Firewall question

Hi all,

OpenSUSE Tumbleweed install, 64-bit, latest snapshot

Unfortunately I come from Ubuntu/Debian world (~8 yrs now), where I understand the simple settings and setup of a desktop computer’s firewall using UFW/GUFW. But, the attraction of a rolling release is too strong, and so I chose to jump in to OpenSUSE. I spent 2-3 hours last night, and a further 2 hours this morning, reading as much as I could (via Google and via the OpenSUSE forum) about Yast2, iptables, and how to configure the Yast2 firewall through opening Yast2. I have ~20 things saved from doing a Google and OpenSUSE forum search on basic firewall setup, and dam# my stupid brain, I am even more confused (sorry) than when I started the Tumbleweed install.

I’ve a simple home network, a combo router/modem provided by the ISP carrier (whose firewall is set to Medium, statefully blocking all incoming, but allowing all outgoing). It has 4 ethernet ports, and on one of those ethernet ports is plugged in a simple 6 port switch. The OpenSUSE machine is plugged into this switch.

In YAST2, Firewall setting shows for “interfaces”:
DEVICE (nothing) INTERFACE or STRING: abc4t1 CONFIGURED IN: No zone assigned

1st question: should a ‘device’ be showing (from my motherboard’s included ethernet, or does this not matter)?

2nd question: what Zone is typically set for a setup like this? Is it ‘external’ or ‘internal’??? I just want simple, further add’l protection for my computer behind the router/combo’s already-running NAT firewall. Trying to find the zone by reading the /usr/share/doc/packages/SuSEfirewall is wholly confusing, as is trying to make sense of the numerous supposed help tutorials put online in OpenSUSE docs. Those docs say to choose a “zone”, but then actually don’t tell you how that choosing applies to different setups (this is where OpenSUSE is making it incredibly hard to attract new users, imho, and hence my asking below about detailed noob writeups for things like the firewall)

3rd question: after finding which ‘zone’ is best, is there any recommended best settings in the “ALLOWED SERVICES” tab of Yast2? For example, in the Ubuntu/Debian world, UFW/GUFW makes it clear with numerous, detailed examples that in a home setting like mine, there really is no reason to have ‘rsync, rdp, rpc, telnet, ftp and ssh’ running. So it is just a simple matter of clicking those services in GUFW and having them not run.

4th question: after this new Tumbleweed install, when I look in Yast2 and then Firewall, it says the Firewall service (under the Startup tab) is currently set to “Enable Firewall Automatic Starting”, and that its current status is: Firewall is running. But when I go to the root terminal, and type in ‘systemd-analyze critical-chain’, it does not show the firewall has been started as the system boots up. So is it really running already as Yast2 says, or should I believe what the root terminal is showing me.

Thank you for any help here. Again, apologies for asking probably totally noobie questions. Like I said, I am trying really hard here. (plz, I ask kindly that you do not lecture me----I am trying hard here to understand OpenSUSE and what I am supposed to be doing…this is really a difficult learning curve with some stuff :()

On further forum research, I just stumbled across a thread by one of the administrators saying to enter this in the root terminal:

/sbin/rcSuSEfirewall2 status

I got back a response with a green dot that says:

SuSEfirewall2.service - SuSEfirewall2 phase 2
Loaded: loaded (/usr/lib/systemd/system/SuSEfirewall2.service; enabled; vendor preset: disabled)
Active: ACTIVE (exited) 2hr 7 min ago

systemd[1]: Starting SuSEfirewall2 phase2…
SuSEfirewall2[1428]: using default zone ‘ext’ for interface abc
systemd[1]: Started SuSEfirewall2 phase 2.

So, in response to question 4 (and indirectly question 2), does this mean the firewall “IS” running and active? As compared to what the root terminal command ‘systemd-analyze critical-chain’ showed (where no firewall startup was present)? And if it is started up & active, that the default zone is ‘EXTERNAL’? If so, why can’t I choose (in Yast2 Firewall) to not have ssh, telnet, rsync, rdp or rpc and ftp run as a service? Or do I have to explicitly go into custom rules to set those up (with their ports and rules) instead of just clicking on that service, like in Ubuntu/Debian, to have them not active and not run???

I do not have answers to all your questions (I have no doubt others will come forward) simply because I do not use the firewall in my systems. Like you, my router blocks all incoming traffic and that satisfies me. IMHO, it could only be that you want to protect the system against other systems in your LAN that would make you want to use the internal firewall.

Also (question #4) you will not be able to see the firewall running as a process in the system. The firewall is a set of IP tables that is used by the kernel. They are internal to the kernel and can be manipulated (and listed) with the iptables command that interfaces to the kernel. SuSEfirewall2 is only a configuration (can be set up using YaST as you found out) that is used at each boot to create the wanted iptables in the kernel. It thus only runs (very briefly) at boot (or when you change the configuration).

…or use the systemctl command

systemctl status SuSEfirewall2

The openSUSE documentation will probably answer your questions…
https://doc.opensuse.org/documentation/leap/security/html/book.security/cha.security.firewall.html#sec.security.firewall.fw

I see you have a few new questions now, but first something to help you posting computer text in these forums:

Please in the future use CODE tags around copied/pasted computer text in a post. It is the # button in the tool bar of the post editor. When applicable copy/paste complete, that is including the prompt, the command, the output and the next prompt.

If I am correct, when you have the firewall active and you then use YaST > System > Services Manager and start e.g. the SSH server, YaST will be so kind to open the firewall for SSH. YaST is a management tool that tries to help you, especially in those cases where you might forget things.

