Suse 9: Firewalling

Suse 9's firewall management is in the hands of the SuSEfirewall2 package and is (obviously) based on iptables. The package provides a main script, /sbin/SuSEfirewall2, and various initialization and configuration scripts that present a user-friendly, function-oriented logic hiding the raw syntax of the iptables command.
Configuration can be done through the YaST2 graphical interface or by editing the main configuration file /etc/sysconfig/SuSEfirewall2 directly.

The questions asked in YaST2 have their equivalent in the variables set in this file, which is a shell-syntax file defining various (well commented) function-oriented parameters such as:
FW_QUICKMODE="no"
FW_DEV_EXT="eth1"
FW_DEV_INT="eth0"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="no"
# FW_SERVICES_EXT_TCP="www"
# FW_SERVICES_DMZ_UDP="syslog"
FW_SERVICES_EXT_TCP="http ssh telnet"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
# FW_SERVICES_QUICK_TCP="ssh"
# FW_SERVICES_QUICK_UDP="isakmp"
# FW_SERVICES_QUICK_IP="50"
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
FW_CUSTOMRULES=""
FW_REJECT="no"
# FW_HTB_TUNE_DEV="ppp0,125"
#   FW_HTB_TUNE_DEV="ppp0,250"
FW_HTB_TUNE_DEV=""


The init scripts are divided into three stages, /etc/init.d/SuSEfirewall2_init, /etc/init.d/SuSEfirewall2_setup and /etc/init.d/SuSEfirewall2_final, which are easily managed together by the rcSuSEfirewall2 script.
Sample configurations and some docs can be found in /usr/share/doc/packages/ and, while it is still possible to use the iptables command in the interactive shell or in custom scripts, the easy and fast choice is surely to conform to the SuSEfirewall2 logic (rules added by hand are not reapplied when SuSEfirewall2 restarts; the FW_CUSTOMRULES script exists for that purpose).
The SuSEfirewall2 command provides some nice options:
SuSEfirewall2 start|stop  Applies or removes the iptables rules.
SuSEfirewall2 status      Shows the status of the iptables rules (the output of iptables -L -nv).
SuSEfirewall2 test        Simulates the rules, logging all the packets that would be dropped instead of dropping them.
SuSEfirewall2 debug       Prints to stdout the iptables commands that would be applied, without actually executing them.
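Because /etc/sysconfig/SuSEfirewall2 is plain shell syntax, it can be sourced and checked by a script before the firewall is (re)started. The following is an added example, not part of SuSEfirewall2 or of the original page: it sources a constructed sample of the variables shown above, prints review findings a defender would want to see (cleartext services on the external interface, a masquerading gateway with FW_PROTECT_FROM_INTERNAL="no", noisy logging, no custom-rules script), and renders the FW_SERVICES_EXT_TCP list into the rough shape of the iptables commands that the debug option would print. The chain name input_ext and the small name-to-port table are assumptions for the example; the real script resolves names through /etc/services and emits many more rules (state matching, logging) than shown here.

```shell
#!/bin/sh
# Added example (not SuSEfirewall2's own code): audit a /etc/sysconfig/SuSEfirewall2
# style file and sketch the iptables rules implied by FW_SERVICES_EXT_TCP.
# The config file uses shell syntax (VAR="value"), so it is sourced in a subshell.

# Constructed sample configuration, modelled on the values shown in the text.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
FW_DEV_EXT="eth1"
FW_DEV_INT="eth0"
FW_MASQUERADE="yes"
FW_PROTECT_FROM_INTERNAL="no"
FW_SERVICES_EXT_TCP="http ssh telnet"
FW_LOG_DROP_ALL="yes"
FW_CUSTOMRULES=""
EOF

# fw_get FILE VAR: print the value of VAR as FILE defines it (empty if unset).
# Sourcing happens in a subshell so the caller's environment is not modified.
fw_get() {
    ( . "$1" 2>/dev/null; eval "printf '%s' \"\${$2}\"" )
}

# svc_port NAME: map a service name to a TCP port. SuSEfirewall2 uses
# /etc/services for this; the inline table (an assumption) keeps the example offline.
svc_port() {
    case $1 in
        http)   echo 80 ;;
        https)  echo 443 ;;
        ssh)    echo 22 ;;
        telnet) echo 23 ;;
        [0-9]*) echo "$1" ;;   # numeric ports are passed through unchanged
        *)      echo "" ;;
    esac
}

# fw_ext_tcp_rules FILE: one ACCEPT rule per entry in FW_SERVICES_EXT_TCP,
# in the style of what "SuSEfirewall2 debug" prints. Chain name input_ext is
# assumed here; the real rule set also carries state and logging rules.
fw_ext_tcp_rules() {
    dev=$(fw_get "$1" FW_DEV_EXT)
    for svc in $(fw_get "$1" FW_SERVICES_EXT_TCP); do
        port=$(svc_port "$svc")
        [ -n "$port" ] || { echo "# unknown service: $svc"; continue; }
        echo "iptables -A input_ext -i $dev -p tcp --dport $port -j ACCEPT"
    done
}

# fw_audit FILE: print one WARN/INFO line per finding a reviewer should look at.
fw_audit() {
    f=$1
    ext_dev=$(fw_get "$f" FW_DEV_EXT)
    for svc in $(fw_get "$f" FW_SERVICES_EXT_TCP); do
        case $svc in
            telnet|ftp|pop3|imap|23|21|110|143)
                echo "WARN: cleartext service '$svc' is open on external interface $ext_dev" ;;
        esac
    done
    if [ "$(fw_get "$f" FW_MASQUERADE)" = "yes" ] &&
       [ "$(fw_get "$f" FW_PROTECT_FROM_INTERNAL)" != "yes" ]; then
        echo "INFO: masquerading gateway trusts every host on FW_DEV_INT (FW_PROTECT_FROM_INTERNAL is not yes)"
    fi
    if [ "$(fw_get "$f" FW_LOG_DROP_ALL)" = "yes" ]; then
        echo "INFO: FW_LOG_DROP_ALL=yes logs every dropped packet; a port scan fills the log quickly"
    fi
    if [ -z "$(fw_get "$f" FW_CUSTOMRULES)" ]; then
        echo "INFO: FW_CUSTOMRULES is empty; hand-added iptables rules are not reapplied on restart"
    fi
}

fw_audit "$SAMPLE_CFG"
echo "---"
fw_ext_tcp_rules "$SAMPLE_CFG"
```

Run against the real file with `fw_audit /etc/sysconfig/SuSEfirewall2` before `rcSuSEfirewall2 restart`; compare the output of `fw_ext_tcp_rules` with `SuSEfirewall2 debug` to see how much the real script adds around each accepted service.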
