so how should users proceed? i assume set up the firewalld configs, enable and then disable susefirewall? are there any hints/tutorials on this for a typical desktop system? should users wait for yast integration or further additions?
perhaps this should have been more clearly communicated to TW users? thanks for any advice.
so how should users proceed? i assume set up the firewalld configs, enable and then disable susefirewall? are there any hints/tutorials on this for a typical desktop system? should users wait for yast integration or further additions?
There is ‘susefirewall2-to-firewalld’ package containing a migration script that is supposed to help with this. I haven’t investigated further as I’m not using TW. Those comfortable with firewalld can configure via CLI or graphically using the ‘firewall-config’ utility. https://software.opensuse.org/package/firewall-config?search_term=firewall-config
perhaps this should have been more clearly communicated to TW users? thanks for any advice.
Yes, I agree that it could have been announced better.
Yes, I’ve had some issues with the switch to firewalld. After reading some ML posts, I knew that the firewall-cmd command was what’s needed. Did half an hour of reading the man page and now firewalld is running in a config that has the same effect as my SuSEfirewall2 had. Main commands (run as root) that helped me:
firewall-cmd --get-services
This produces a list of known services. To open ports for a webserver, and make that persistent:
…switched another TW, again, ssh and ipv6dhcp were allowed in firewalld default “public” profile of the active network device (in this case: a wifi card…). Not nice.
I followed this post with great interest and spent a few hours reading the documentation (http://www.firewalld.org/documentation/) but I am still quite confused. A lot of those descriptions are quite general and may be OK for computer experts but not for someone like me who learned by doing (and with a lot of help from you guys in the forum here) to administrate a small network for our small business and private computer use. I found for example in /etc/firewalld the file lockdown-whitelist.xml. I was really looking for a blacklist and I don’t understand what the whitelist file is either - e.g. things like <selinux context="system_u:system_r:virtd_t:s0-s0:c0.c1023"/>.
further it refers to a file /usr/bin/firewall-config which does not seem to exist in my system. however the command shows:
firewall-cmd --list-services
FirewallD is not running
So obviously this is still work in progress. Hopefully we will get more information on how to use it in future. I for example am happy with the zone “public” on the ethernet cable but I would like to have “external” or similar on WiFi. Ethernet is our home/business network, WiFi could be any public area. Further, how you can easily block e.g. IP addresses. From the concepts page (http://www.firewalld.org/documentation/concepts.html) I see that iptables is still in the backend and I am happy to use commands like “-A INPUT -d 172.253.0.0/16 -j REJECT”
So I appreciate all the work which goes in but I hope for some more explanations (with examples) for non-experts like me.
Cheers
Uli
The graphical ‘firewall-config’ UI is useful for those average users who need to check or modify the firewall settings. It seems pretty intuitive to me. However, as ‘suse_rasputin’ mentioned, ‘ssh’ is allowed by default for public (default zone) and the external zone (if chosen). I think the rationale behind this might be to prevent accidental lockout in a remote server situation, which is likely being administrated via ssh, but I would expect most experienced admins not to get caught out like this.
I’m sure the decision to allow those services even on a public interface by default was made because if you apply a default configuration to a remote machine you wouldn’t want to experience a nasty surprise blocking your network connection without any way to recover.
You can certainly close those ports if you wish to.
The firewalld documentation lists each recommended default zone configuration at the following link
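As an added example (not from this thread, not from the firewalld project): a plan-then-apply script that reproduces the setup discussed above with firewall-cmd, covering the commands in the post about migrating from SuSEfirewall2, the wired-vs-WiFi zone split and the address-range block Uli asked about, and the default-zone ssh lockout concern deano_ferrari raised. The interface defaults (eth0/wlan0) and the function names fw_plan/fw_apply/fw_show are this example's own assumptions; the 172.253.0.0/16 range is the one quoted earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from the firewalld project: print the
# firewall-cmd calls for a typical desktop migration first, apply them only
# when asked. Interface names and the function names are assumptions.

LAN_IF="${LAN_IF:-eth0}"                      # assumption: wired interface
WIFI_IF="${WIFI_IF:-wlan0}"                   # assumption: wireless interface
BLOCKED_NET="${BLOCKED_NET:-172.253.0.0/16}"  # range quoted by Uli above

# fw_plan prints one firewall-cmd invocation per line and changes nothing.
# Every rule is --permanent so it survives a reboot; the final --reload
# activates the permanent configuration in one step.
fw_plan() {
    # Wired stays in "public"; Wi-Fi goes to "drop", which accepts no
    # inbound connections at all (stricter than "external").
    echo "firewall-cmd --permanent --zone=public --change-interface=$LAN_IF"
    echo "firewall-cmd --permanent --zone=drop --change-interface=$WIFI_IF"
    # Keep the DHCPv6 client, remove ssh by service name rather than port,
    # so the whole predefined definition goes, not just 22/tcp.
    echo "firewall-cmd --permanent --zone=public --add-service=dhcpv6-client"
    echo "firewall-cmd --permanent --zone=public --remove-service=ssh"
    # Web server: the predefined http/https services cover 80/tcp and 443/tcp.
    echo "firewall-cmd --permanent --zone=public --add-service=http"
    echo "firewall-cmd --permanent --zone=public --add-service=https"
    # Reject a whole range by *source* address. An INPUT rule written with -d
    # matches packets addressed to that range, which is rarely what is meant
    # when blocking traffic coming from a remote network.
    echo "firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=$BLOCKED_NET reject'"
    echo "firewall-cmd --reload"
}

# fw_apply runs the plan line by line, prints each command first and stops at
# the first failure. It refuses to run when firewall-cmd is absent (for
# example while SuSEfirewall2 is still the active firewall).
fw_apply() {
    command -v firewall-cmd >/dev/null 2>&1 || {
        echo "firewall-cmd not found; is firewalld installed and running?" >&2
        return 1
    }
    plan=$(fw_plan)
    old_ifs=$IFS
    IFS='
'
    set -f                       # no globbing while splitting the plan on newlines
    for cmd in $plan; do
        IFS=$old_ifs
        set +f
        echo "+ $cmd"
        # eval so the single-quoted rich rule reaches firewall-cmd as one argument
        eval "$cmd" || return 1
    done
    IFS=$old_ifs
    set +f
}

# fw_show is the check to run afterwards: which zone each interface is bound
# to, and what "public" now allows.
fw_show() {
    firewall-cmd --get-active-zones
    firewall-cmd --zone=public --list-all
}

if [ "${1:-}" = "apply" ]; then
    fw_apply && fw_show
else
    fw_plan
fi
```

Run it without arguments to review the plan, then with `apply` as root. Two caveats: on a NetworkManager-managed system the zone of an interface is owned by the connection profile, so bind it with `nmcli connection modify <name> connection.zone drop` instead of `--change-interface`, or NetworkManager will reset it; and on a machine you only reach over ssh, make the changes without `--permanent` first (runtime only, lost on a firewalld restart), confirm you can still log in, then persist them with `firewall-cmd --runtime-to-permanent`.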
Thanks, deano_ferrari, at the moment there is no GUI - I have installed this firewall-config package as you wrote but my system seems to be still on SuSEfirewall2. When I open the GUI in yast it wants to connect to firewalld which is not running. When the switch comes (I presume with an update and the script you mentioned in a previous post) I will see what the GUI looks like and if necessary will ask then. I will disable ssh - I haven’t got it configured anyway, not even on my servers, since our small business runs from home. I will need however the dhcp6 client since we buy quite a bit from china and if that’s disabled I often get “Server not available”.
Cheers
Uli
I have read these examples, tsu2, and I wondered whether just to delete e.g. the line <service name="ssh"/> or whether I should leave the default and just close port 22 (e.g. firewall-cmd --zone=public --remove-port=22/tcp)
Cheers
Uli