Firewall allowed services question

I have read a lot about the SuSE firewall, but I have a lingering question.

I have one ethernet card and it is assigned as “external zone”. I have one service allowed for the external zone: SSH.

My question is…if I only have SSH allowed why does my web browser still access the internet?

Is all internet browsing allowed by the firewall by default? Are there other services that the firewall allows that are not listed in Yast?

If I wanted to configure the firewall to disable all internet access…or even all network access of any kind…how would I do this?


The firewall does not normally block outgoing traffic (like your browser connecting to a http server on the Internet). It does block incoming connection requests (like someone on the Internet trying to SSH to your system, which you just allowed as you said).

I would do this with a special hardware firewall (will be installed at /dev/ethernet/cable).


That’ll do it. lol!

Ok. To selectively block outgoing traffic I suppose I would have to do something fancy with iptables.

I hope you understand that the openSUSE Firewall is using iptables. YaST > Security > Firewall is a GUI to a file where a configuration is stored. That configuration is used on every boot to generate iptables.

As I see it the Firewall is there to block/allow traffic from outside to enter your system. The outside can be split up in External, Internal and Demilitarised Zones when you have more than one NIC. So I doubt if there is a place in YaST > Security > Firewall to accommodate what you want. But as I never tried to do this, I may be wrong.

You could look at /etc/sysconfig/SuSEfirewall2. It contains some documentation and refers to other files (also with documentation) on your system.

As you apparently want to allow SSH from outside the solution provided by Akoellh might not be what you are looking for, but you could deinstall browsers, ntp, … all sorts of client software. Pfff! When you do not need a DE on the system (I do not know what you are intending to do with it), you could start making it text only, which will remove a lot of TCP/IP clients.


I don't get it. If you do not want any network just stop the network. You can temporarily do that (until reboot) with:
rcnetwork stop
This will stop any network activity until reboot.
If you want to always disable networking of any kind go to yast System Services and deselect network in your current runlevels. That is all you need to do.

Ok. I could shut down services.
My question was about my trying to understand the firewall behaviour. I thought I had observed that local Samba will not work unless the firewall allows it to access the network. IOW the firewall blocks both inbound and outbound applications/services sometimes. This observation led me to assume the firewall blocks anything in either direction unless it is listed as “allowed”.

My assumption isn’t right. Not the first time!

So I am now wondering what the boundaries of the firewall are with regard to limiting outgoing stuff.

The background is that I am experimenting with SSH across the Atlantic to a SuSE PC on my brother’s LAN. He runs Windows machines on the same LAN and he is sort of paranoid about viruses and such and is a little wary of my experiments with linux. He had also heard that linux is an open route to trojans because it doesn’t use anti-virus and firewalls. I happen to think his fears are misplaced, but as an easy gesture I thought I’d apply the SuSE firewall to block any possibility of an app. browsing his LAN.

This is why I wanted to know what local applications the firewall allows by default.

By “firewall” I mean the firewall GUI in Yast2.

As for the boundaries well,

open all => block all

So pretty wide…

But tbh you seem to be tackling this wrong.

Linux	| shared lan <->Windows

*Surely this is better*

Linux	  No shared lan	|Windows

As for doing that on Windows wouldn’t have a clue but on linux as mentioned the firewall is just a front end to iptables and you have a wealth of tools. From matching by port/ip/uid/state etc etc…

As for your brother's concern I would be asking for proof. But to me you're asking how do I secure the gate from the outside; the answer is you can't. What if, hypothetically, you're owned, which if I was your brother I would be more concerned with, as you have a ssh server running. What stops them bringing the wall down, and then let's say you get some rules on the network… The new questions become how do I stop mac spoofing, ip changing etc.etc… on the windows firewall/network.

As for your brother's unfounded fears there are more problems with trojans etc and MS software due to the many people running their OS with elevated rights due to the inconvenience of having an admin account separate. Whereas with linux this is practically a God spoken rule.

I would ask him how does he guarantee that a file isn’t executed on his systems as on Linux this involves several tricks, then I would ask how to automate an install of an app on a linux system, with root rights. When he discovers this isn’t quite as easy as spoken maybe the argument will have to change.

As for adding rules etc iptables -l will show all the rules, and some basic understanding of them will help, but for one-offs whilst experimenting you can add them to the chains, but they won't last a reboot. To make them last a reboot will involve using the custom bit of the firewall; read the conf file in SuseFirewall, it is well documented. But this in my eyes is the wrong way to do this: shut the gate from the inside if your brother is concerned (and I suspect this will be easier with iptables than anything like an off the shelf firewall for MS). But should you go this way you'll become quite intimate with all the networking protocols, a fair few use dynamic ports for outgoing, you and netstat will become best of friends.

should have been iptables -L

Also as for your brother's fears how does he surf then, many servers are run on Linux, I guess he doesn't use Google then. :wink:
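The two posts above (hcvv's pointer to the custom-rules file documented in /etc/sysconfig/SuSEfirewall2, and FeatherMonkey's advice to "shut the gate from the inside" with iptables matching on port/ip/uid/state) describe the approach but show no rules. The script below is an added example, not code from the thread or from SuSEfirewall2: an egress allowlist for the OUTPUT chain of a single-NIC box. It assumes a resolver address of 192.0.2.53 and a local uid of 1000 (both placeholders), leaves INPUT untouched so the SSH service already allowed in YaST keeps working, and prints the rules rather than applying them unless told to, so they can be reviewed first or copied into the custom-rules file that FW_CUSTOMRULES in /etc/sysconfig/SuSEfirewall2 points at.

```shell
#!/bin/sh
# Added example (not from the thread, not part of SuSEfirewall2): egress
# allowlist for the OUTPUT chain of a single-NIC openSUSE host.
# The YaST firewall only filters what comes IN; nothing here touches INPUT.
#
# Assumed values, constructed for this example; set them for your host:
RESOLVER="${RESOLVER:-192.0.2.53}"   # DNS server the box may query (placeholder)
SSH_UID="${SSH_UID:-1000}"           # the one local uid allowed to open outbound SSH

# Emit the rules as text so they can be reviewed before being applied.
# Order matters: the ESTABLISHED,RELATED rule is in place before the policy
# flips to DROP, so an open inbound SSH session (and the replies the sshd
# server sends for it) survive the change; the policy line comes last.
gen_egress_rules() {
    cat <<EOF
iptables -F OUTPUT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp -d ${RESOLVER} --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -m owner --uid-owner ${SSH_UID} -m state --state NEW -j ACCEPT
iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DROP: "
iptables -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
iptables -P OUTPUT DROP
EOF
}

# Sanity check on a generated set: how many rules ACCEPT something.
count_accept_rules() {
    gen_egress_rules | grep -c -- '-j ACCEPT'
}

# Run the generated commands in order; stops at the first failing one.
apply_egress_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
    gen_egress_rules | sh -e
}

# "show" (default) prints the rules; "apply" installs them.
case "${1:-show}" in
    apply) apply_egress_rules ;;
    *)     gen_egress_rules ;;
esac
```

Anything not matched (a browser opening port 80, a client using a dynamic outgoing port, Samba browsing the LAN) hits the LOG rule and then the REJECT, so `dmesg` or the syslog shows an `EGRESS-DROP:` line for each blocked attempt; that is the quickest way to discover which client programs were talking out in the first place. The REJECT before the DROP policy gives the local program an immediate error instead of a hang. Rules added this way are lost on reboot, as FeatherMonkey notes, unless they are placed in the SuSEfirewall2 custom-rules file.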

FeatherMonkey wrote:
> Edit
> should have been iptables -L
> Also as for your brother's fears how does he surf then many servers are
> run on Linux, I guess he doesn’t use Google then. :wink:
Or Bing, MS’s own search engine…
