Can anyone provide a clear overview of the move to firewalld?

After reading https://forums.opensuse.org/showthread.php/529287-Update-after-kernel-14-11-1-killed-firewall-in-YaST
I'm slightly confused and concerned about how the firewall is operating and configured on my system. The post claims TW has moved to firewalld, but systemctl status firewalld.service shows the service as dead. systemctl status SuSEfirewall2.service suggests SuSEfirewall2 is still operating.

So how should users proceed? I assume set up the firewalld configs, enable it and then disable SuSEfirewall2? Are there any hints/tutorials on this for a typical desktop system? Should users wait for YaST integration or further additions?

Perhaps this should have been more clearly communicated to TW users? Thanks for any advice.

What I learned on my TW machines:

  • Susefirewall2 is still running

  • But the service tool in YaST is gone (irreversible, as it seems)

On the other hand:

  • firewalld is disabled (YaST: Service Manager)

  • But the YaST Firewall tool tries to contact firewalld…

So far so good. Kind of mix-up…

That’s deliberate AFAIU, so that SuSEfirewall2 users aren’t crippled suddenly, but the move was discussed in the mailing list (although I didn’t see any announcements), and I linked to a mailing list thread discussing it…
https://forums.opensuse.org/showthread.php/529169-yast2-firewall-launches-firewalld-GUI-since-most-recent-dup?p=2851862#post2851862

So how should users proceed? I assume set up the firewalld configs, enable it and then disable SuSEfirewall2? Are there any hints/tutorials on this for a typical desktop system? Should users wait for YaST integration or further additions?

There is ‘susefirewall2-to-firewalld’ package containing a migration script that is supposed to help with this. I haven’t investigated further as I’m not using TW. Those comfortable with firewalld can configure via CLI or graphically using the ‘firewall-config’ utility.
https://software.opensuse.org/package/firewall-config?search_term=firewall-config

Perhaps this should have been more clearly communicated to TW users? Thanks for any advice.

Yes, I agree that it could have been announced better.

I switched only 2 machines with TW yet, but what I found on both on activation of firewalld:

The network card was switched to “PUBLIC” as the default profile, which is OK, but:

This PUBLIC profile on both machines allowed by default:

  • IPv6DHCP
  • ssh

If I want something NOT allowed by default in public, it’s ssh (and the ipv6 stuff at least the same). That’s strange imho…

Yes, I’ve had some issues with the switch to firewalld. After reading some ML posts, I knew that the firewall-cmd command was what’s needed. Did half an hour of reading the man page and now firewalld is running in a config that has the same effect as my SuSEfirewall2 had. Main commands (run as root) that helped me:

firewall-cmd --get-services

This produces a list of known services. To open ports for a webserver, and make that persistent:

firewall-cmd --permanent --add-service=http --add-service=https

…switched another TW, again, ssh and ipv6dhcp were allowed in firewalld default “public” profile of the active network device (in this case: a wifi card…). Not nice.

I followed this post with great interest and spent a few hours reading the documentation (http://www.firewalld.org/documentation/) but I am still quite confused. A lot of those descriptions are quite general and may be OK for computer experts but not for someone like me who learned by doing (and with a lot of help from you guys in the forum here) to administrate a small network for our small business and private computer use. I found for example in /etc/firewalld the file lockdown-whitelist.xml. I was really looking for a blacklist and I don’t understand what the whitelist file is either - e.g. things like <selinux context=“system_u:system_r:virtd_t:s0-s0:c0.c1023”/>.
Further it refers to a file /usr/bin/firewall-config which does not seem to exist in my system. However the command shows:

firewall-cmd --list-services
FirewallD is not running

So obviously this is still work in progress. Hopefully we will get more information on how to use it in future. I for example am happy with the zone “public” on the ethernet cable but I would like to have “external” or similar on WiFi. Ethernet is our home/business network, WiFi could be any public area. Further, how you can easily block e.g. IP addresses. From the concepts page (http://www.firewalld.org/documentation/concepts.html) I see that iptables is still in the backend and I am happy to use commands like “-A INPUT -d 172.253.0.0/16 -j REJECT”
So I appreciate all the work which goes in but I hope for some more explanations (with examples) for non-experts like me.
Cheers
Uli

You would need to install the ‘firewall-config’ package first.

The firewalld documentation can be found here:

http://www.firewalld.org/documentation/

The graphical ‘firewall-config’ UI is useful for those average users who need to check or modify the firewall settings. It seems pretty intuitive to me. However, as ‘suse_rasputin’ mentioned, ‘ssh’ is allowed by default for public (default zone) and the external zone (if chosen). I think the rationale behind this might be to prevent accidental lockout from a remote server which is likely being administrated via ssh, but I would expect most experienced admins not to get caught out like this.

I’m sure that the decision to allow those services even on a public interface by default was made because if you apply a default configuration to a remote machine you wouldn’t want to experience a nasty surprise blocking your network connection without any way to recover.

You can certainly close those ports if you wish to.

The firewalld documentation lists each recommended default zone configuration at the following link

http://www.firewalld.org/documentation/zone/examples.html

TSU

You need to enable and start the firewall with

sudo systemctl enable firewalld
sudo systemctl start firewalld

Yes, that’s my thinking for the rationale behind it as well.

Thanks, deano_ferrari, at the moment there is no GUI - I have installed this firewall-config package as you wrote but my system seems to be still on SuSEfirewall2. When I open the GUI in YaST it wants to connect to firewalld which is not running. When the switch comes (I presume with an update and the script you mentioned in a previous post) I will see what the GUI looks like and if necessary will ask then. I will disable ssh - I haven’t got it configured anyway, not even on my servers, since our small business runs from home. I will need however the dhcp6 client since we buy quite a bit from China and if that’s disabled I often get “Server not available”.
Cheers
Uli

You can stop SuSEfirewall2 with

sudo systemctl stop SuSEfirewall2

and disable it (so that it doesn’t start again at boot) with

sudo systemctl disable SuSEfirewall2

When I open the GUI in YaST it wants to connect to firewalld which is not running…

Enable and start firewalld.service with ‘systemctl’ as I already explained, then you can use the graphical utility to configure as you like.

I have read these examples, tsu2, and I wondered whether just to delete e.g. the line <service name=“ssh”/> or whether I should leave the default and just close port22 (e.g. firewall-cmd --zone=public --remove-port=22/ssh)
Cheers
Uli

If firewalld is running on your system, you could do something like this via CLI…

sudo firewall-cmd --zone=public --remove-service=ssh --permanent

or just do it using firewall-config.

I tried that and got:

linux-top:/usr/bin # firewall-cmd --zone=public --remove-service=ssh --permanent
success
linux-top:/usr/bin # firewall-cmd --list-services
ssh dhcpv6-client
linux-top:/usr/bin #

As you see, the service ssh is still listed even though the removal claimed success.

Restart the firewall

sudo systemctl restart firewalld

then check again.

Yes the GUI seems very good - I just removed the tick at ssh and now it looks like:

linux-top:/usr/bin # firewall-cmd --list-services
dhcpv6-client
linux-top:/usr/bin #

Thanks a lot deano-ferrari and others
Cheers
Uli

If you use the YaST tool: HEADS UP!

It is by default set to “Configuration: Runtime”

Choose “Permanent” from the drop down menu, otherwise after a reboot you are back to “default”…

And more confusing: I disabled both ssh and dhcpv6-client in the YaST tool as permanent and did (after a reboot)

sudo firewall-cmd --list-services
ssh dhcpv6-client

So apparently the firewall does what it wants regarding turning services on/off…

Still: It is absolutely inappropriate to expose ssh by default in the public profile
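The confusion in the posts above comes from firewalld keeping two separate states: the permanent zone file (e.g. /etc/firewalld/zones/public.xml, where the `<service name="ssh"/>` lines live) and the runtime state that `firewall-cmd --list-services` reports, which only picks up permanent changes after a reload or restart. The following audit script is an added example, not code from the thread or from the firewalld project; it parses a constructed sample of a permanent zone file and a constructed sample of the runtime listing, reports the drift between them, and flags services (ssh by default) that are still exposed in the running firewall.

```python
"""Audit a firewalld zone: permanent config (zone XML) vs runtime state.

Constructed sample data stands in for /etc/firewalld/zones/public.xml and
the output of `firewall-cmd --list-services`; no firewalld is needed to run.
"""
import xml.etree.ElementTree as ET

# Constructed sample of a permanent zone file after
# `firewall-cmd --zone=public --remove-service=ssh --permanent`
PERMANENT_PUBLIC_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <service name="dhcpv6-client"/>
</zone>
"""

# Constructed sample of `firewall-cmd --list-services` (runtime) captured
# before the permanent change was applied with --reload or a restart.
RUNTIME_LIST_SERVICES = "ssh dhcpv6-client\n"


def parse_zone_services(xml_text):
    """Return the set of service names enabled in a permanent zone XML."""
    root = ET.fromstring(xml_text)
    return {el.get("name") for el in root.findall("service") if el.get("name")}


def parse_runtime_services(output):
    """Return the set of services from `firewall-cmd --list-services` output."""
    return set(output.split())


def audit_zone(permanent_xml, runtime_output, unwanted=("ssh",)):
    """Compare permanent and runtime state and flag unwanted exposure."""
    permanent = parse_zone_services(permanent_xml)
    runtime = parse_runtime_services(runtime_output)
    return {
        "permanent": sorted(permanent),
        "runtime": sorted(runtime),
        # Runtime differs from permanent: a reload/restart is still pending.
        "needs_reload": permanent != runtime,
        # Services reachable right now although absent from the permanent config.
        "runtime_only": sorted(runtime - permanent),
        # Unwanted services still exposed in the running firewall.
        "exposed_unwanted": sorted(runtime & set(unwanted)),
    }


if __name__ == "__main__":
    for key, value in audit_zone(PERMANENT_PUBLIC_XML, RUNTIME_LIST_SERVICES).items():
        print(f"{key}: {value}")
```

On a real host, feed it the contents of the zone file and the actual `firewall-cmd --list-services` output; a `needs_reload` of True is the situation shown in the posts above, where the permanent removal of ssh has not yet reached the running firewall.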