
Thread: can anyone provide a clear overview of the move to firewalld?

  1. #1
    Join Date
    Feb 2016
    Location
    Berlin
    Posts
    350

    Default can anyone provide a clear overview of the move to firewalld?

    After reading https://forums.opensuse.org/showthre...rewall-in-YaST
    I'm slightly confused and concerned about how the firewall is operating and configured on my system. The post claims TW has moved to firewalld, but systemctl status firewalld.service shows the service as dead. systemctl status SuSEfirewall2.service suggests SuSEfirewall2 is still operating.

    So how should users proceed? I assume set up the firewalld configs, enable it and then disable SuSEfirewall2? Are there any hints/tutorials on this for a typical desktop system? Should users wait for YaST integration or further additions?

    Perhaps this should have been more clearly communicated to TW users? Thanks for any advice.

  2. #2

    Default Re: can anyone provide a clear overview of the move to firewalld?

    What I learned on my TW machines:

    - Susefirewall2 is still running

    - But the service tool in Yast is gone (irreversible, as it seems)

    On the other hand:

    - firewalld is disabled (YaST: Service Manager)

    - But the Yast Firewall tool tries to contact firewalld...

    So far so good. Kind of mix-up...
    Kind regards

    raspu

  3. #3
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    17,615
    Blog Entries
    1

    Default Re: can anyone provide a clear overview of the move to firewalld?

    Quote Originally Posted by ndc33 View Post
    After reading https://forums.opensuse.org/showthre...rewall-in-YaST
    I'm slightly confused and concerned about how the firewall is operating and configured on my system. The post claims TW has moved to firewalld, but systemctl status firewalld.service shows the service as dead. systemctl status SuSEfirewall2.service suggests SuSEfirewall2 is still operating.
    That's deliberate AFAIU, so that SuSEfirewall2 users aren't crippled suddenly, but the move was discussed on the mailing list (although I didn't see any announcements), and I linked to a mailing list thread discussing it...
    https://forums.opensuse.org/showthre...62#post2851862

    So how should users proceed? I assume set up the firewalld configs, enable it and then disable SuSEfirewall2? Are there any hints/tutorials on this for a typical desktop system? Should users wait for YaST integration or further additions?
    There is a 'susefirewall2-to-firewalld' package containing a migration script that is supposed to help with this. I haven't investigated further as I'm not using TW. Those comfortable with firewalld can configure via CLI or graphically using the 'firewall-config' utility.
    https://software.opensuse.org/packag...irewall-config
    Perhaps this should have been more clearly communicated to TW users? Thanks for any advice.
    Yes, I agree that it could have been announced better.

  4. #4

    Default Re: can anyone provide a clear overview of the move to firewalld?

    I switched only 2 machines with TW yet, but what I found on both on activation of firewalld:

    The network card was switched to "PUBLIC" as the default profile, which is OK, but:

    This PUBLIC profile on both machines allowed by default:

    - IPv6DHCP
    - ssh

    If I want something NOT allowed by default in public, it's ssh (and the ipv6 stuff at least the same). That's strange imho...
    Kind regards

    raspu

  5. #5
    Join Date
    Jun 2008
    Location
    Groningen, Netherlands
    Posts
    17,551
    Blog Entries
    13

    Default FYI ....Re: can anyone provide a clear overview of the move to firewalld?

    Yes, I've had some issues with the switch to firewalld. After reading some ML posts, I knew that the firewall-cmd command was what's needed. Did half an hour of reading the man page and now firewalld is running in a config that has the same effect as my SuSEfirewall2 had. Main commands (run as root) that helped me:
    Code:
    firewall-cmd --get-services
    This produces a list of known services. To open ports for a webserver, and make that persistent:
    Code:
    firewall-cmd --permanent --add-service=http --add-service=https
    ° Appreciate my reply? Click the star and let me know why.

    ° Perfection is not gonna happen. No way.

    https://en.opensuse.org/openSUSE:Board#Members
    http://en.opensuse.org/User:Knurpht
    http://nl.opensuse.org/Gebruiker:Knurpht

  6. #6

    Default Re: can anyone provide a clear overview of the move to firewalld?

    ...switched another TW, again, ssh and ipv6dhcp were allowed in firewalld default "public" profile of the active network device (in this case: a wifi card...). Not nice.
    Kind regards

    raspu

  7. #7

    Default Re: can anyone provide a clear overview of the move to firewalld?

    I followed this post with great interest and spent a few hours reading the documentation (http://www.firewalld.org/documentation/), but I am still quite confused. A lot of those descriptions are quite general and may be OK for computer experts but not for someone like me who learned by doing (and with a lot of help from you guys in the forum here) to administrate a small network for our small business and private computer use. I found for example in /etc/firewalld the file lockdown-whitelist.xml. I was really looking for a blacklist and I don't understand what the whitelist file is either - e.g. things like <selinux context="system_u:system_r:virtd_t:s0-s0:c0.c1023"/>.
    Further, it refers to a file /usr/bin/firewall-config which does not seem to exist on my system. However, the command shows:
    Code:
    firewall-cmd --list-services
    FirewallD is not running
    
    So obviously this is still work in progress. Hopefully we will get more information on how to use it in future. I for example am happy with the zone "public" on the ethernet cable, but I would like to have "external" or similar on WiFi. Ethernet is our home/business network, WiFi could be any public area. Further, how can you easily block e.g. IP addresses? From the concepts page (http://www.firewalld.org/documentation/concepts.html) I see that iptables is still in the backend and I am happy to use commands like "-A INPUT -d 172.253.0.0/16 -j REJECT"
    So I appreciate all the work which goes in, but I hope for some more explanations (with examples) for non-experts like me.
    Cheers
    Uli

  8. #8
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    17,615
    Blog Entries
    1

    Default Re: can anyone provide a clear overview of the move to firewalld?

    Quote Originally Posted by fuerstu View Post

    Further, it refers to a file /usr/bin/firewall-config which does not seem to exist on my system.
    You would need to install the 'firewall-config' package first.

  9. #9
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    17,615
    Blog Entries
    1

    Default Re: can anyone provide a clear overview of the move to firewalld?

    The firewalld documentation can be found here:

    http://www.firewalld.org/documentation/

    The graphical 'firewall-config' UI is useful for those average users who need to check or modify the firewall settings. It seems pretty intuitive to me. However, as 'suse_rasputin' mentioned, 'ssh' is allowed by default for public (default zone) and the external zone (if chosen). I think the rationale behind this might be to prevent against accidental lockout from a remote server situation which is likely being administrated via ssh, but I would expect most experienced admins not to get caught out like this.

  10. #10
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    8,822
    Blog Entries
    1

    Default Re: can anyone provide a clear overview of the move to firewalld?

    Quote Originally Posted by suse_rasputin View Post
    ...switched another TW, again, ssh and ipv6dhcp were allowed in firewalld default "public" profile of the active network device (in this case: a wifi card...). Not nice.
    I'm sure that the decision to allow those services even on a public interface by default was made because if you apply a default configuration to a remote machine you wouldn't want to experience a nasty surprise blocking your network connection without any way to recover.

    You can certainly close those ports if you wish to.

    The firewalld documentation lists each recommended default zone configuration at the following link

    http://www.firewalld.org/documentati.../examples.html

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!
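A defender-side check for the points raised in posts #7 and #10 (ssh and dhcpv6-client open in the default public zone, a Wi-Fi interface that should sit in a stricter zone, and blocking a subnet), added here as an example and not code from this thread or from the firewalld project. It parses a constructed zone file written in firewalld's zone XML format (the format of the files under /etc/firewalld/zones/), reports which services the zone opens, and emits the firewall-cmd commands that would remove those services from the zone, move the Wi-Fi interface into the external zone, and reject the subnet with a rich rule. The sample XML, the interface name wlan0, the subnet 172.253.0.0/16 and the list of services treated as unwanted in a public zone are assumptions made for the example.

```python
"""Audit a firewalld zone file and print remediation commands (example)."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of /etc/firewalld/zones/public.xml as the
# thread describes the default: ssh and dhcpv6-client allowed, Wi-Fi bound.
SAMPLE_PUBLIC_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <interface name="wlan0"/>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <rule family="ipv4">
    <source address="192.0.2.0/24"/>
    <reject/>
  </rule>
</zone>
"""

# Assumption for this example: services a desktop policy does not want
# reachable from an untrusted zone. Adjust to local policy.
UNWANTED_IN_PUBLIC = {"ssh", "dhcpv6-client"}


def parse_zone(xml_text):
    """Return the parts of a zone file that matter for the audit."""
    root = ET.fromstring(xml_text)
    rich_rules = []
    for rule in root.findall("rule"):
        src = rule.find("source")
        # The action is whichever of accept/reject/drop is present.
        action = next((a for a in ("accept", "reject", "drop")
                       if rule.find(a) is not None), None)
        rich_rules.append((rule.get("family"),
                           src.get("address") if src is not None else None,
                           action))
    return {
        "name": root.findtext("short") or "",
        "target": root.get("target", "default"),
        "interfaces": [i.get("name") for i in root.findall("interface")],
        "services": [s.get("name") for s in root.findall("service")],
        "ports": [(p.get("port"), p.get("protocol")) for p in root.findall("port")],
        "rich_rules": rich_rules,
    }


def audit_zone(zone, zone_name="public", unwanted=UNWANTED_IN_PUBLIC):
    """List the services that are open in the zone but should not be."""
    return [f"service '{svc}' is open in zone '{zone_name}'"
            for svc in zone["services"] if svc in unwanted]


def remediation_commands(zone, zone_name="public", unwanted=UNWANTED_IN_PUBLIC,
                         wifi_iface=None, block_cidr=None):
    """Build the firewall-cmd lines that would fix the audit findings.

    --permanent writes the zone file; the final --reload applies it to the
    running configuration (runtime and permanent config are separate).
    """
    cmds = []
    for svc in zone["services"]:
        if svc in unwanted:
            cmds.append(f"firewall-cmd --permanent --zone={zone_name} "
                        f"--remove-service={svc}")
    if wifi_iface and wifi_iface in zone["interfaces"]:
        # Move the Wi-Fi interface out of public into the stricter external zone.
        cmds.append(f"firewall-cmd --permanent --zone=external "
                    f"--change-interface={wifi_iface}")
    if block_cidr:
        # Rich rule equivalent of "-A INPUT -s <cidr> -j REJECT" for this zone.
        cmds.append(f"firewall-cmd --permanent --zone={zone_name} "
                    f"--add-rich-rule='rule family=\"ipv4\" "
                    f"source address=\"{block_cidr}\" reject'")
    cmds.append("firewall-cmd --reload")
    return cmds


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_PUBLIC_ZONE)
    print(f"zone {zone['name']}: interfaces={zone['interfaces']} "
          f"services={zone['services']} rich_rules={zone['rich_rules']}")
    for finding in audit_zone(zone):
        print("FINDING:", finding)
    print("suggested commands (review before running as root):")
    for cmd in remediation_commands(zone, wifi_iface="wlan0",
                                    block_cidr="172.253.0.0/16"):
        print("  " + cmd)
```

The script only reads XML and prints commands; nothing is applied until an administrator runs the printed lines. On a system where NetworkManager manages the interface, the zone binding is better set on the connection profile than with --change-interface, so treat that line as the firewalld-side equivalent rather than the only option.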
