
Thread: can anyone provide a clear overview of the move to firewalld?

  1. #21

    Default Re: can anyone provide a clear overview of the move to firewalld?

    If I try to disable in console I get:

    Code:
    sudo firewall-cmd --zone=public --remove-service=ssh --permanent
    Warning: NOT_ENABLED: ssh
    success
    asdfg@d:~> sudo firewall-cmd --zone=public --remove-service=dhcpv6-client --permanent
    Warning: NOT_ENABLED: dhcpv6-client
    success
    asdfg@d:~> sudo firewall-cmd --list-services
    ssh dhcpv6-client
    Does this make sense at all?
    Kind regards

    raspu

  2. #22

    Default Re: can anyone provide a clear overview of the move to firewalld?

    Quote Originally Posted by suse_rasputin View Post
    If I try to disable in console I get:

    Code:
    sudo firewall-cmd --zone=public --remove-service=ssh --permanent
    Warning: NOT_ENABLED: ssh
    success
    asdfg@d:~> sudo firewall-cmd --zone=public --remove-service=dhcpv6-client --permanent
    Warning: NOT_ENABLED: dhcpv6-client
    success
    asdfg@d:~> sudo firewall-cmd --list-services
    ssh dhcpv6-client
    Does this make sense at all?
    Add '--permanent' to the last command

  3. #23

    Default Re: can anyone provide a clear overview of the move to firewalld?

    OK, that gives:

    Code:
    sudo firewall-cmd --list-services --permanent
    [sudo] password for root:
    i.e. empty, as intended.

    Many thanks for the clarification!

    But what is the output of the command without the "--permanent"?

    Is this the current status of the firewall?
    Kind regards

    raspu

  4. #24

    Default Re: can anyone provide a clear overview of the move to firewalld?

    Here's what I did, after reading all messages in this thread several times and gnashing teeth over how an unsophisticated user like me could transition to firewalld.


    If I missed a step, I hope others will let me know. If I did it right, I hope my steps can help others.


    FWIW: I compute with Network Manager, seek only to connect to the internet -- web surf, email, ftp -- from a single computer, without a network and without the need for remote access. I have the NetworkManager-openvpn package installed, and use a VPN.

    Code:
    sudo systemctl stop SuSEfirewall2
    sudo systemctl disable SuSEfirewall2
    Code:
    sudo systemctl enable firewalld
    sudo systemctl start firewalld
    And then, in Yast:


    Firewall --> install firewall-config utility
    Firewall-config --> Configuration --> Change from 'Runtime' to 'Permanent'
    In default 'public' zone, uncheck dhcpv6 and ssh services


    Close firewall-config, close Yast, reboot computer to test


    Code:
    sudo firewall-cmd --state
    running
    Code:
    sudo firewall-cmd --list-services
    $
    (With no running services listed, such as the unwanted ssh and dhcpv6-client.)

    A firewall test at grc.com gave me a 'thumbs up.'


    How'd I do? Did I miss anything?


    And, for the benefit of other Tumbleweed users who may read this thread with worry: were these steps even necessary? As a home user without special needs, could I have continued to use already-installed SuSEfirewall2 for months (or years) to come?

  5. #25

    Default Re: can anyone provide a clear overview of the move to firewalld?

    Code:
    sudo firewall-cmd --list-services --permanent
    ... I have no real idea what the output is without the --PERMANENT
    Kind regards

    raspu

  6. #26

    Default Re: can anyone provide a clear overview of the move to firewalld?

    Thanks, raspu. I added the --permanent switch to test. Same results.

  7. #27

    Default Re: can anyone provide a clear overview of the move to firewalld?

    Quote Originally Posted by Tuner View Post
    Thanks, raspu. I added the --permanent switch to test. Same results.
    The runtime configuration relates to the currently active firewall rules loaded in the running firewall. The permanent configuration consists of rules that are loaded from a configuration file and applied when firewalld is started, or when the rules are reloaded. So, after making changes to a permanent configuration, do
    Code:
    firewall-cmd --reload
    or they will be applied when the firewalld service is restarted.

  8. #28

    Default Re: can anyone provide a clear overview of the move to firewalld?

    Quote Originally Posted by suse_rasputin View Post
    Code:
    sudo firewall-cmd --list-services --permanent
    ... I have no real idea what the output is without the --PERMANENT
    Read the guides.

    This reads the configuration file for rules that will be applied when firewalld is (re)started...
    Code:
    sudo firewall-cmd --list-services --permanent
    Without '--permanent', the current runtime service configuration is shown. Changes to the firewall can be applied immediately (but not persistently) with the runtime configuration, but to be applied persistently, the '--permanent' option is used. This will be used the next time firewalld is started, or just reload the firewall rules to have them applied
    Code:
    sudo firewall-cmd --reload
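    An added example (not code from the thread) that makes the runtime/permanent distinction above concrete: it compares the two service lists and flags anything that will change at the next `--reload` or restart. The two sample strings stand in for the real `firewall-cmd` output and are constructed; the commented-out lines show how to capture the live values instead.

```shell
#!/bin/sh
# Added example, not from the thread: detect drift between the runtime and
# permanent firewalld service lists of a zone, so that a change made with
# --permanent but never followed by --reload (or the reverse) is visible.

# Constructed sample values. On a real host use instead:
#   RUNTIME=$(sudo firewall-cmd --zone=public --list-services)
#   PERMANENT=$(sudo firewall-cmd --zone=public --list-services --permanent)
RUNTIME="ssh dhcpv6-client"
PERMANENT=""

# list_drift "<runtime services>" "<permanent services>"
# Prints one line per service present in only one of the two configurations.
# Exit status 0 when both lists match, 1 when they differ.
list_drift() {
    rt=$(printf '%s\n' $1 | sort -u)   # unquoted: split on whitespace
    pm=$(printf '%s\n' $2 | sort -u)
    drift=0
    for s in $rt; do
        case " $2 " in
            *" $s "*) ;;   # also in permanent config: nothing to report
            *) echo "runtime-only: $s (disappears at --reload or restart)"; drift=1 ;;
        esac
    done
    for s in $pm; do
        case " $1 " in
            *" $s "*) ;;
            *) echo "permanent-only: $s (becomes active after --reload)"; drift=1 ;;
        esac
    done
    return $drift
}

# Stand-alone run on the constructed sample: ssh and dhcpv6-client are still
# open at runtime even though the permanent config no longer lists them.
list_drift "$RUNTIME" "$PERMANENT" || echo "runtime and permanent configs differ"
```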

  9. #29

    Default Re: can anyone provide a clear overview of the move to firewalld?

    Quote Originally Posted by Tuner View Post
    Here's what I did, after reading all messages in this thread several times and gnashing teeth over how an unsophisticated user like me could transition to firewalld.


    If I missed a step, I hope others will let me know. If I did it right, I hope my steps can help others....

    FWIW: I compute with Network Manager, seek only to connect to the internet -- web surf, email, ftp -- from a single computer, without a network and without the need for remote access. I have the NetworkManager-openvpn package installed, and use a VPN.

    A firewall test at grc.com gave me a 'thumbs up.'


    How'd I do? Did I miss anything?


    And, for the benefit of other Tumbleweed users who may read this thread with worry: were these steps even necessary? As a home user without special needs, could I have continued to use already-installed SuSEfirewall2 for months (or years) to come?
    If you have a DSL router connecting you to the internet, that would usually take care of the firewall for you, and mitigate the need for a firewall anyway. Some users do have unknown/untrusted hosts present on a shared LAN, and so prefer the additional protection from potential attacks within the network. In this case, having no services defined in the firewall will still allow basic internet connectivity, but unwanted traffic will be blocked, including service discovery via broadcasts. This might be a problem if you were trying, for example, to detect a remote printer for configuration, or if you had a samba server configured for sharing files.

    With respect to the VPN connectivity:

    1) For PPTP connectivity, connection tracking (built-in to the kernel) takes care of the inbound traffic, so no firewall adjustments should be needed.

    2) For openVPN, UDP port 1194 needs to be open. I think firewalld has the 'openvpn' service defined for this.

  10. #30

    Default Re: can anyone provide a clear overview of the move to firewalld?

    A few more comments:
    When configuring with yast and the connections default to public you have both ethernet and wireless in the same zone and you cannot change one of them. However, after changing them from default e.g. to home I could set the other (wireless) interface to external.
    Thanks, suse_rasputin you are right - the configuration should be set to permanent (not runtime) from the start.
    Now I want to create a blacklist of IP addresses and I understand you could enter them under IPSets but this does not seem clear. It says "An IPSet can be used to create white or black lists and is able to store for example IP addresses....". When I highlight the wired connection and go to IPSet and click the plus sign, then a box comes up with fields for Name, Version, Short, Description, Timeout, Hashsize and Maxelem. I don't really know what that is about, I only want to create a blacklist. How can I create a blacklist? I normally have IP addresses from Doubleclick, Rubiconproject.com, and other spy, tracking and "advertising" companies in the blacklist.
    Cheers
    Uli
