Page 1 of 3 123 LastLast
Results 1 to 10 of 29

Thread: How to replace openSUSE firewall with a custom script of rules?

  1. #1

    Question How to replace openSUSE firewall with a custom script of rules?

    I would like to create my own iptables rules from scratch instead of using the YaST > Firewall custom rules.

    If I create my own firewall script with those rules and disable the built-in firewall service of openSUSE - where should I put this script in order the system to run it at proper time during boot? I would like to do it in a clean way so that if I change my mind later I can still go back to the built-in firewall.

    P.S. My main idea is to drop all packets and to allow only what I really need. Does that imply any worse security than the default firewall scheme?

  2. #2
    Join Date
    Nov 2013
    Location
    Canadiana
    Posts
    461

    Default Re: How to replace openSUSE firewall with a custom script of rules?

    Quote Originally Posted by heyjoe View Post
    P.S. My main idea is to drop all packets and to allow only what I really need. Does that imply any worse security than the default firewall scheme?
    Just from looking at my firewall on Leap, the default seems to do this out of the box and looks pretty secure for most users to me. If you do iptables -L -v -n you should see rules like so (pay attention to bolded):
    Code:
    Chain INPUT (policy DROP 0 packets, 0 bytes)
    ...
        22  27K input_ext  all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-IN-ILL-TARGET "
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    Code:
    Chain OUTPUT (policy ACCEPT 1064K packets, 75M bytes)
    26657   48M ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    Code:
    Chain input_ext (1 references)
     pkts bytes target     prot opt in     out     source               destination         
      0  238K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            PKTTYPE = broadcast
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 4
        0    0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
       0    0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            PKTTYPE = multicast
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            PKTTYPE = broadcast
       0  0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-DROP-DEFLT "
        0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-INext-DROP-DEFLT "
       0  0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 ctstate NEW LOG flags 6 level 4 prefix "SFW2-INext-DROP-DEFLT "
      0  0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    Explanation (No spoiler tags?):
    Note how iptables has a default policy for INPUT set to drop, this means that any packet that does not match one of the rules will be dropped. In addition, there is a DROP for all packets at the end of the INPUT chain. Note that the LOG above the DROP in the INPUT chain ensures that all these packets get logged so we can always check if there is some communication made that we did not approve of.

    Then the OUTPUT chain is set to ACCEPT all traffic. This is done because the computer will likely need to act as a client various services like HTTP, SSH and so on. The reason its set to accept is to allow use of the high non reserved ports since they are assigned randomly and its not really possible to predict what service will use what port.

    Lastly there is input_ext chain which is actually referenced in the INPUT chain. Since its referenced before the LOG and DROP, iptables will check this chain to see if the packet matches any of the rules here. Notice in this chain there are 3 LOG rules which are used to track what type of traffic is being sent to us if it didnt match the rules above (TCP, ICMP or UDP). After the packets are logged they are dropped.

    IMO these rules are pretty good, it could be hardened further if you are dedicated but I think you should be able to do that with the SuSE firewall, unless you really really want to write all the rules yourself

    Hope that wasnt too much to read...
    openSUSE Leap (42.1) 64 bit
    Plasma 5.4

  3. #3

    Default Re: How to replace openSUSE firewall with a custom script of rules?

    Thanks a lot for taking the time to write that.

    Quote Originally Posted by alanbortu View Post
    Note how iptables has a default policy for INPUT set to drop, this means that any packet that does not match one of the rules will be dropped. In addition, there is a DROP for all packets at the end of the INPUT chain. Note that the LOG above the DROP in the INPUT chain ensures that all these packets get logged so we can always check if there is some communication made that we did not approve of.
    Actually the policy seems to be:

    1. Accept all on lo
    2. Accept related and established on all interfaces
    3. Accept ICMP
    4. Accept all input on internal interace
    5. Log all (with some limit burst etc)
    6. And just after all that - drop


    And what I want is something like:

    Code:
    #!/bin/bash
    ipt=`which iptables`
    
    $ipt -F
    $ipt -t nat -F
    
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -s 127.0.0.1/8 -i ! lo -j LOG
    $ipt -A INPUT -s 127.0.0.1/8 -i ! lo -j DROP
    
    # and then allow only what I really need
    I am not sure I want all the logging which SuSEfirewall2 does by default. Why would I fill my journal with that info? I suppose cleaner approach would be: if some program doesn't work, use tcpdump to see what it needs and add it to the custom script as a rule.

    Then the OUTPUT chain is set to ACCEPT all traffic. This is done because the computer will likely need to act as a client various services like HTTP, SSH and so on. The reason its set to accept is to allow use of the high non reserved ports since they are assigned randomly and its not really possible to predict what service will use what port.
    I certainly don't want anything happening randomly. No program should communicate without being explicitly allowed. Imagine this machine used as as a router and there are Windows machines in the LAN. Some of the machines might get infected by something at any time and start sending and receiving info randomly (not that Windows is not a spyware by itself but that's another story). You get the point.

