
Thread: Problem with the firewall

  1. #1

    Problem with the firewall

    I am using openSUSE 13.1 and the Yast Firewall.

    I am in the Firewall and click Advanced, but after I enter the port in TCP and hit OK nothing happens; it doesn't show up in the external list, and at the same time I don't see a place to enter the name for that port. So I read the help, which gives an example of "22, http", and I try that, but it won't accept it, saying that I can't use commas and have to use spaces. So I try with a space, but it says it doesn't recognize the name. This is crazy!!


    Your help would be appreciated!

  2. #2

    Re: Problem with the firewall

    First, what is your end goal? If it is just to open SSH (TCP 22 by
    default) to the rest of your network is there a reason you are not using
    the service drop-down menu instead of the Advanced section? Just curious...

    You should be able to put in the list of ports, space-delimited, in the
    Advanced view within the TCP field. I do this a lot with my 12.x machines
    and various SLES machines, but haven't tried (that I can confirm) on 13.1
    yet so maybe there's a bug in the parsing with the port to Ruby.... maybe
    (seems unlikely to me based on how much this area is used). Anyway, the
    way to know if it worked or not is to use the 'iptables -nvL' or
    'iptables-save' command as 'root' (post the output here).

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...

  3. #3

    Re: Problem with the firewall

    Quote Originally Posted by ab:
    First, what is your end goal? If it is just to open SSH (TCP 22 by
    default) to the rest of your network is there a reason you are not using
    the service drop-down menu instead of the Advanced section? Just curious...

    You should be able to put in the list of ports, space-delimited, in the
    Advanced view within the TCP field. I do this a lot with my 12.x machines
    and various SLES machines, but haven't tried (that I can confirm) on 13.1
    yet so maybe there's a bug in the parsing with the port to Ruby.... maybe
    (seems unlikely to me based on how much this area is used). Anyway, the
    way to know if it worked or not is to use the 'iptables -nvL' or
    'iptables-save' command as 'root' (post the output here).

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...

    I think I expected the firewall to work like most firewalls do, by giving you the ability to add new port entries so they appear in the drop-down list, instead of just adding the port under Advanced. The problem I see with the way Yast does it is: what happens if you have a million ports to open and a new tech replaces your ass? He or she won't know why you opened those ports, as they aren't listed in the drop-down with names associated with them.

  4. #4

    Re: Problem with the firewall

    On 01/20/2014 05:56 AM, aenglish wrote:
    >
    > ab;2617768 Wrote:
    >> First, what is your end goal? If it is just to open SSH (TCP 22 by
    >> default) to the rest of your network is there a reason you are not using
    >> the service drop-down menu instead of the Advanced section? Just
    >> curious...
    >>
    >> You should be able to put in the list of ports, space-delimited, in the
    >> Advanced view within the TCP field. I do this a lot with my 12.x
    >> machines
    >> and various SLES machines, but haven't tried (that I can confirm) on
    >> 13.1
    >> yet so maybe there's a bug in the parsing with the port to Ruby....
    >> maybe
    >> (seems unlikely to me based on how much this area is used). Anyway, the
    >> way to know if it worked or not is to use the 'iptables -nvL' or
    >> 'iptables-save' command as 'root' (post the output here).
    >>
    >> --
    >> Good luck.
    >>
    >> If you find this post helpful and are logged into the web interface,
    >> show your appreciation and click on the star below...

    >
    > I think I expected for the firewall to work like most firewalls do by
    > providing you the ability to add new port entries into so they appear in
    > the drop down list, instead of just adding the port under advanced. The


    You're in luck; it does, but not from the place where you actually open
    those ports, afaik. The way to do this has come up in the forums before,
    recently even, and as I recall is done from
    /etc/sysconfig/SuSEfirewall2.d/services which then holds a conf file for
    the various things you want. This is not even limited to a one-to-one
    mapping, so you can create a service called whatever you want and have it
    work.

    To just put in arbitrary strings in the list of ports does not make any
    sense to me; if those happen to be strings that map to the /etc/services
    file then maybe those could work as long as they are one-to-one mappings
    and the Yast devs were thinking of this situation when creating the UI.

    > problem I see with the way Yast does it is what happens if you have a
    > million ports to open and a new tech replaces your ass he or she won't
    > know why you opened those ports as they aren't listed in the drop down
    > with names associated to them.


    See above. You can do this in a way that makes deployment quick/simple
    and documentation built-in.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...
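
    A worked example of the service-definition approach described in the reply above. This is added here and is not code from the thread or from the SuSEfirewall2 project; it assumes the service-file layout shown (a "## Name:"/"## Description:" header followed by TCP/UDP/RPC/IP/BROADCAST port lists) and that the file name doubles as the service identifier. It writes to whatever directory you pass in; the live one is /etc/sysconfig/SuSEfirewall2.d/services.

```shell
#!/bin/sh
# Added example, not from the thread: generate a SuSEfirewall2 service
# definition file so the opened ports show up by name in the YaST
# service drop-down instead of as anonymous entries under Advanced.
# Assumed (labelled): the file layout below (## Name:/## Description:
# headers plus TCP/UDP/RPC/IP/BROADCAST lists), and that the file name
# is the service identifier. The live directory is
# /etc/sysconfig/SuSEfirewall2.d/services (from the reply above).
set -e

# write_service DIR NAME DESCRIPTION TCP_PORTS [UDP_PORTS]
# Port lists are space separated; a range is written low:high.
write_service() {
    dir=$1; name=$2; desc=$3; tcp=$4; udp=${5:-}
    # Validate first: refuse anything that is not digits or a range,
    # so a typo ("9100 ssh") never produces a half-written file.
    for p in $tcp $udp; do
        case $p in
            *[!0-9:]*) echo "bad port spec: $p" >&2; return 1 ;;
        esac
    done
    cat > "$dir/$name" <<EOF
## Name: $name
## Description: $desc
# space separated list of allowed TCP ports
TCP="$tcp"
# space separated list of allowed UDP ports
UDP="$udp"
# space separated list of allowed RPC services
RPC=""
# space separated list of allowed IP protocols
IP=""
# space separated list of allowed UDP broadcast ports
BROADCAST=""
EOF
}

# service_tcp_ports DIR NAME: print the TCP list recorded in the file,
# which is what the next admin reads to learn why a port is open.
service_tcp_ports() {
    sed -n 's/^TCP="\(.*\)"$/\1/p' "$1/$2"
}

# Demo against a scratch directory (constructed values, not real hosts).
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_service "$tmp" monitoring-agent "Prometheus node exporter" "9100 9117"
    service_tcp_ports "$tmp" monitoring-agent
fi
```

    Once the file is in place, the service name appears in the YaST drop-down and can be checked the same way as any other with 'iptables -nvL' or 'iptables-save'.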

  5. #5

    Re: Problem with the firewall

    Me personally, I don't see the point in the Yast firewall setup; I'd rather use iptables like
    Code:
    iptables -A SSH -p tcp -s 0/0 -d your.ssh.server/client.addr --dport 22 -j ACCEPT
    to allow connections to ssh from any address (0/0), and I'd also limit those ssh connections
    Code:
    iptables -A SSH -p tcp -m limit --limit 3/min -s 0/0 -d ssh.server --dport 22 -j ACCEPT
    Code:
    iptables -A SSH -j DROP
    - default policy for SSH
    13.2 KDE 64bit tumbleweed
    Lenovo G500s, Thinkpad R500

  6. #6

    Re: Problem with the firewall

    Quote Originally Posted by roberto68:
    Me personally, I don't see point in yast firewall setup, rather use iptables
    That's all well and good, but I would guess that many users would not be comfortable doing firewall configuration from the CLI, (and making them persistent).
