Bring Me Up to Date on openSUSE and the Firewall

Hi:
Some of this is tech I used to know and understand before grey matter began taking over on me.

My first question:
Home Network, going through my own Router, to a Cable Modem/Router.
What would be the preferred zone for my NIC (eth0)? And, why?
I currently have this:

StudioAsus01:~ # firewall-cmd --get-active-zones
docker
  interfaces: docker0
internal
  interfaces: eth0


Do I need/want the docker interface: docker0?
Do I want the eth0 interface to be in the internal zone? Or, would it be better in the home zone?

Next, the following: Does firewall-cmd just automatically use the public zone unless told otherwise?

StudioAsus01:~ # firewall-cmd --list-all
You're performing an operation over default zone ('public'),
but your connections/interfaces are in zone 'docker,internal' (see --get-active-zones)
You most likely need to use --zone=docker option.

public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


Checking docker, I get this:

StudioAsus01:~ # firewall-cmd --zone=docker --list-all
docker (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: docker0
  sources: 
  services: 
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


Is that what I want? Or, not?

Checking internal, I get:

StudioAsus01:~ # firewall-cmd --zone=internal --list-all
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: mdns ssh tigervnc tigervnc-https vnc-server
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


That all looks okay to me, but do I want internal or another zone, such as home or work?
Or, do you see something that could pose me a risk? (I really do not trust off-the-shelf routers completely, as they are not supported for very long with security updates. I also never trust ISPs all that much and their own firmware Modem/Routers, especially Canada’s Monopolistic Telecom and Cable Giants.)

I have further questions, but this is a starter.

Thanks for your help.

What’s in a name? You can call a zone “gobbledygook” if you want; it won’t change anything. What matters is the rules that are configured inside this zone.

Of course it is easier if the zone name somehow reflects the intended usage of this zone, which is the reason why there are multiple existing zones in the firewalld distribution. But in the end it is up to you to decide how you will be using zones and what content each zone needs to have.

Does firewall-cmd just automatically use the public zone unless told otherwise?

firewalld (firewall-cmd is just a tool to configure firewalld) has a default zone which is used if no zone is explicitly specified. By default it is “public”; that can be changed to any configured zone.

Is that what I want?

You seriously expect us to tell you what you want?

If you need to open specific application/protocol and do not know how to do it, that would be sensible question. “Tell me what I want” is not.

Hi Gerry

Firewalld is well documented and worth a quick read…
https://firewalld.org/documentation/

One of many gentle introductions…
https://www.putorius.net/introduction-to-firewalld-basics.html

The zones can be configured as you wish, so the public (default) zone is okay to start with for most desktop users with a device having a single interface. Allow/block services as required.

If you prefer to configure via a GUI, then install the ‘firewall-config’ utility.

Feel free to ask questions as you progress through this. :)

Thank you, Deano. I actually did follow the link to the Firewalld online manuals and started going through that. However, since I have not had to really do any Systems work in a few years, I was a bit unclear on some of the things.

The help here has assisted in clarifying what is going on (arvidjaar, none of the documentation is clear that those are just “names”, and since many of us are not actually writing and repairing the software, we have no idea what a developer means if their documentation is unclear. For all we know, those could be some built-in configurations with meaningful consequences and impacts.).

Yes, if I need more help or clarification, I will certainly ask again.

Yes, easy to get out of touch with things that are visited infrequently.

The help here has assisted in clarifying what is going on (arvidjaar, none of the documentation is clear that those are just “names”, and since many of us are not actually writing and repairing the software, we have no idea what a developer means if their documentation is unclear. For all we know, those could be some built-in configurations with meaningful consequences and impacts.).

I’ve found it helpful to inspect the underlying configuration files provided by the firewalld package. (The zones for example, are defined in .xml files located in /usr/lib/firewalld/zones/).

Yes, if I need more help or clarification, I will certainly ask again.

Given your experience, I’m sure things will soon drop into place for you, and you’ll be helping others to get it working as they’d like. :)
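The two points made above, that a zone name carries no meaning of its own and that the zones are just the content of the .xml files under /usr/lib/firewalld/zones/, can be checked directly. The following is an added example, not code from any poster or from the firewalld project: it reads zone definitions in that XML layout and reduces each to the fields that decide what happens to a packet. The four sample zones are constructed here from the `firewall-cmd --list-all` output posted in the question (`public`, `internal` and `docker`), plus a `home` zone given exactly the same content as `internal` to show that the two behave identically. On a real host, point `load_zone_dir` at /etc/firewalld/zones/ (local copies, which take precedence) and /usr/lib/firewalld/zones/ (package defaults).

```python
"""Read firewalld zone definitions and compare what they actually permit.

Added example: not code from the thread or from the firewalld project.  The
zone files below are constructed from the `firewall-cmd --list-all` output
posted in the question, written in the layout of /usr/lib/firewalld/zones/*.xml.
"""
import glob
import os
import xml.etree.ElementTree as ET

SAMPLE_ZONES = {
    # Mirrors the posted `public` zone: one service, default target.
    "public": """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="dhcpv6-client"/>
</zone>""",
    # Mirrors the posted `internal` zone.
    "internal": """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Internal</short>
  <service name="mdns"/>
  <service name="ssh"/>
  <service name="tigervnc"/>
  <service name="tigervnc-https"/>
  <service name="vnc-server"/>
</zone>""",
    # Constructed: a zone called "home" with exactly the same content as
    # "internal".  Different name, identical behaviour.
    "home": """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Home</short>
  <service name="mdns"/>
  <service name="ssh"/>
  <service name="tigervnc"/>
  <service name="tigervnc-https"/>
  <service name="vnc-server"/>
</zone>""",
    # Mirrors the posted `docker` zone: target ACCEPT, bound to docker0.
    "docker": """<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>docker</short>
  <interface name="docker0"/>
</zone>""",
}


def parse_zone(xml_text):
    """Reduce a zone definition to the fields that decide packet fate."""
    root = ET.fromstring(xml_text)
    return {
        "target": root.get("target", "default"),
        "interfaces": sorted(i.get("name") for i in root.findall("interface")),
        "services": sorted(s.get("name") for s in root.findall("service")),
        "ports": sorted(f"{p.get('port')}/{p.get('protocol')}"
                        for p in root.findall("port")),
        "forward": root.find("forward") is not None,
        "masquerade": root.find("masquerade") is not None,
    }


def load_zone_dir(path):
    """Parse every <name>.xml in a zone directory, keyed by zone name."""
    zones = {}
    for f in glob.glob(os.path.join(path, "*.xml")):
        with open(f, encoding="utf-8") as fh:
            zones[os.path.splitext(os.path.basename(f))[0]] = parse_zone(fh.read())
    return zones


def zone_diff(a, b):
    """Fields on which two parsed zones differ, as {field: (a_value, b_value)}."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


def inbound_policy(zone):
    """What firewalld does with unsolicited inbound traffic arriving on this
    zone's interfaces, decided by the zone target."""
    if zone["target"] == "ACCEPT":
        return "accept everything; the service/port lists add nothing"
    if zone["target"] == "DROP":
        return "silently drop anything not explicitly allowed"
    # "default" and "%%REJECT%%" both reject what is not explicitly allowed
    # (services, ports, rich rules).
    return "reject anything not explicitly allowed"


if __name__ == "__main__":
    zones = {name: parse_zone(xml) for name, xml in SAMPLE_ZONES.items()}
    for name, z in zones.items():
        print(f"{name:9} target={z['target']:8} services={z['services']} "
              f"-> {inbound_policy(z)}")
    print("home vs internal:",
          zone_diff(zones["home"], zones["internal"]) or "no difference")
    print("public vs internal:", zone_diff(zones["public"], zones["internal"]))
```

The interesting line in the output is the `docker` zone: with `target="ACCEPT"` every packet arriving on docker0 is accepted, so its empty service list is not a restriction. Note that interface-to-zone binding is not always in the zone file; on a NetworkManager system it usually comes from the connection profile, and `firewall-cmd --get-zone-of-interface eth0` reports the effective binding either way.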

This is a little off subject, but I have a similar problem to the OP… too many candles on my birthday cake (75).

Anyway, I just set up my local network again, and I try to document what I am doing, both for myself and any others that read my Web Pages. My question is this: is it unsafe to put your local IP and MAC in a document that is published on the Web? Example:

  Wired                  HP Trdm4             192.168.0.11      10.1F.xx.E9.CB.xx
  2.4G Guest Wireless    Asus Dakotah-i7      182.168.0.8       80.86.xx.C6.A8.xx

I purposely put in fake ones here in case it is bad BUT I would like to put the actual ones in the document. I actually have 4 columns of 12 items listed like the above.

Private IP addresses live in your own LAN, and could really only present a risk if someone had access to your public gateway IP address and could access/bypass the associated firewall somehow.

192.168.0.11 is a private address, but 182.168.0.8 isn’t.

henk@boven:~> nslookup 182.168.0.8 
8.0.168.182.in-addr.arpa        name = pb6a80008.tokynt01.ap.so-net.ne.jp. 

Authoritative answers can be found from: 

henk@boven:~>

I suspect that was a typo, and 192.168.0.8 was intended.

It was inside CODE tags. If people cannot be trusted to copy/paste, then all things posted here are very suspicious.

We can only ask the poster to clarify. Using CODE tags means nothing.

Of course one can cheat inside and outside CODE tags. But I always hope that I can find at least information to be trusted inside them :\

It’s definitely unsafe to post MAC addresses on the Internet – “Media Access Control” addresses –

  • They’re pretty much unique (world-wide) and they’re tied to a particular piece of hardware.
  • If you’re locking down a WLAN (WiFi) by means of the devices’ MAC addresses, then, assuming someone cracks the SSID password and spoofs the publicised MAC address(es), your WLAN will be used by uninvited visitors …

If the local IP address is a private IP address, then that is usually not so bad, because of an IP router’s behaviour with respect to private networks –

  • Except for, the WLAN case …

If the local IP address isn’t a private IP address, then it’s probably already published on the Internet by means of DNS.

Bottom line –

  • Avoid publishing MAC addresses and private IP addresses on the Internet.

If the said hardware is located within a private network and with an associated private IP address, then it can’t be identified/reached. MAC addresses are only used “internally” within a given subnet. From the context of a private network, they really don’t make it to the outside world (layer 3 routing is used to route packets by IP address). Public wifi presents a different set of risks as you mentioned.

… unless it is from one of us old farts: “Now why in the world did I put my glasses in the fridge???”
rotfl!

Aw, for crying out loud! No wonder I couldn’t find them. And here I was blaming my wife!

Thank you… and to all the others for their replies. This one from deano is what I thought it should be BUT in researching I got all kinds of info. Just like in this post. I couldn’t see how displaying my “private” numbers would be harmful because they are supposed to be “private” and “local” only. I have the system locked and no one can sign in. Unless they have some magical code. :P

Thanks again to all… (and I am one of the “old farts” )

I meant to say something about this in my previous reply BUT I forgot. Anyway, in my understanding 192.168.0.8 is still private even though it is wireless. The only way it could be accessed is if you knew my sign-on… correct??

Thanks

I am not sure what you mean by “knowing your sign-on”.

A private IP address is an address where traffic to and from it is not handled by routers. Thus it cannot go “outside the LAN”.

There are several ranges of private IP addresses: 10.0.0.0/8, 127.16.0.0/12 and 192.168.0.0/16.
It is more or less a habit for Internet Providers to give home users a router that uses 192.168.0.0/24 on the home LAN, the router itself using 192.168.0.1, and its integrated DHCP server will then give out other addresses in this range. That means that address 192.168.0.8 will be used by probably tens of thousands of systems all over the world.

In short, I can also have a NIC with 192.168.0.8 here in the house. But I could not send packets to your 192.168.0.8, because they will never pass my router, nor will they pass yours or any router in between.

When you have your Wifi access point switched on in your router and protected with a passphrase, and someone connects to it (because (s)he knows that password or breaks the Wifi security), then that system will get an IP address from the router, again in the 192.168.0.0/24 range. After that it will be able to connect to other systems in that LAN. But not all ports will be open on those systems, either because there is no server program running to listen on them, or because they are protected by other security in those server programs (they e.g. accept only from defined IP addresses) or by a firewall on the system.

If the router’s WLAN has a “guest” account, then normally the guests using the WLAN cannot access the LAN associated with that router, or indeed the other guests on the WLAN, or the “non-guest” users on the WLAN (the ones associated with the router’s LAN).
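The advice running through the replies above (do not publish MAC addresses; an RFC 1918 address on its own is not much of a disclosure; the 182.168.0.8 entry is not in a private range and is either a typo or a public address) can be turned into a check that is run over an inventory before it goes on the Web. The following is an added example, not code from any poster in the thread. It takes lines in the same shape as the posted table, redacts the MAC column, and flags any address outside the three RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). The two inventory lines are constructed to match the posted sample, including its “xx”-masked MACs and the 182.168.0.8 slip.

```python
"""Check a home-network inventory before publishing it on the Web.

Added example, not code from the thread.  MAC addresses are redacted and any
address outside the RFC 1918 private ranges is flagged for a second look.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# The three RFC 1918 private ranges.  In an inventory of a home LAN, anything
# outside them is either a typo or a public address that should not be published.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the shape of the posted table: "xx" stands in for
# masked hex digits, and the second address deliberately repeats the 182.168.0.8 slip.
SAMPLE_INVENTORY = """\
Wired                  HP Trdm4             192.168.0.11      10.1F.xx.E9.CB.xx
2.4G Guest Wireless    Asus Dakotah-i7      182.168.0.8       80.86.xx.C6.A8.xx
"""

# Six groups of two hex digits (or "xx" placeholders) separated by '.', ':' or '-'.
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-fx]{2}[.:-]){5}[0-9A-Fa-fx]{2}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Entry:
    line: str
    ip: Optional[str]
    mac: Optional[str]

    @property
    def private(self) -> Optional[bool]:
        """True if the address is RFC 1918, False if not, None if no address found."""
        if self.ip is None:
            return None
        try:
            addr = ipaddress.ip_address(self.ip)
        except ValueError:          # e.g. an octet above 255
            return False
        return any(addr in net for net in RFC1918)


def parse_inventory(text):
    """Pull the IP and MAC out of each non-empty inventory line."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        mac_match = MAC_RE.search(line)
        mac = mac_match.group(0) if mac_match else None
        # Search for the IP with the MAC blanked out, so an all-numeric MAC
        # such as 10.11.12.13.14.15 can never be mistaken for an address.
        rest = line if mac is None else line.replace(mac, " ")
        ip_match = IPV4_RE.search(rest)
        entries.append(Entry(line, ip_match.group(0) if ip_match else None, mac))
    return entries


def sanitize_inventory(text):
    """Return (publishable lines, warnings).

    MACs are replaced in the output; addresses outside RFC 1918 produce a
    warning instead of being silently published."""
    clean, warnings = [], []
    for e in parse_inventory(text):
        out = e.line
        if e.mac:
            out = out.replace(e.mac, "[mac redacted]")
        if e.ip and not e.private:
            warnings.append(f"{e.ip}: not an RFC 1918 address; "
                            "check for a typo or remove before publishing")
        clean.append(out)
    return clean, warnings


if __name__ == "__main__":
    lines, warns = sanitize_inventory(SAMPLE_INVENTORY)
    print("\n".join(lines))
    for w in warns:
        print("WARNING:", w)
```

Run it and the second line is reported because 182.168.0.8 is not in any private range, while both MAC columns come out as `[mac redacted]`. Keep the redaction even for the masked “xx” form: the remaining octets still narrow the device down.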