Thread: SUSE Firewall: set zone per domain, not interface

  1. #1
    Join Date
    Dec 2008
    Location
    Buffalo, MN USA
    Posts
    73

    Question SUSE Firewall: set zone per domain, not interface

    I have no doubt that this has been asked (and answered) multiple times, but I couldn't come up with the search terms needed, so please direct me to that/those discussion(s).

    I have been running OpenSUSE on laptops and servers since 10.3 (now 13.2 & LEAP 42.1) and one aspect of the SUSE Firewall that is troubling has to do with using it with a machine that's portable.

    I'd like to be able to automatically set the Firewall zone of my wi-fi interface based on the domain to which I'm connecting.

    E.g., if I connect to myhome.domain.tld the wlan0 interface is automatically placed in the internal zone. If I connect to a different domain, the interface is automatically placed in the external zone.

    Is this possible? If so, how?

    Thanks,
    ron

  2. #2
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    25,126

    Default Re: SUSE Firewall: set zone per domain, not interface

    On the firewall level, you are talking about IP addresses and networks. Not about domains.
    Henk van Velden

  3. #3
    Join Date
    Dec 2008
    Location
    Buffalo, MN USA
    Posts
    73

    Default Re: SUSE Firewall: set zone per domain, not interface

    Quote Originally Posted by hcvv
    On the firewall level, you are talking about IP addresses and networks. Not about domains.
    And the problem with that approach for workstations (esp. portable laptops) is that there's a likelihood of multiple domains having the same network prefix (192.168.x.x, etc.).

    This seems to be an area where the Windows tool provides a better solution.

    ron

  4. #4

    Default Re: SUSE Firewall: set zone per domain, not interface

    On Wed, 10 Aug 2016 16:56:01 GMT
    r widell <r_widell@no-mx.forums.microfocus.com> wrote:


    > Is this possible? if so, how?
    >


    Yes.

    With a Dispatcher script (NetworkManager) or POST_UP_SCRIPT (wicked).

    Hint:

    SuSEfirewall2 --help | grep FILENAME

    file FILENAME same as "start" but load alternate config file FILENAME

    AK

    --
    Never attribute to malice that which can be adequately explained by stupidity.
    (R.J. Hanlon)


  5. #5
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    11,268
    Blog Entries
    2

    Default Re: SUSE Firewall: set zone per domain, not interface

    Something else I haven't looked at for a very long time...

    Setting up a network profile at the kernel level.
    In other words, instead of a single interface configured for your network device (e.g. wlan0), you can remove that and substitute it with multiple interfaces associated with your network device, each configured differently (e.g. one for each wireless domain). And then, because at the lower level you've defined a specific interface with its own unique name, a firewall configuration for that interface name should be configurable.

    Most articles on the Internet today reference the RHEL documentation for setting this up; for your purposes, substitute your wireless interface name for "eth0" in the documentation:
    https://access.redhat.com/documentat...-profiles.html

    One reason why I haven't looked at this for a long time is that for most people I don't know that it provides advantages over using Network Manager.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  6. #6

    Default Re: SUSE Firewall: set zone per domain, not interface

    On Wed, 10 Aug 2016 19:06:02 GMT
    tsu2 <tsu2@no-mx.forums.microfocus.com> wrote:

    > http://tinyurl.com/z7mdbok


    I hope this was not serious or was it?

    Documentation for RHEL5? Documentation for another distro which is about 10
    years old?

    > One reason why I haven't looked at this for a long time is that for most
    > people I don't know that it provides advantages over using Network
    > Manager.


    Srsly?

    Fun fact, openSUSE once had SCPM for such (and quite a lot more) tasks, but
    that is (at least officially) gone.

    But be that as it may, using the respective standard mechanisms for running custom
    commands after $INTERFACE has been brought up can be done with NWM or wicked
    (ifup).

    There are just minor differences in WHAT to write into WHICH configuration
    file, and this still works today no matter what tool you use for configuring
    network devices.

    For ifup/wicked => POST_UP_SCRIPT (see man ifup / man ifcfg)

    For NWM -> Script in /etc/NetworkManager/dispatcher.d (see man NetworkManager,
    section "DISPATCHER SCRIPTS")

    - Write 2 different configuration files for SuSEfirewall2

    - Write the respective script (depending on configuration method) to be
    called when $INTERFACE has been brought up, which is
    a) checking what network it has just been connected to (via ESSID might be an
    idea)

    b) calling SuSEfirewall2 start file $FILENAME according to the result of a)

    - Use the standard method (depending on configuration method) to call that
    script when $INTERFACE has been brought up

    AK

    --
    Never attribute to malice that which can be adequately explained by stupidity.
    (R.J. Hanlon)
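    The procedure Akoellh outlines in #6 (two SuSEfirewall2 config files, a script run when the interface comes up that checks the ESSID and loads the matching file), written out as a NetworkManager dispatcher script. This is an added example, not code from the thread or from the SuSEfirewall2 project. It assumes the two config files at the paths below already exist (copies of /etc/sysconfig/SuSEfirewall2 with the interface placed in the internal and external zone respectively), that `iwgetid` from wireless-tools is installed, and that the trusted ESSID "myhome-wifi" is a constructed placeholder. The `file FILENAME` subcommand follows the `--help` line quoted in #4. Unknown or missing ESSIDs deliberately fall through to the external config, so a lookup failure never results in the internal zone.

```shell
#!/bin/sh
# Hypothetical path: /etc/NetworkManager/dispatcher.d/90-sfw2-zone
# NetworkManager invokes dispatcher scripts as: <script> <interface> <action>
# (see man NetworkManager, section "DISPATCHER SCRIPTS").

# Assumed config files: admin-written copies of /etc/sysconfig/SuSEfirewall2,
# one with FW_DEV_INT=wlan0, one with FW_DEV_EXT=wlan0 (paths are assumptions).
SFW2_INTERNAL_CONF="${SFW2_INTERNAL_CONF:-/etc/sysconfig/SuSEfirewall2.internal}"
SFW2_EXTERNAL_CONF="${SFW2_EXTERNAL_CONF:-/etc/sysconfig/SuSEfirewall2.external}"

# Space-separated list of ESSIDs that may be treated as the internal zone.
# "myhome-wifi" is a constructed placeholder. ESSIDs containing spaces cannot
# be listed with this simple scheme; keep it to an exact, literal match.
TRUSTED_ESSIDS="${TRUSTED_ESSIDS:-myhome-wifi}"

# Print the ESSID currently associated on interface $1, or nothing on failure.
current_essid() {
    iwgetid -r "$1" 2>/dev/null
}

# Print the config file to load for ESSID $1.
# Internal only on an exact match against TRUSTED_ESSIDS; external otherwise,
# including when the ESSID is empty because the lookup failed (fail-safe).
pick_config() {
    essid=$1
    for trusted in $TRUSTED_ESSIDS; do
        if [ -n "$essid" ] && [ "$essid" = "$trusted" ]; then
            printf '%s\n' "$SFW2_INTERNAL_CONF"
            return 0
        fi
    done
    printf '%s\n' "$SFW2_EXTERNAL_CONF"
}

# Build the SuSEfirewall2 command line for config file $1.
# "file FILENAME" is "same as start but load alternate config file FILENAME",
# as quoted from SuSEfirewall2 --help in post #4.
sfw2_command() {
    printf 'SuSEfirewall2 file %s\n' "$1"
}

main() {
    iface=$1
    action=$2
    # Only react when an interface comes up; ignore down, dhcp4-change, etc.
    [ "$action" = "up" ] || return 0
    essid=$(current_essid "$iface")
    conf=$(pick_config "$essid")
    if [ ! -r "$conf" ]; then
        logger -t sfw2-zone "config $conf not readable, leaving firewall unchanged"
        return 1
    fi
    logger -t sfw2-zone "iface=$iface essid='${essid:-<none>}' loading $conf"
    # shellcheck disable=SC2046
    $(sfw2_command "$conf")
}

main "$@"
```

Install it executable (mode 0755, owned by root) so NetworkManager runs it; with wicked, the same functions can be reused from a POST_UP_SCRIPT in the ifcfg file, with the argument handling adapted to what `man ifcfg` documents for that hook. Because the script chooses the zone purely from the broadcast ESSID, an attacker-run access point advertising the trusted name would also get the internal config; if that matters, the check in `pick_config` is the place to add a stronger criterion (for example the BSSID or the gateway's identity) rather than relying on the name alone.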


  7. #7
    Join Date
    Dec 2008
    Location
    Buffalo, MN USA
    Posts
    73

    Thumbs up Thank you - Re: SUSE Firewall: set zone per domain, not interface

    Thank you to tsu2 and Akoellh.

    I hope to use the directions you provided to expand my knowledge and create the appropriate script to meet my needs.

    If I have detailed questions about why my script doesn't work, I'll start a new thread and refer to this thread for background.

    ron

  8. #8

    Default Re: SUSE Firewall: set zone per domain, not interface

    r widell wrote on Wednesday, 10 August 2016 18:56 in
    opensuse.org.help.network-internet:

    >
    > I have no doubt that this has been asked (and answered) multiple times,
    > but I couldn't come up with the search terms needed, so please direct me
    > to that/those discussion(s).
    >
    > I have been running OpenSUSE on laptops and servers since 10.3 (now 13.2
    > & LEAP42,1) and one aspect of the SUSE Firewall that is troubling has to
    > do with using it with a machine that's portable.
    >
    > I'd like to be able to automatically set the Firewall zone of my wi-fi
    > interface based on the domain to which I'm connecting.
    >
    > E.g., if I connect to myhome.domain.tld the wlan0 interface is
    > automatically placed in the internal zone. If I connect to a different
    > domain, the interface is automatically placed in the external zone.
    >
    > Is this possible? if so, how?


    In LEAP 42.1 / NetworkManager, on the first tab (... Settings) there is a field to
    choose the firewall zone.

    Actually, on my PC there is no zone visible :-\ But maybe this is related to
    my firewall settings. In YaST I see no firewall zones either. Maybe this is an
    individual problem on my PC.

    Check if you can choose the zone in NetworkManager.

    Bye

    Bernd