    I also don't want to forward all ports for all protocols to all the world.

    Also - why would I want all the icmp related accepts which SuSEfirewall2 offers by default? I don't want even to be pinged (except from a few known hosts).

    I hope that makes clear why I am looking for a solution with full control over all this.

  4. #4
    Join Date
    Nov 2013
    Location
    Canadiana
    Posts
    461

    Default Re: How to replace openSUSE firewall with a custom script of rules?

    Quote Originally Posted by heyjoe View Post
    Code:
    #!/bin/bash
    ipt=`which iptables`
    
    $ipt -F
    $ipt -t nat -F
    
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -s 127.0.0.1/8 -i ! lo -j LOG
    $ipt -A INPUT -s 127.0.0.1/8 -i ! lo -j DROP
    
    # and then allow only what I really need
    I am not sure I want all the logging which SuSEfirewall2 does by default. Why would I fill my journal with that info? I suppose cleaner approach would be: if some program doesn't work, use tcpdump to see what it needs and add it to the custom script as a rule.

    I certainly don't want anything happening randomly. No program should communicate without being explicitly allowed. Imagine this machine used as as a router and there are Windows machines in the LAN. Some of the machines might get infected by something at any time and start sending and receiving info randomly (not that Windows is not a spyware by itself but that's another story). You get the point.

    I also don't want to forward all ports for all protocols to all the world.

    Also - why would I want all the icmp related accepts which SuSEfirewall2 offers by default? I don't want even to be pinged (except from a few known hosts).

    I hope that makes clear why I am looking for a solution with full control over all this.
    Ah you didn't mention you wanted to use this as a router

    There is a configuration file for susefirewall located at /etc/sysconfig/SuSEfirewall2 (https://en.opensuse.org/SuSEfirewall2) which may help you out with some of what you want. Perhaps the best way to set it would be with a systemd service for your custom rules? You could just tell it when to start and it should work... but I havent tried this before so maybe someone else can help with that

    Best of luck.
    openSUSE Leap (42.1) 64 bit
    Plasma 5.4

  5. #5

    Default Re: How to replace openSUSE firewall with a custom script of rules?

    Quote Originally Posted by alanbortu View Post
    You could just tell it when to start and it should work... but I havent tried this before so maybe someone else can help with that
    That's what I am here for

  6. #6
    Join Date
    Nov 2013
    Location
    Canadiana
    Posts
    461

    Default Re: How to replace openSUSE firewall with a custom script of rules?

    Quote Originally Posted by heyjoe View Post
    That's what I am here for
    There is some documentation here:
    http://www.freedesktop.org/software/...temd.unit.html
    https://wiki.archlinux.org/index.php...ing_unit_files
    openSUSE Leap (42.1) 64 bit
    Plasma 5.4

  7. #7

    Default Re: How to replace openSUSE firewall with a custom script of rules?

    In /usr/lib/systemd/system I see:

    Code:
    -rw-r--r--  1 root root   423 Jun 27 12:44 SuSEfirewall2.service
    -rw-r--r--  1 root root   240 Jun 27 12:44 SuSEfirewall2_init.service
    Is it appropriate to use one of them (which one if yes?) as a template and put my own firewall script in the ExecStart? Then I will simply enable my service and disable the SuSEfirewall2 one. Would that be a clean solution?

  8. #8

    Default Re: How to replace openSUSE firewall with a custom script of rules?

    I still hope someone can answer as I couldn't find info how to properly activate the custom script. I don't want to break anything.

  9. #9
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    10,925
    Blog Entries
    2

    Default Re: How to replace openSUSE firewall with a custom script of rules?

    Without digging into why your script may not work (if you want help with this, start with providing a link to whatever you're using to guide your efforts),

    You should know that SUSE FW is only one iptables management app.
    It's pretty well known that SUSE FW is a fairly simple tool which only supports most common User scenarios.


    Searching the OSS,
    Code:
    zypper se firewall
    Returns a couple tools "Firewall Builder" and "Firewall Configuration" which might be of interest (I haven't used either).


    Searching the OSS, it looks like there is an alternative to to SUSE FW called xfw.
    You may want to try uninstalling SUSE FW and installing ufw
    Code:
    zypper rm SuSEfirewall2 yast2-firewall && zypper in xfw
    You can also download iptables firewall config and managers from non-openSUSE sources, just be sure to uninstall SuSEfirewall2 first.

    TSU

  10. #10

    Default Re: How to replace openSUSE firewall with a custom script of rules?

    I don't want to install other firewalls. I can write my own iptables lines. My script will work - it has worked for years on an older router and on a different distro, so the script itself is ok. It is similar to this one but not identical.

    I understand that the SuSEfirewall2 service needs to be disabled. I know how to do that in YaST. The only question is how to make my script run on boot, i.e. register it as a service with proper parameters.

Page 1 of 3 123 LastLast

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •