Page 3 of 3 FirstFirst 123
Results 21 to 29 of 29

Thread: How to replace openSUSE firewall with a custom script of rules?

  1. #21
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    11,293
    Blog Entries
    2

    Default Re: How to replace openSUSE firewall with a custom script of rules?

    Without looking at your situation closely,

    I'd guess that instead of invoking SuSEfirewall2, you should instead invoke iptables directly and apply your rules.

    I assume timing and application of the firewall and firewall rules should be satisfied by the original SuSEfirewall2 configuration (so may need to retain the original Unit file name).

    In general this is how any use of a template works... When you base your revised on a working original you expect to retain all untouched functionality in the original while inserting your wanted changes.

    TSU

  2. #22

    Default Re: How to replace openSUSE firewall with a custom script of rules?

    Quote Originally Posted by lorenzodes View Post
    Here (OSuse 13.2) the SuSEfirewall2 service is split in 2 units: SuSEfirewall2_init.service and SuSEfirewall2.service.

    As far as I can tell you have used the former as template. Can you confirm that?
    Yes and no. As I mentioned I tried to combine both .service files by using the following logic:

    SuSEfirewall2.service wants SuSEfirewall2_init.service which contains:

    Code:
    Before=network.service                                                                                                                                      
    Before=basic.service
    OTOH SuSEfirewall2.service should run:

    Code:
    After=network.target ypbind.service nfs.service nfsserver.service rpcbind.service SuSEfirewall2_init.service
    which means that combined in one single condition this would means my script should run between the same Before and After. So I have combined all these 3 lines from above and removed the trailing "SuSEfirewall2_init.service" in the After as it will not be used.

    BTW I think it might be relevant to add in the Unit also:

    Code:
    Conflicts=SuSEfirewall2.service SuSEfirewall2_init.service
    to ensure both firewalls cannot be started at simultaneously.

    Looking at network.target 2 lines catch my attention:

    Code:
    Documentation=http://www.freedesktop.org/wiki/Software/systemd/NetworkTarget
    After=network-pre.target

    Following the doc link I read:

    network-pre.target is a target that may be used to order services before any network interface is configured. It's primary purpose is for usage with firewall services that want to establish a firewall before any network interface is up. It's a passive unit: you cannot start it directly and it is not pulled in by the the network management service, but by the service that wants to run before it. Network management services hence should set After=network-pre.target, but avoid any Wants=network-pre.target or even Requires=network-pre.target. Services that want to be run before the network is configured should place Before=network-pre.target and also set Wants=network-pre.target to pull it in. This way, unless there's actually a service that needs to be ordered before the network is up the target is not pulled in, hence avoiding any unnecessary synchronization point.
    If I understand correctly this means the firewall service must be set before the network.

    Also because network.target is run after network-pre.target and network.service is a link to /usr/lib/systemd/system/wicked.service which in turn:

    Code:
    Wants=network.target wickedd.service wickedd-nanny.service
    means that any attempt to have a "Requires=network.service" will also make the system Want network.target which is against the docs.

    (the following is just my personal speculation)

    I imagine the following scenario: At boot time there is no network for some reason (wicked failed to connect or something not configured etc). The mandatory "Requires=network.service" makes the firewall service fail = no protection, no masquerade etc. Later on the system administrator fixes the network and starts the network.service but the firewall remains off = security problem. I suppose that's why they make the firewall to be started Before network.service and not fail because of its mandatory requirements.


    Please correct me if I am wrong. I am not an expert, still learning.

  3. #23

    Default Re: How to replace openSUSE firewall with a custom script of rules?

    Quote Originally Posted by tsu2 View Post
    Without looking at your situation closely,

    I'd guess that instead of invoking SuSEfirewall2, you should instead invoke iptables directly and apply your rules.
    No guess work needed. That is exactly what I explained earlier

    (so may need to retain the original Unit file name).
    I don't see why that should be needed. I actually see it as an easy way to mess up things.

    In general this is how any use of a template works... When you base your revised on a working original you expect to retain all untouched functionality in the original while inserting your wanted changes.
    The theory is clear. I am actually asking for the practical side here.

  4. #24
    Join Date
    Jun 2014
    Location
    Italy
    Posts
    76

    Default Re: How to replace openSUSE firewall with a custom script of rules?

