Thread: How to replace openSUSE firewall with a custom script of rules?

  1. #11

    Quote Originally Posted by heyjoe
    I don't want to install other firewalls. I can write my own iptables lines. My script will work - it has worked for years on an older router and on a different distro, so the script itself is ok. It is similar to this one but not identical.

    I understand that the SuSEfirewall2 service needs to be disabled. I know how to do that in YaST. The only question is how to make my script run on boot, i.e. register it as a service with proper parameters.

    Recommend you copy the SUSE FW systemd Unit file as follows. Note that the original location is the standard location for system Unit files which you should <never> alter and the new location is where any custom User Unit files reside. If a Unit file in the User location is the same name as the original default in /usr/lib/* then the custom Unit file will override.
    Code:
    cp /usr/lib/systemd/system/SuSE* /etc/systemd/system/
    Now, I recommend you rename your copied files to whatever you wish to avoid confusion.

    The result is Unit files which are used to start and run SUSE FW but now can be pointed to your custom script or configuration files.

    TSU

  2. #12

    Thanks TSU. So basically as I thought. I will try to set up a systemd unit.

  3. #13

    Trying to combine /usr/lib/systemd/system/SuSEfirewall2.service and /usr/lib/systemd/system/SuSEfirewall2_init.service I wrote this:

    Code:
    [Unit]
    Description=My custom firewall
    Before=network.service
    Before=basic.service
    After=network.target ypbind.service nfs.service nfsserver.service rpcbind.service
    
    [Service]
    ExecStart=/usr/local/sbin/my-firewall-start
    ExecStop=/usr/local/sbin/my-firewall-stop
    RemainAfterExit=true
    Type=oneshot
    
    [Install]
    WantedBy=multi-user.target
    Is it correct? (I am just not 100% sure about the Before and After options)

  4. #14

    Quote Originally Posted by heyjoe
    Trying to combine /usr/lib/systemd/system/SuSEfirewall2.service and /usr/lib/systemd/system/SuSEfirewall2_init.service I wrote this:

    Code:
    [Unit]
    Description=My custom firewall
    Before=network.service
    Before=basic.service
    After=network.target ypbind.service nfs.service nfsserver.service rpcbind.service
    
    [Service]
    ExecStart=/usr/local/sbin/my-firewall-start
    ExecStop=/usr/local/sbin/my-firewall-stop
    RemainAfterExit=true
    Type=oneshot
    
    [Install]
    WantedBy=multi-user.target
    Is it correct? (I am just not 100% sure about the Before and After options)

    Can't say without specific, detailed info.

    So, for instance you should look at what the default SuSEfirewall2 scripts currently say. It's almost certain that they will contain code to both instantiate (or stop) iptables as well as contain configurations.

    Since it appears that you're replacing the existing SuSEfirewall2 scripts completely, you need to make sure you replace all the necessary functionality, which means that if your existing script only modifies you'd need to insert all the other functionality.

    I'd recommend you use the existing SuSEfirewall2 scripts as templates for whatever you wish to do, modifying with your existing script.

    Of course, this all supposes that your existing script can't just modify iptables the way SUSE FW sets up which would be a lot less work.

    TSU

  5. #15

    Quote Originally Posted by tsu2
    Can't say without specific, detailed info.

    What info would that be? The script is just lines of iptables rules (as shown in a previous post).

    The SuSEfirewall2 scripts are too complicated because they need to read info from what one puts in YaST etc. So I am not going to adopt such complexity, it is not necessary. Actually that is exactly what I am trying to avoid - some complicated script aimed at better desktop usability doing the thinking for me (and logging and so on).

  6. #16

    Quote Originally Posted by heyjoe
    Trying to combine /usr/lib/systemd/system/SuSEfirewall2.service and /usr/lib/systemd/system/SuSEfirewall2_init.service I wrote this:

    Code:
    [Unit]
    Description=My custom firewall
    Before=network.service
    Before=basic.service
    After=network.target ypbind.service nfs.service nfsserver.service rpcbind.service
    
    [Service]
    ExecStart=/usr/local/sbin/my-firewall-start
    ExecStop=/usr/local/sbin/my-firewall-stop
    RemainAfterExit=true
    Type=oneshot
    
    [Install]
    WantedBy=multi-user.target
    Is it correct? (I am just not 100% sure about the Before and After options)

    Uhm, maybe something like this:
    Code:
    [Unit]
    Description=My custom firewall
    Requires=network.service
    Before=network.target
    After=network.service ypbind.service nfs.service nfsserver.service rpcbind.service
    
    [Service]
    ExecStart=/usr/local/sbin/my-firewall-start
    ExecStop=/usr/local/sbin/my-firewall-stop
    RemainAfterExit=true
    Type=oneshot
    
    [Install]
    WantedBy=multi-user.target

  7. #17

    Can you explain the changes you made and the reasons for them?

  8. #18

    Quote Originally Posted by heyjoe
    Can you explain the changes you made and the reasons for them?

    Network.service brings network interfaces up. I assume your script needs that. My changes also ensure your firewall script is executed *after* network.service exits and only if the latter doesn't fail.

    Besides that, "Before=basic.service" should not be necessary.

  9. #19

    Quote Originally Posted by lorenzodes
    Network.service brings network interfaces up. I assume your script needs that. My changes also ensure your firewall script is executed *after* network.service exits and only if the latter doesn't fail.

    Besides that, "Before=basic.service" should not be necessary.

    Hm. But I have adopted those from the original SuSEfirewall2 service files. Are you saying the order in them is wrong too?

  10. #20

    Quote Originally Posted by heyjoe
    Hm. But I have adopted those from the original SuSEfirewall2 service files. Are you saying the order in them is wrong too?

    Here (openSUSE 13.2) the SuSEfirewall2 service is split into 2 units: SuSEfirewall2_init.service and SuSEfirewall2.service.

    As far as I can tell you have used the former as template. Can you confirm that?
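
An added example, not part of any post in the thread: a small Python check of the Before=/After= ordering in the units from posts #13 and #16. The unit name my-firewall.service is hypothetical, and the edge that orders network.service before network.target is an assumption based on systemd's convention for network management services, not something stated in the thread.

```python
# Ordering lines copied from the units in posts #13 and #16 of the thread.
POST_13 = """[Unit]
Before=network.service
Before=basic.service
After=network.target ypbind.service nfs.service nfsserver.service rpcbind.service
"""
POST_16 = """[Unit]
Requires=network.service
Before=network.target
After=network.service ypbind.service nfs.service nfsserver.service rpcbind.service
"""
# Assumption, not from the thread: network.service is ordered before
# network.target (systemd's convention for network management services).
ASSUMED_EDGES = [("network.service", "network.target")]

def ordering_edges(unit_text, name):
    # Return (earlier, later) pairs declared by Before=/After= in [Unit].
    edges, section = [], None
    for line in map(str.strip, unit_text.splitlines()):
        key, _, value = line.partition("=")
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "Unit" and key.strip() in ("Before", "After"):
            for other in value.split():
                edge = (name, other) if key.strip() == "Before" else (other, name)
                edges.append(edge)
    return edges

def find_cycle(edges):
    # Depth-first search; returns one ordering cycle as a list, or None.
    graph, state = {}, {}
    for earlier, later in edges:
        graph.setdefault(earlier, []).append(later)
    def visit(node, path):
        state[node] = "open"  # node is on the current DFS path
        for nxt in graph.get(node, []):
            if state.get(nxt) == "open":
                return path[path.index(nxt):] + [nxt]
            if nxt not in state and (found := visit(nxt, path + [nxt])):
                return found
        state[node] = "done"
        return None
    for start in graph:
        if start not in state and (found := visit(start, [start])):
            return found
    return None

def check(unit_text, name="my-firewall.service"):  # name is hypothetical
    return find_cycle(ordering_edges(unit_text, name) + ASSUMED_EDGES)
```

Under that assumption, `check(POST_13)` returns a cycle through network.service and network.target, while `check(POST_16)` returns `None`.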
