11.4 new install, how to operate Firewall?

I have done a new install of 11.4 and as with previous versions, I have to go to YAST2 and disable the firewall before I have internet and local network access. Finally I must find out how to do this correctly.

How do I change the default firewall to allow me internet and local network access without disabling it completely?

Also I am unclear about the function of Novel Network Armor? What does this do?

Thanks - I am an advanced newbie (and probably always will be).

It sounds like you’re saying that you need to modify the firewall in order
for this 11.4 server to access other things on the network, which is
definitely not true. The default firewall rules block incoming requests,
not outgoing requests.

If you are wanting to know how to allow access to this 11.4 system from
other things (whether on your local network or the Internet) then how you
configure your firewall depends on which services you want to allow. If
you want to allow SSH, allow SSH… httpd? httpd. There are nice little
drop-downs from which you can choose/select/enable specific ports in Yast:

sudo /sbin/yast firewall

Good luck.

On 05/25/2011 07:36 AM, georgeinacton wrote:
>
> I have done a new install of 11.4 and as with previous versions, I have
> to go to YAST2 and disable the firewall before I have internet and local
> network access. Finally I must find out how to do this correctly.
>
> How to I change the default firewall to allow me internet and local
> network access without disabling it completely?
>
> Also I am unclear about the function of Novel Network Armor? What does
> this do?
>
> Thanks - I am an advanced newbie (and probably always will be).
>
>

Hello,
you can read about firewalls in general and configuring the Firewall with YaST here: Chapter

Thank you for the link and for the tip about allowing services. Obviously I have lots to learn. The info at the link will no doubt be helpful but probably too technical for me at my current state of knowledge.

My simple observation is that with Firewall enabled, I have 1) no local network access (looking outward from this new 11.4) or 2) internet access from this machine (Firefox does not find websites). With the firewall disabled, both of these functions work. I don’t think that I am supposed to operate with the firewall disabled?

I don’t think that I am supposed to operate with the firewall disabled?

Certainly not. Try to configure your firewall with yast. Assign your network interface card as external and close all ports to start with. The firewall will not prevent you from browsing the outside world.

Thank you. I will experiment with that.

K, neat observation, so now we troubleshoot. Post the output from the
following commands:

ip addr
ip route
ip -s link
grep -v '^#' /etc/resolv.conf
ping -c 2 8.8.8.8
ping -c 2 google.com
ping -c 2 novell.com
ping -c 2 130.57.5.70

Good luck.

On 05/25/2011 09:36 AM, georgeinacton wrote:
>
> Thank you. I will experiment with that.
>
>

Now I check again and with the firewall ON or OFF I have web access, unlike this morning! Once again I checked access to my local network and with the firewall ON I do not see the local machines yet with the firewall OFF I do see them.

I am doing your tests with the firewall ON:

george@linux-mii1:~> ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
inet 127.0.0.2/8 brd 127.255.255.255 scope host secondary lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0b:cd:66:e8:6c brd ff:ff:ff:ff:ff:ff
inet 192.168.1.14/24 brd 192.168.1.255 scope global eth0
inet6 fe80::20b:cdff:fe66:e86c/64 scope link
valid_lft forever preferred_lft forever

george@linux-mii1:~> ip route
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.14
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 192.168.1.1 dev eth0

george@linux-mii1:~> ip -s link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
RX: bytes packets errors dropped overrun mcast
23267 316 0 0 0 0
TX: bytes packets errors dropped carrier collsns
23267 316 0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0b:cd:66:e8:6c brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
11412110 19799 0 8219 0 0
TX: bytes packets errors dropped carrier collsns
739669 6615 0 0 0 0

george@linux-mii1:~> grep -v '^#' /etc/resolv.conf
nameserver 192.168.1.1

george@linux-mii1:~> ping -c 2 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_req=1 ttl=47 time=92.9 ms
64 bytes from 8.8.8.8: icmp_req=2 ttl=47 time=101 ms

--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 92.931/97.370/101.809/4.439 ms

george@linux-mii1:~> ping -c 2 google.com
PING google.com (74.125.91.106) 56(84) bytes of data.
64 bytes from qy-in-f106.1e100.net (74.125.91.106): icmp_req=1 ttl=44 time=144 ms
64 bytes from qy-in-f106.1e100.net (74.125.91.106): icmp_req=2 ttl=44 time=262 ms

--- google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 144.675/203.393/262.111/58.718 ms

george@linux-mii1:~> ping -c 2 novell.com
PING novell.com (130.57.5.70) 56(84) bytes of data.

--- novell.com ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1006ms

george@linux-mii1:~> ping -c 2 130.57.5.70
PING 130.57.5.70 (130.57.5.70) 56(84) bytes of data.

--- 130.57.5.70 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1007ms

After the negative result on the last two, I went back and ping’d google again and got:

george@linux-mii1:~> ping -c 2 google.com
PING google.com (74.125.91.106) 56(84) bytes of data.
64 bytes from qy-in-f106.1e100.net (74.125.91.106): icmp_req=1 ttl=44 time=120 ms
64 bytes from qy-in-f106.1e100.net (74.125.91.106): icmp_req=2 ttl=44 time=138 ms

--- google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 120.472/129.407/138.342/8.935 ms

That sounds like it is working properly… for some reason I cannot ping
novell.com either so that does not matter. Internet access seems to work
per your description.

Local network access is another issue. How do you expect to be able to
“see” other machines on your network? Tried pinging them by IP address?
Allowed whichever protocol(s) you are trying to use?

Good luck.

On 05/25/2011 04:06 PM, georgeinacton wrote:
>
> Now I check again and with the firewall ON or OFF I have web access,
> unlike this morning! Once again I checked access to my local network
> and with the firewall ON I do not see the local machines yet with the
> firewall OFF I do see them.
>
> I am doing your tests with the firewall ON:

Thank you.
To try to “see” local machines I go to Dolphin > Network > Samba Shares.
Firewall ON - does not work
Firewall OFF - works

There is an excellent graphical guide for allowing samba services here:

Samba and Suse: HowTo Set up an openSUSE-Windows Home Office LAN/Network. Versions 11.x

On Wed May 25 2011 07:36 pm, georgeinacton wrote:

>
> Thank you.
> To try to “see” local machines I go to Dolphin > Network > Samba
> Shares.
> Firewall ON - does not work
> Firewall OFF - works
>
>
georgeinacton;

You need to allow the “Netbios Server”, “Samba Client” and if you want to
share files with other machines, “Samba Server”. It is recommended you
allow “Samba Server” but not completely necessary. Go to YaST > Security and
Users > Firewall > Allowed Services, then enable Netbios Service, Samba
Client and Samba Server.

P. V.
“We’re all in this together, I’m pulling for you.” Red Green
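As an added example (not from the thread or from the SuSEfirewall2 project), here is a small POSIX shell script that works out which ports the YaST "Allowed Services" choices actually open by reading FW_CONFIGURATIONS_EXT together with the per-service definition files, and then checks whether the four ports Samba's daemons listen on (137/udp and 138/udp for nmbd, 139/tcp and 445/tcp for smbd) are all open. The config and service files are constructed samples that mimic the layout of /etc/sysconfig/SuSEfirewall2 and /etc/sysconfig/SuSEfirewall2.d/services/ (an assumption about the file format, not copied from a real system).

```shell
#!/bin/sh
# Added example, not from the thread. Every file written below is a
# constructed sample mimicking /etc/sysconfig/SuSEfirewall2 and the
# service definitions in /etc/sysconfig/SuSEfirewall2.d/services/.
WORK=$(mktemp -d)
SERVICES="$WORK/services"
mkdir -p "$SERVICES"
printf '## Name: Samba Server\nTCP="139 445"\nUDP="137 138"\n' > "$SERVICES/samba-server"
printf '## Name: Samba Client\nUDP="137 138"\n' > "$SERVICES/samba-client"
printf '## Name: Netbios Server\nUDP="137 138"\n' > "$SERVICES/netbios-server"
printf '## Name: Secure Shell Server\nTCP="22"\n' > "$SERVICES/sshd"

# Constructed config: eth0 is the external zone and only these services are
# allowed, i.e. the state after enabling Netbios Server and Samba Client only.
printf 'FW_DEV_EXT="eth0"\nFW_CONFIGURATIONS_EXT="sshd samba-client netbios-server"\n' > "$WORK/SuSEfirewall2"

# cfg_get FILE VAR: value of VAR="..." without sourcing the file
# (commented-out assignments do not match because of the ^ anchor).
cfg_get() { sed -n "s/^$2=\"\\(.*\\)\"/\\1/p" "$1"; }

# open_ports CONFIG SERVICEDIR: one "proto/port" per line for every service
# named in FW_CONFIGURATIONS_EXT; unknown service names are reported on stderr.
open_ports() {
  for svc in $(cfg_get "$1" FW_CONFIGURATIONS_EXT); do
    f="$2/$svc"
    [ -f "$f" ] || { echo "unknown service: $svc" >&2; continue; }
    for p in $(cfg_get "$f" TCP); do echo "tcp/$p"; done
    for p in $(cfg_get "$f" UDP); do echo "udp/$p"; done
  done | sort -u
}

# samba_ports_ok CONFIG SERVICEDIR: 0 when 137/udp, 138/udp, 139/tcp and
# 445/tcp are all open; otherwise print what is still closed and return 1.
samba_ports_ok() {
  have=$(open_ports "$1" "$2")
  missing=""
  for need in udp/137 udp/138 tcp/139 tcp/445; do
    echo "$have" | grep -qx "$need" || missing="$missing $need"
  done
  [ -z "$missing" ] || { echo "still closed:$missing"; return 1; }
}

samba_ports_ok "$WORK/SuSEfirewall2" "$SERVICES" || echo "enable Samba Server in YaST as well"
```

Pointing open_ports at the real /etc/sysconfig/SuSEfirewall2 and its services directory shows exactly what the external zone accepts after each YaST change.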

hello venzep and thanks.

I did as you suggested and I enabled the three services.

Now on this 11.4 machine, I can see the other local network computers and drives. However I do not see this machine from the others? Do I need to activate Samba Server?

Do I need to enter the workgroup name somewhere? This machine sees the two local workgroups but it is not part of one of them?

One more question: how do I change the name of this machine as it appears on the network? As installed, it has the default name of “linux-miil”

Now on this 11.4 machine, I can see the other local network computers and drives. However I do not see this machine from the others? Do I need to activate Samba Server?

Yes, here it is described how you can do it: Chapter.
See point 29.4.1. Configuring a Samba Server with YaST

Do I need to enter the workgroup name somewhere? This machine sees the two local workgroups but it is not part of one of them?

If you will use only the client, then you can do it in the dialog Yast+Network Services+Windows Domain Membership.

One more question: how do I change the name of this machine as it appears on the network? As installed, it has the default name of “linux-miil”

Host name can be changed from Yast/Network Settings

isemionov - thank you!

I did read over the reference on setting up Samba with YAST. Much of it goes over my head however. I am an “advanced beginner only”

I did activate Samba server and I realized that I had it running on the 11.3 machine that is visible over the local network to the Windows machines but this 11.4 machine still is not visible to the others. I have carefully compared all the settings in Firewall, Network Settings and Samba Server between the 11.3 and the 11.4 machines and I believe that the two are set up the same. I did manage to change the name of the 11.4 machine as you showed me. I also downloaded and installed 178 updates and rebooted.

But the 11.4 machine is still not visible to the others on the network.

Any further advice or suggestions would be appreciated.

Go to:
Yast > Novell AppArmor > AppArmor Control Panel > Configure profiles
and set AppArmor to complain for both usr.sbin.nmbd and usr.sbin.smbd rather
than enforce.

Or just disable AppArmor altogether from Yast/AppArmor Control Panel.

After this, restart Samba:

sudo rcsmb restart

Also you have to set the password for the user who wants to log in to the Linux server:

sudo smbpasswd -a <your linux user name>

After logging in to \\YOUR_LINUX_SERVER\YOUR_LINUX_USER_NAME you will see your Linux home folder.
Additionally you can add other shares for other directories.

isemionov - thank you.

I disabled AppArmor. While attempting to restart Samba with your instruction, I get “rcsmb” command not found. Is there a typo? So I restarted the system, thinking it would accomplish the same thing.

NOW - I see the 11.4 machine in SMB window on that same machine for the first time but NOT yet in the other linux machine (11.3)!!??

Also, I did the smbpasswd thing and that seemed to work but I cannot access - it keeps asking me for the username and password - over and over and over.

One step forward, one step back

While attempting to restart Samba with your instruction, I get “rcsmb” command not found. Is there a typo?

It’s because the path for this command needed to be specified:

sudo /usr/sbin/rcsmb restart

Alternatively

su -c 'rcsmb status'

Did you set Service Start - During Boot during the Samba server configuration (Yast/Network Services/Samba server)?
Also set “Open Port in Firewall” on both SUSE machines (also here: Yast/Network Services/Samba server).
Check if the samba service is working like this:

sudo /etc/init.d/smb status
root's password:
Checking for Samba SMB daemon                                                        running

NOW - I see the 11.4 machine in SMB window on that same machine for the first time but NOT yet in the other linux machine (11.3)!!??

Did you set the same workgroup on both machines? Try to access it by IP address.

Also, I did the smbpasswd thing and that seemed to work but I cannot access - it keeps asking me for the username and password - over and over and over.

It should work; what was the output of smbpasswd?
It should look like:

smbpasswd -a test2
New SMB password:
Retype new SMB password:
Added user test2.

When you set up the Samba server, I hope you indicated that it is not a domain controller?

On Thu May 26 2011 02:06 pm, georgeinacton wrote:

>
> isemionov - thank you.
>
> I disabled AppArmor. While attempting to restart Samba with your
> instruction, I get “rcsmb” command not found. Is there a typo? So I
> restarted the system, thinking it would accomplish the same thing.
>
> NOW - I see the 11.4 machine in SMB window on that same machine
> for the first time but NOT yet in the other linux machine (11.3)!!??
>
> Also, I did the smbpasswd thing and that seemed to work but I cannot
> access - it keeps asking me for the username and password - over and
> over and over.
>
> One step forward, one step back
>
>
georgeinacton;

This HowTo will help you set up Samba on both Linux machines.

http://opensuse.swerdna.org/suselanprimer.html

Set the following three parameters on only one machine:

local master = Yes
Preferred master = yes
os level = 65

On 11.4 it is quite difficult to fully disable AppArmor; go to YaST>Novell
AppArmor>AppArmor Control Panel>Set Profile Mode and set both
usr.sbin.smbd and usr.sbin.nmbd to complain rather than enforce.

Make sure smb and nmb are both set to start at boot on all machines.
YaST>System>System Services(Runlevel) and make sure both the above are
enabled.

If you are still having problems, please post the contents of
your /etc/samba/smb.conf for each linux machine.


P. V.
“We’re all in this together, I’m pulling for you.” Red Green
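As an added example (not from the thread or from the HowTo linked above), here is a POSIX shell script that reads the [global] section of the smb.conf from each Linux machine and checks the two points raised in this thread: every machine must be in the same workgroup, and the "preferred master" parameters must be set on exactly one of them. The two smb.conf files are constructed samples (paths and netbios names are made up), and the check works for any number of machines, not just two.

```shell
#!/bin/sh
# Added example, not from the thread. The two smb.conf files below are
# constructed samples standing in for /etc/samba/smb.conf on each machine.
WORK=$(mktemp -d)
cat > "$WORK/smb.conf.113" <<'EOF'
[global]
	workgroup = HOMELAN
	netbios name = SUSE113
	local master = Yes
	preferred master = yes
	os level = 65
EOF
cat > "$WORK/smb.conf.114" <<'EOF'
[global]
	workgroup = homelan
	netbios name = SUSE114
	local master = Yes
	preferred master = yes
	os level = 65
EOF

# smb_global FILE KEY: value of KEY inside [global] only; keys are matched
# case-insensitively, ';' and '#' comment lines are skipped, absent key -> "".
smb_global() {
  awk -v key="$2" '
    /^[[:space:]]*[;#]/ { next }
    /^[[:space:]]*\[/   { insec = (tolower($0) ~ /\[global\]/); next }
    insec && /=/ {
      k = $0; sub(/=.*/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
      if (tolower(k) != tolower(key)) next
      v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
      print v; exit
    }' "$1"
}

# check_lan FILE...: 0 when all files share one workgroup (compared without
# case, as Samba does) and exactly one is preferred master; else report, return 1.
check_lan() {
  masters=0; wg=""; rc=0
  for f in "$@"; do
    this=$(smb_global "$f" workgroup | tr 'a-z' 'A-Z')
    [ -n "$wg" ] || wg=$this
    [ "$this" = "$wg" ] || { echo "$f: workgroup $this differs from $wg"; rc=1; }
    case $(smb_global "$f" "preferred master" | tr 'A-Z' 'a-z') in
      yes|true|1) masters=$((masters + 1)) ;;
    esac
  done
  [ "$masters" -eq 1 ] || { echo "$masters machines claim preferred master, set it on exactly one"; rc=1; }
  return $rc
}

check_lan "$WORK/smb.conf.113" "$WORK/smb.conf.114" || echo "fix smb.conf before restarting smb and nmb"
```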