    As I said, SuSEfirewall2 is split in 2 unit files.

    The first one is executed *before* network interfaces are configured, it sets the default policy for INPUT/FORWARD to DROP and for OUTPUT to ACCEPT. It also ensures that connections from the loopback interface are not blocked (-A INPUT -i lo -j ACCEPT). It also ACCEPTs connections that are RELATED or ESTABLISHED.

    This ensures that the system is protected from the moment the network interfaces are brought up.

    The second unit file is executed after network interfaces are up and it loads the real SuSEfirewall2 iptables rules.

    So, the point is you can't combine the 2 unit files.

    Use SuSEfirewall2.service as a template for a service to launch your iptables script.

    Use SuSEfirewall2_init.service as a template for a service to set some basic iptables rules that protect the system during boot-up and don't need the network interfaces to be already up.

  5. #25

    Default Re: How to replace openSUSE firewall with a custom script of rules?

    Quote Originally Posted by lorenzodes View Post
    As I said, SuSEfirewall2 is split in 2 unit files.

    The first one is executed *before* network interfaces are configured, it sets the default policy for INPUT/FORWARD to DROP and for OUTPUT to ACCEPT. It also ensures that connections from the loopback interface are not blocked (-A INPUT -i lo -j ACCEPT). It also ACCEPTs connections that are RELATED or ESTABLISHED.
    That is exactly what my script does too as I explained in post #3 in the thread and...

    This ensures that the system is protected from the moment the network interfaces are brought up.
    ... exactly what I want.

    So, the point is you can't combine the 2 unit files.
    Why? Are you saying that my own iptables rules will fail if loaded before network.service and basic.service but at the same time iptables rules which drop all input and forward will not? If that strangeness is mandatory I might indeed split the script in two parts but first of all I am trying to understand why, so I hope you could explain.

  6. #26
    Join Date
    Jun 2014
    Location
    Italy
    Posts
    76

    Default Re: How to replace openSUSE firewall with a custom script of rules?

    Quote Originally Posted by heyjoe View Post
    That is exactly what my script does too as I explained in post #3 in the thread and...


    ... exactly what I want.


    Why? Are you saying that my own iptables rules will fail if loaded before network.service and basic.service but at the same time iptables rules which drop all input and forward will not? If that strangeness is mandatory I might indeed split the script in two parts but first of all I am trying to understand why, so I hope you could explain.
    You can't combine those 2 unit files because they are designed to be executed at 2 different times during the boot chain. Randomly mixing them will only cause problems.

    Just to be clear:

    Code:
    Before=network.service
    Before=basic.service
    After=network.target ypbind.service nfs.service nfsserver.service rpcbind.service
    "Before network.service" contradicts "After network.target ypbind.service nfs.service nfsserver.service rpcbind.service".

    If you read "/usr/lib/systemd/system/wicked.service" (which provides network.service), you'll see network.service is designed to be executed *before* network.target. Hence "before network.service" AND "after network.target" is a nonsense.

  7. #27

    Default Re: How to replace openSUSE firewall with a custom script of rules?

    Thanks for clarifying. I think I understand what you mean now.

    What would you suggest for ExecStop actions in that case?

    Also - can you recommend some documentation which explains the order of all these systemd services and all the rest of it? You really got my interest to learn more about how the system boots and loads all stuff.

  8. #28
    alanbortu NNTP User

    Default Re: How to replace openSUSE firewall with a custom script of rules?

    On 11/09/2015 05:06 PM, heyjoe wrote:
    > Also - can you recommend some documentation which explains the order of
    > all these systemd services and all the rest of it? You really got my
    > interest to learn more about how the system boots and loads all stuff.


    Code:
    systemd-analyze plot > plot.svg
    That will give you a nice visualization. Just open it with some program
    that can read svg files (use svg because the text will come out
    unreadable if you use png).

    I found http://linoxide.com/linux-how-to/systemd-boot-process/ gave a
    quick overview of the boot process. Its not too in depth but I think it
    gives a good jumping off point with systemd.

    --
    openSUSE Leap (42.1) 64 bit
    Plasma 5

  9. #29

    Default Re: How to replace openSUSE firewall with a custom script of rules?

    Thank you alanbortu.

Page 3 of 3 FirstFirst 123

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •