This was in "Re: Firewall and IP Tables", but I'm starting a new thread,
since this isn't really about the original topic any more.

On Thu, 07 May 2009 19:56:01 +0000, framp wrote:

> 'That's what I found' (http://en.opensuse.org/SuSEfirewall2).

Found and read that. Doesn't cover FW_CUSTOMRULES at all. Also doesn't cover how and why SuSEfirewall2 hooks in with the $network so that it destroys and rebuilds the whole of iptables each time a network interface goes from down to up (this can be interesting on a laptop with wired and wireless connections).

I'm specifically interested in the custom rules support, since I want to nicely and correctly add some customized stuff to the SuSEfirewall2. (Yes, for the detractors, I know, I could just scrap the whole of Sfw2 and replace it with your favourite iptables script, or develop one of my own; that's not the point here.)

> If you need help - just post your questions/problems. A lot of people
> have experiences with SuSEfirewall2 and might be able to help you.

Is this an intentional setup, misfeature, or bug:

If you uncomment the FW_CUSTOMRULES line in /etc/sysconfig/SuSEfirewall2 you'd expect it to do something useful. After all, it says:

    ## Type: string
    #
    # 25.)
    # Do you want to load customary rules from a file?
    #
    # This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
    # READ THE EXAMPLE CUSTOMARY FILE AT /etc/sysconfig/scripts/SuSEfirewall2-custom
    #
    FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
    #FW_CUSTOMRULES=""

and if you go look at the SuSEfirewall2-custom script, it looks like it's intended for customized extensions to the Sfw2 iptables stuff.

So I tried that and nothing happens. So I went hunting around and found the /sbin/SuSEfirewall2 script uses FW_CUSTOMRULES:

    load_customrules()
    {
        ### Load custom rules
        if [ -n "$FW_CUSTOMRULES" ]; then
            if [ ! -r "$FW_CUSTOMRULES" ]; then
                die 1 "Firewall custom rules file can not be read from $FW_CUSTOMRULES"
            fi
            . "$FW_CUSTOMRULES"
            message "Firewall custom rules loaded from $FW_CUSTOMRULES"
        else
            message "No custom rules specified."
        fi
    }

and has stubs for the functions defined in the Sfw2-custom script, so that the whole thing works without errors, whether or not custom rules are being used.

Ok, pretty slick so far, so why doesn't it work? I can put stuff in the Sfw2-custom script, but it never gets called. More hunting eventually found this gem at the top of /sbin/SuSEfirewall2:

    FW_CUSTOMRULES=""

Yep. Despite the change to the /etc/sysconfig/SuSEfirewall2 script, where it looks like this variable should be set, they're blowing it away here in /sbin/SuSEfirewall2 so that the entire Sfw2-custom script will never be called.

Even more entertainingly, if you change FW_CUSTOMRULES here in the /sbin script, but _don't_ change it in the /etc/sysconfig one, then the order that these scripts get called in actually results in the same symptoms, because /sbin/SuSEfirewall2 calls /etc/sysconfig/SuSEfirewall2. It's almost like they are intentionally making it really hard to activate the FW_CUSTOMRULES script support.

After commenting this line out, the Sfw2-custom script gets called.

And on a minor note, there are several places where the word "custom" has been replaced by "customary", like in the comments above. Somebody ought to get those fixed.

--
---------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Novell Knowledge Partner http://forums.novell.com
Please post questions in the newsgroups. No support provided via email.
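The ordering question raised in the post above (a reset of FW_CUSTOMRULES in the main script versus the value set in the config file it sources) can be checked on stand-in files. This is an added example, not part of the original post and not SuSEfirewall2's own code; the files reset_first.sh and reset_last.sh and the helpers list_assignments and effective_customrules are hypothetical names made up for the demonstration.

```shell
#!/bin/sh
# Constructed stand-ins: these are NOT the real SuSEfirewall2 files.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Stand-in for /etc/sysconfig/SuSEfirewall2 with the option uncommented.
cat > "$demo_dir/sysconfig" <<'EOF'
FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
EOF

# Hypothetical main script A: clears the variable, then sources the config.
cat > "$demo_dir/reset_first.sh" <<EOF
FW_CUSTOMRULES=""
. "$demo_dir/sysconfig"
EOF

# Hypothetical main script B: sources the config, then clears the variable.
cat > "$demo_dir/reset_last.sh" <<EOF
. "$demo_dir/sysconfig"
FW_CUSTOMRULES=""
EOF

# Show every assignment with its line number so the last writer is visible.
list_assignments() {
    grep -nE '^[[:space:]]*FW_CUSTOMRULES=' "$@"
}

# Report the value left in FW_CUSTOMRULES after a file has been sourced.
# This executes the file, so use it on stand-ins like the ones above;
# the subshell keeps the caller's environment unchanged.
effective_customrules() {
    ( unset FW_CUSTOMRULES; . "$1" >/dev/null 2>&1
      printf '%s' "${FW_CUSTOMRULES-<unset>}" )
}

for f in reset_first.sh reset_last.sh; do
    list_assignments "$demo_dir/$f"
    printf '%s -> [%s]\n' "$f" "$(effective_customrules "$demo_dir/$f")"
done
```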
Another wiki page to add to my list of grumbles...
Well, a long time ago I used a custom hook and custom rules; don't really do howto, more tips and tweaks. Here is the old thread. Hopefully you can get the info you need from that. I added several rules and a custom hook, still very vague on the hook bit though.

How To Add Additional Ip Rules To Suse Firewall - openSUSE Forums

Perhaps someone with better wiki skills than I can put into that page...