lets you set up port forwarding: traffic arriving on one port is redirected to another port on the same system, or to a port on another host. Click the Add button to add an entry, specifying the protocol, the incoming port or range, and the destination port and/or address. Forwarding to another host also requires masquerading to be enabled on the zone. Each forward is an exposed path into your network, so forward only to hosts and services you intend to expose.

The ICMP Filters tab allows you to block individual ICMP message types. By default, none are blocked. Blocking selected types can make a system harder to probe or flood: echo-request and echo-reply (the ping request and its answer) are the ones most often blocked, so that the host does not answer pings. Do not block ICMP wholesale, however. Types such as destination-unreachable and time-exceeded, and for IPv6 packet-too-big and the neighbor-discovery messages, are needed for path MTU discovery, traceroute, and IPv6 itself; blocking them breaks connections rather than securing anything.

If you have specific firewall rules to add, use the Direct Configuration tab (displayed from the View ➤ Direct Configuration menu). Direct rules are handed to iptables as written and bypass the zone model, so use them only for what zones, services, and rich rules cannot express, and keep them to a minimum.
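The permanent configuration that firewall-config writes is plain XML, one file per zone, in /etc/firewalld/zones (the shipped defaults live under /usr/lib/firewalld/zones). The following added example, which is not code from the book or from the firewalld project, reads such a zone file and reports the settings discussed above, flagging the ones that widen exposure: an ACCEPT target, masquerading, port forwards, wide port ranges, and a zone bound to nothing. The element and attribute names follow the firewalld.zone file format; the sample zone file itself is constructed for the example, and the function names are the example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample zone file, in the format firewalld writes to
# /etc/firewalld/zones/<zone>.xml; the values are made up for this example.
SAMPLE_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Public</short>
  <description>For use in public areas.</description>
  <interface name="enp7s0"/>
  <service name="ssh"/>
  <service name="samba"/>
  <port protocol="tcp" port="6881-6999"/>
  <port protocol="udp" port="6881"/>
  <masquerade/>
  <forward-port port="80" protocol="tcp" to-port="8080" to-addr="192.168.1.10"/>
  <icmp-block name="echo-request"/>
</zone>
"""


def parse_zone(xml_text):
    """Read one zone file into a dict of the settings firewall-config exposes."""
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        raise ValueError("not a firewalld zone file")
    return {
        "short": (root.findtext("short") or "").strip(),
        # A missing target attribute means the 'default' target (reject unmatched).
        "target": root.get("target", "default"),
        "interfaces": [e.get("name") for e in root.findall("interface")],
        "sources": [e.get("address") for e in root.findall("source")],
        "services": [e.get("name") for e in root.findall("service")],
        "ports": [(e.get("port"), e.get("protocol")) for e in root.findall("port")],
        "masquerade": root.find("masquerade") is not None,
        "forward_ports": [dict(e.attrib) for e in root.findall("forward-port")],
        "icmp_blocks": [e.get("name") for e in root.findall("icmp-block")],
        "rich_rules": len(root.findall("rule")),
    }


def port_span(spec):
    """Number of ports covered by a port entry such as '80' or '6881-6999'."""
    low, _, high = spec.partition("-")
    return int(high or low) - int(low) + 1


def audit_zone(zone, max_range=100):
    """Findings a reviewer would raise for the zone: settings that widen exposure."""
    findings = []
    if zone["target"] == "ACCEPT":
        findings.append("target ACCEPT: unmatched packets are accepted, so the "
                        "service and port lists no longer restrict anything")
    if zone["masquerade"]:
        findings.append("masquerade enabled: this zone NATs forwarded IPv4 traffic")
    for fp in zone["forward_ports"]:
        dest = fp.get("to-addr", "this host")
        to_port = fp.get("to-port", fp["port"])
        findings.append(f"forward-port {fp['port']}/{fp['protocol']} -> {dest}:{to_port}")
    for spec, proto in zone["ports"]:
        span = port_span(spec)
        if span > max_range:
            findings.append(f"wide port range {spec}/{proto} ({span} ports)")
    if not zone["interfaces"] and not zone["sources"]:
        findings.append("zone is bound to no interface or source address, "
                        "so its rules apply to nothing (unless it is the default zone)")
    return findings


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE_XML)
    print(f"zone {zone['short']}: target={zone['target']} services={zone['services']}")
    for finding in audit_zone(zone):
        print(" -", finding)
```

Pointing parse_zone at the files in /etc/firewalld/zones gives a quick review of what the Permanent configuration will load at the next reload, which is worth doing before Options ➤ Reload Firewalld on a machine that faces the Internet.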

IPtables Firewall

If you wish, you can still use IPtables instead of FirewallD to manage the firewall; an older, customized rule set may be easier to keep on the static IPtables firewall than to translate into zones. The iptables-services package provides systemd unit files that load and unload a static rule set, much as the System V init scripts did in previous releases. The rules are kept in /etc/sysconfig/iptables, in the format written by iptables-save, and the unit only starts if that file exists (ConditionPathExists). The unit runs the iptables.init script to start and stop the firewall; the script reads its own runtime settings, such as whether to save the rules when stopping, from /etc/sysconfig/iptables-config. Only one of firewalld and the iptables service should be active at a time, since each replaces the kernel's rule set wholesale.
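Because the static rule set in /etc/sysconfig/iptables is loaded exactly as saved, it pays to review it before the iptables service starts on a remote machine. The following added example, not code from the book, shows what that file looks like and parses its filter table, reporting ports accepted from any source, a chain policy of ACCEPT with no catch-all deny, and rules placed after a catch-all REJECT or DROP that can never match. The rule set is constructed for the example, the parser handles only the filter table and the handful of match options shown, and the function names are the example's own.

```python
import re

# Constructed sample in iptables-save format, as /etc/sysconfig/iptables holds it.
# The rules are made up for this example, not copied from a real system.
SAMPLE_RULES = """\
# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

RULE_RE = re.compile(r"^-A (?P<chain>\S+)(?P<body>.*?) -j (?P<target>\S+)(?P<rest>.*)$")
MATCH_KEYS = ("-p", "-s", "-d", "-i", "--dport", "--state")


def _option(body, flag):
    """Value following one match option in the rule body, or None if absent."""
    m = re.search(r"(?:^|\s)%s (\S+)" % re.escape(flag), body)
    return m.group(1) if m else None


def parse_rules(text):
    """Parse the *filter table: returns (chain policies, list of rule dicts)."""
    policies, rules, table = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):            # table header, e.g. *filter
            table = line[1:]
            continue
        if line == "COMMIT":
            table = None
            continue
        if table != "filter":
            continue                         # nat/mangle tables are out of scope here
        if line.startswith(":"):             # chain policy line, e.g. :INPUT ACCEPT [0:0]
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rule = {"chain": m.group("chain"), "target": m.group("target")}
        for key in MATCH_KEYS:
            rule[key] = _option(m.group("body"), key)
        rules.append(rule)
    return policies, rules


def is_catch_all(rule):
    """True for a rule with no match options at all: it matches every packet."""
    return all(rule[k] is None for k in MATCH_KEYS)


def audit_rules(policies, rules):
    """Findings on the INPUT chain: exposure and ordering problems."""
    findings = []
    input_rules = [r for r in rules if r["chain"] == "INPUT"]
    has_deny = any(is_catch_all(r) and r["target"] in ("REJECT", "DROP")
                   for r in input_rules)
    if policies.get("INPUT") == "ACCEPT" and not has_deny:
        findings.append("INPUT policy ACCEPT with no catch-all REJECT/DROP rule: "
                        "anything not explicitly rejected is allowed")
    blocked = False
    for r in input_rules:
        if blocked:
            # iptables evaluates rules in order; nothing after a catch-all deny runs.
            findings.append(f"unreachable rule after catch-all deny: {r}")
            continue
        if is_catch_all(r) and r["target"] in ("REJECT", "DROP"):
            blocked = True
        elif r["target"] == "ACCEPT" and r["--dport"] and not r["-s"] and r["-i"] != "lo":
            findings.append(f"port {r['--dport']}/{r['-p']} accepted from any source")
    return findings


if __name__ == "__main__":
    policies, rules = parse_rules(SAMPLE_RULES)
    print("policies:", policies)
    for finding in audit_rules(policies, rules):
        print(" -", finding)
```

On the sample, the 445/tcp rule is limited to 192.168.1.0/24 and is not reported, while 22/tcp and 3306/tcp are accepted from anywhere; whether that is acceptable for a database port is exactly the question to settle before loading the file.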

You can still use the older system-config-firewall desktop tool to configure IPtables static firewalls. Install the system-config-firewall package; you can then start it from Sundry ➤ Firewall. Keep in mind that it conflicts with FirewallD: you have to stop and disable firewalld before you can use system-config-firewall, and then enable the iptables service in its place. While neither service is running, no rules are loaded, and once the iptables service starts, the saved rule set decides what gets in, so on a remote machine check that /etc/sysconfig/iptables allows your SSH session before making the switch.
sudo systemctl stop firewalld
sudo systemctl disable firewalld
To set up your firewall, run system-config-firewall (Sundry ➤ Firewall); it is the second firewall icon. The top button bar has buttons for the Firewall Wizard, Apply (to put your changes into effect), Reload (to restore your saved firewall), and Disable and Enable (see Figure 14-18). You can enable or disable your firewall with the Enable and Disable buttons. If the firewall is active, only the Disable button can be used, and vice versa.
Figure 14-18. system-config-firewall (IPtables)

Setting Up Windows Network Access: Samba

Most local and home networks include some systems working on Microsoft Windows and others on Linux. You may be required to let a Windows computer access a Linux system or vice versa. If you want to allow other Windows users to access folders on your Fedora desktop, you will have to install and configure the Samba server.

Note

See the section in Chapter 3 called “Shared Network Access for Windows Samba: (Samba)” to learn how you can access shared folders from GNOME and from Windows. Browsing the network in the file manager relied on the browse lists of the SMB1 protocol (NetBIOS); with the transition to SMB3 (Server Message Block) and SMB1 disabled, the file manager no longer lists hosts. You have to connect to shared folders directly, by host name or address.

Be sure that Samba is installed and enabled. Open Packages and click the Server entry or search for samba. Install the samba and samba-client packages. Selecting samba for installation will automatically select any needed dependent packages.

Be sure that the firewall on your Fedora system is not blocking Samba. Run firewall-config (Sundry ➤ Firewall) and, in the zone that your local network interface belongs to, check the samba service; check samba-client as well only if this machine also needs to browse or resolve names on Windows networks (see Figure 14-16). A change made in the Runtime configuration takes effect at once; if you made it in the Permanent configuration, reload the firewall (Options ➤ Reload Firewalld) to apply it now. Enable the samba service only on the zone facing your local network, never on an Internet-facing zone.

The Samba server consists of two daemons: smb, which serves the shares, and nmb, which provides NetBIOS name service (needed only for SMB1-style name resolution and browsing). Both are managed by systemd. Open a terminal window (Terminal) and run systemctl with sudo: the enable command makes a service start automatically whenever your system boots, and the start command starts it now.
sudo systemctl enable nmb
sudo systemctl enable smb
sudo systemctl start nmb
sudo systemctl start smb
Also, make sure that Samba access is permitted by SELinux (system-config-selinux). Use the SELinux Management tool and, on the Boolean tab, enable the Samba access you need (see Figure 14-16). There are several Samba entries. To share ordinary folders, Windows (NTFS) volumes, and NFS-mounted folders, you would check the following (the boolean names are samba_export_all_rw, samba_share_fusefs, and samba_share_nfs):
Allow samba to share any file/directory read/write
Allow samba to export ntfs/fusefs volumes
Allow samba to export NFS volumes
Note that the first of these lets the Samba daemon read and write any file that the ordinary permissions allow, for every share. The narrower choice is to leave it off and label only the directories you actually share with the samba_share_t context, as described next.
Should you receive a security alert (from the SELinux Troubleshooter), you can change the Samba SELinux file context manually, using the chcon and semanage commands. The commands to enter are listed in the Fix Command section of the alert's Show Full Error Output scroll window. A Samba share directory's SELinux file context should be samba_share_t. chcon changes the label immediately, but that change is lost when the file system is relabeled; semanage fcontext records the rule so that it survives relabeling (restorecon applies it). Give semanage a pattern that covers the directory and everything beneath it. In the following example, the SELinux file context for the /mymedia share is set:
sudo chcon -R -t samba_share_t '/mymedia'
sudo semanage fcontext -a -t samba_share_t '/mymedia(/.*)?'

Network Analysis Tools

Several applications are available on Linux to let you monitor your network activity. Graphical applications like Wireshark provide detailed displays and logs to let you analyze network traffic and usage patterns. Command-line tools like ping, netstat, nmap, and traceroute each do one specific job (see Table 14-3) and are run from a Terminal window.
Table 14-3. Network Tools

ping: Detects whether a host is reachable (ICMP echo request and reply).
finger: Obtains information about users on a remote host (the finger service is rarely enabled today).
who: Lists the users currently logged in to the local system.
whois: Obtains domain registration information.
host: Looks up DNS address information for a host name or address.
traceroute: Shows the sequence of routers your packets pass through to reach a host.
wireshark: Graphical protocol analyzer for examining captured network traffic.
netstat: Displays connections, listening sockets, routing tables, and interface statistics (superseded by ss).
tcpdump: Captures and saves network packets from the command line.
nmap: Network Mapper, for host discovery and port scanning.

Predictable and Unpredictable Network Device Names

Network devices now use a predictable naming method that differs from the older naming method . Names are generated based on the specific device referencing the network device type, its hardware connection and slot, and even its function. The traditional network device names used the eth prefix with the number of the device for an Ethernet network device . The name eth0 referred to the first Ethernet connection on your computer. This naming method was considered unpredictable as it did not accurately reference the actual Ethernet device. The old system relied on probing the network driver at boot, and if your system had several Ethernet connections, the names could end up being switched, depending on how the startup proceeded. With the current version of systemd udev, the naming uses a predictable method that specifies a particular device. The predictable method references the actual hardware connection on your system.

A predictable name starts with a prefix for the type of device, followed by qualifiers that locate the hardware: the firmware's onboard index, the hotplug slot number, or the PCI bus and device numbers, and, where needed, the function number. Instead of the older name eth0, the first Ethernet device is referenced by a name like enp7s0. The name enp7s0 is an Ethernet (en) device on PCI bus 7 (p7), device 0 on that bus (s0); both numbers come straight from the device's PCI address, 07:00.0. wlp6s0 is a wireless (wl) device on PCI bus 6 (p6), device 0 (s0), from the address 06:00.0. A name of the form ens3 (no p) uses the hotplug slot index instead, and eno1 the index the firmware reports for an onboard port; udev prefers the onboard name, then the slot name, then the bus/device path. Names not generated by udev also exist: virbr0, for example, is the virtual bridge that libvirt creates. Table 14-4 lists the predictable naming prefixes.

Unlike the older unpredictable name, the predictable name will most likely be different for each computer. Predictable network names, along with alternatives, are discussed at:

https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/

The naming is carried out by udev (part of systemd), not by the kernel, and is described in the comment at the top of the systemd source file src/udev/udev-builtin-net_id.c.
Table 14-4. Network Interface Device Naming

en: Ethernet
sl: Serial line IP (SLIP)
wl: WLAN, wireless local area network
ww: WWAN, wireless wide area network (mobile broadband)
o<index>: Onboard device, numbered by the firmware (for example, eno1)
s<slot>: Hotplug slot index number (for example, ens3)
p<bus>s<device>: PCI geographical location, the bus and device numbers from the PCI address (for example, enp7s0)
f<function>: PCI function number, appended for cards with more than one port (for example, enp3s0f1)
u<port>: USB port number, appended to the path of a USB device
i<interface>: USB interface number, appended when it is not 0
x<MAC>: MAC address name (for example, enx74e6e20ec729)

The directory /sys/devices lists all your devices in subdirectories, including your network devices. The path to a device passes through subdirectories named for the buses that connect it. To find the full path quickly, use the /sys/class directory instead: for network devices, /sys/class/net. There the ls -l command lists the network devices as symbolic links to their full path under /sys/devices (the leading ../.. in each link climbs two directories, from class/net up to /sys).
$ cd /sys/class/net
$ ls
enp7s0  lo  wlp6s0
$ ls -l
total 0
lrwxrwxrwx 1 root root 0 Feb 19 12:27 enp7s0 -> ../../devices/pci0000:00/0000:00:1c.3/0000:07:00.0/net/enp7s0
lrwxrwxrwx 1 root root 0 Feb 19 12:27 lo -> ../../devices/virtual/net/lo
lrwxrwxrwx 1 root root 0 Feb 19 12:28 wlp6s0 -> ../../devices/pci0000:00/0000:00:1c.2/0000:06:00.0/net/wlp6s0
So the full path name in the /sys/devices directory for enp7s0 is:
/sys/devices/pci0000:00/0000:00:1c.3/0000:07:00.0/net/enp7s0
The last PCI address in that path, 0000:07:00.0, is the network controller itself: domain 0000, bus 07, device 00, function 0. The bus number gives the p7 part of enp7s0 and the device number the s0 part. You can match the address against the output of the lspci command, which lists every PCI device with its bus:device.function address.
$ lspci
06:00.0 Network controller: Qualcomm Atheros QCA9565 / AR9565 Wireless Network Adapter (rev 01)
07:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8101/2/6E PCI Express Fast/Gigabit Ethernet controller (rev 07)
Devices have properties defined by udev, which manages all devices. Some facilities, such as systemd .link files, use these properties to pick out a device. The ID_PATH, ID_NET_NAME_MAC, and INTERFACE properties identify a device to udev. To display them, use the udevadm command to query the udev database: with the info and -e options, the properties of all active devices are displayed. You can pipe (|) this output to a grep command to display only the properties of a given device. In the following example, the properties for the enp7s0 device are listed. Preceding the properties of a device is a line beginning (^) with P and ending with the device name; the .* matches everything in between, hence ^P.*enp7s0. The -A option displays the specified number of additional lines after that match, -A 22.
$ udevadm info -e | grep -A 22 ^P.*enp7s0
P: /devices/pci0000:00/0000:00:1c.3/0000:07:00.0/net/enp7s0
E: DEVPATH=/devices/pci0000:00/0000:00:1c.3/0000:07:00.0/net/enp7s0
E: ID_BUS=pci
E: ID_MM_CANDIDATE=1
E: ID_MODEL_FROM_DATABASE=RTL8101/2/6E PCI Express Fast/Gigabit Ethernet controller
E: ID_MODEL_ID=0x8136
E: ID_NET_DRIVER=r8169
E: ID_NET_LINK_FILE=/lib/systemd/network/99-default.link
E: ID_NET_NAME_MAC=enx74e6e20ec729
E: ID_NET_NAME_PATH=enp7s0
E: ID_OUI_FROM_DATABASE=Dell Inc.
E: ID_PATH=pci-0000:07:00.0
E: ID_PATH_TAG=pci-0000_07_00_0
E: ID_PCI_CLASS_FROM_DATABASE=Network controller
E: ID_PCI_SUBCLASS_FROM_DATABASE=Ethernet controller
E: ID_VENDOR_FROM_DATABASE=Realtek Semiconductor Co., Ltd.
E: ID_VENDOR_ID=0x10ec
E: IFINDEX=2
E: INTERFACE=enp7s0
E: SUBSYSTEM=net
E: SYSTEMD_ALIAS=/sys/subsystem/net/devices/enp7s0
E: TAGS=:systemd:
E: USEC_INITIALIZED=1080179
For certain tasks, such as renaming an interface with a .link file, you may need to know the MAC address. You can find it with the ip link command, which you can abbreviate to ip l. The MAC address is the value before the brd string. In this example, the MAC address for enp7s0 is 74:e6:e2:0e:c7:29. The ip link command also shows the MTU (Maximum Transmission Unit) and the current state of each link.
$ ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp7s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000 link/ether 74:e6:e2:0e:c7:29 brd ff:ff:ff:ff:ff:ff
3: wlp6s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000 link/ether 4c:bb:58:22:40:1d brd ff:ff:ff:ff:ff:ff
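The relation between the sysfs path, the PCI address, and the name can be checked mechanically. The following added example, which is not code from the book or from systemd, derives the path-based name (prefix plus p<bus>s<device>, with f<function> when the function is not zero) and the MAC-based name (prefix plus x and the MAC address without colons) from the ls -l and ip link output shown above, and checks that they agree with ID_NET_NAME_PATH and ID_NET_NAME_MAC from the udevadm listing. The link targets and MAC addresses are the book's examples; the DEVTYPE value for the wireless device is an assumption (the kernel reports DEVTYPE=wlan for a Wi-Fi device in /sys/class/net/<dev>/uevent), and the example simplifies systemd's rule by omitting the f0 suffix that multi-function cards get.

```python
import re

# Constructed from the ls -l /sys/class/net and ip link output shown above.
SYSFS_LINKS = {
    "enp7s0": "../../devices/pci0000:00/0000:00:1c.3/0000:07:00.0/net/enp7s0",
    "lo": "../../devices/virtual/net/lo",
    "wlp6s0": "../../devices/pci0000:00/0000:00:1c.2/0000:06:00.0/net/wlp6s0",
}
# Assumed: the kernel's DEVTYPE for each device (absent for plain Ethernet).
DEVTYPES = {"wlp6s0": "wlan"}
IP_LINK_OUTPUT = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp7s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000 link/ether 74:e6:e2:0e:c7:29 brd ff:ff:ff:ff:ff:ff
3: wlp6s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000 link/ether 4c:bb:58:22:40:1d brd ff:ff:ff:ff:ff:ff
"""

# A PCI address as it appears in a sysfs path: domain:bus:device.function (hex).
PCI_ADDR = re.compile(r"^([0-9a-f]{4}):([0-9a-f]{2}):([0-9a-f]{2})\.([0-9a-f])$")


def prefix_for(devtype):
    """Type prefix from Table 14-4: wl for wlan, ww for wwan, en otherwise."""
    return {"wlan": "wl", "wwan": "ww"}.get(devtype, "en")


def path_name(sysfs_path, devtype=None):
    """ID_NET_NAME_PATH for a PCI device: prefix + p<bus>s<device>[f<function>].

    The bus and device numbers are taken from the last PCI address in the path,
    which is the network controller itself. Simplification: the function number
    is appended only when it is non-zero.
    """
    addrs = [m for m in (PCI_ADDR.match(part) for part in sysfs_path.split("/")) if m]
    if not addrs:
        return None  # virtual devices such as lo or a bridge have no path name
    domain, bus, device, func = (int(x, 16) for x in addrs[-1].groups())
    name = prefix_for(devtype)
    if domain:
        name += f"P{domain}"  # non-zero PCI domains are prefixed with P<domain>
    name += f"p{bus}s{device}"
    if func:
        name += f"f{func}"
    return name


def mac_name(mac, devtype=None):
    """ID_NET_NAME_MAC: prefix + 'x' + the MAC address in lowercase hex, no colons."""
    return prefix_for(devtype) + "x" + mac.replace(":", "").lower()


def parse_ip_link(text):
    """Map interface name -> (link type, MAC address) from `ip link` output."""
    links = {}
    for line in text.splitlines():
        m = re.match(r"^\d+: ([^:@]+):.*\blink/(\w+) ([0-9a-f:]{17})", line)
        if m:
            links[m.group(1)] = (m.group(2), m.group(3))
    return links


def expected_names(sysfs_links, devtypes, ip_link_text):
    """For each interface, the path-based and MAC-based names udev would generate."""
    macs = parse_ip_link(ip_link_text)
    names = {}
    for iface, target in sysfs_links.items():
        link_type, mac = macs.get(iface, ("ether", None))
        devtype = devtypes.get(iface)
        if link_type == "loopback":
            names[iface] = {"path": None, "mac": None}  # udev never renames lo
        else:
            names[iface] = {"path": path_name(target, devtype),
                            "mac": mac_name(mac, devtype) if mac else None}
    return names


if __name__ == "__main__":
    for iface, derived in expected_names(SYSFS_LINKS, DEVTYPES, IP_LINK_OUTPUT).items():
        print(f"{iface}: path={derived['path']} mac={derived['mac']}")
```

For the book's machine this yields enp7s0 and enx74e6e20ec729 for the Ethernet port, matching the ID_NET_NAME_PATH and ID_NET_NAME_MAC lines in the udevadm output above. Feeding the function real ls -l and ip link output from another machine shows which of the two names a .link file should match on: the path name survives a card swap in the same slot, the MAC name survives moving the card to another slot.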