On 12/07/2016 02:16 AM, belham wrote:
>
> OpenSUSE Tumbleweed install, 64-bit, latest snapshot

Good information, thank-you.

> Unfortunately I come from Ubuntu/Debian world (~8 yrs now), where I
> understand the simple settings and setup of a desktop computer’s
> firewall using UFW/GUFW. But, the attraction of a rolling release is
> too strong, and so I chosen to jump in to OpenSUSE. I spent 2-3
> hours last night, and a further 2 hours this morning, reading as much as
> I could (via Google and via the OpenSUSE forum) about Yast2, iptables,
> and how to configure the Yast2 firewall through opening Yast2. I have
> ~20 things saved from doing a Google and OpenSUSE forum search on basic
> firewall setup, and dam# my stupid brain, I am even more confused
> (sorry) than when I started the Tumbleweed install.

I appreciate the preamble; it is useful to know from where one comes to
help them know how best to find their destination.

> I’ve a simple home network, a combo router/modem provided by the ISP
> carrier (whose firewall is set to Medium, statefully blocking all
> incoming, but allowing all outgoing). It has 4 ethernet ports, and on
> one of those ethernet ports is plugged in a simple 6 port switch. The
> OpenSUSE machine is plugged into this switch.
>
> In YAST2, Firewall setting shows for “interfaces”:
> DEVICE (nothing) INTERFACE or STRING: abc4t1 CONFIGURED IN: No zone
> assigned
>
> 1st_question: should a ‘device’ be showing (from my motherboard’s
> included ethernet, or does this not matter)?

I have a bridge device that also shows nothing in the first column; if
things work networking-wise, I would not worry about it. That a physical
device does not show up seems odd, but maybe that’s a cosmetic bug; feel
free to report if you think so via https://bugzilla.opensuse.org

> 2nd_question: what Zone is typically set for a setup like this? Is
> it ‘external’ or ‘internal’??? I just want simple, further add’l
> protection for my computer behind the router/combo’s already-running NAT
> firewall. Trying to find the zone by reading the
> /usr/share/doc/packages/SuSEfirewall is wholly confusing, as is trying
> to make sense of the numerous supposed help tutorials put online in
> OpenSUSE docs. Those docs say to choose a “zone”, but then actually
> don’t tell you how that choosing applies to different setups (this is
> where OpenSUSE is making it incredibly hard to attract new users, imho,
> and hence my asking below about a detailed noob writeups for things like
> the firewall)

Most of the time I think no zone is assigned, and per a previous thread
earlier this year, that means that the external zone is applied. As its
name may imply, ‘external’ means a grouping of rules that should apply to
things that are external, meaning non-DMZ and non-internal, so probably
less-trusted sources. Unless you know otherwise, stick with ‘external’
(or no assignment) for security, lest one day you decide to trust
‘internal’ more and inadvertently open your box to the world (as much as
you can in your networking environment, anyway).

> 3rd_question: after finding which ‘zone’ is best, is there any
> recommended best settings in the “ALLOWED SERVICES” tab of Yast2?
> For example, in the Ubuntu/Debian world, UFW/GUFW makes it clear with
> numerous, detailed examples that in a home setting like mine, there
> really is no reason to have ‘rsync, rdp, rpc, telnet, ftp and ssh’
> running. So it is just a simple matter of clicking those services in
> GUFW and having them not run.

Principles of “Least Privilege” state to provide as little as possible;
install as few programs, run as few programs from those installed, open as
few ports, etc. By default when you add an ‘Allowed Service’ you are
allowing unsolicited connections from the zone (external, internal, or
DMZ) and that should be abnormal; on your laptop, you probably want
nothing open; on a server, you probably want just ports relevant to
desired services open (DNS, SSH, WWW, depending on the box’s purpose).

The default is to allow nothing, because that’s secure. Also, as a side
note, just because you run a service does not mean the firewall will allow
access to it, and just because you open a socket in the firewall does not
mean a service can be reached if it is not also running. None of the
services you mentioned are installed by default (except for SSH), and none
are run by default because not-running services are hard to compromise,
not-accessible services are hard to compromise, and not-installed services
are impossible to compromise.

> 4th_question: after this new Tumbleweed install, when I look in
> Yast2 and then Firewall, it says the Firewall service (under the Startup
> tab) is currently set to “Enable Firewall Automatic Starting”, and that
> its current status is: Firewall is running. But when I go to the
> root terminal, and type in ‘systemd-analyze critical-chain’, it does
> not show the firewall has been started as the system boots up. So is it
> really running already as Yast2 says, or should I believe what the root
> terminal is showing me.

You are asking the system specifically for things that impact boot time;
if you want to see currently-running services, there are ways to do that.


me@mybox:~/Desktop> sudo systemctl status SuSEfirewall2
SuSEfirewall2.service - SuSEfirewall2 phase 2
Loaded: loaded (/usr/lib/systemd/system/SuSEfirewall2.service; enabled)
Active: active (exited) since Tue 2016-11-29 12:44:48 MST; 1 weeks 0
days ago
Process: 4522 ExecStart=/usr/sbin/SuSEfirewall2 boot_setup (code=exited,
status=0/SUCCESS)
Main PID: 4522 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/SuSEfirewall2.service

Nov 29 12:44:48 mybox systemd[1]: Starting SuSEfirewall2 phase 2...
Nov 29 12:44:48 mybox.domain.tld systemd[1]: Started SuSEfirewall2 phase 2.

Notice that it shows ‘active’ in there, and probably the time I rebooted
last for a kernel patch.

Also, since we’re working with NetFilter (firewall in the kernel) as
configured by iptables, you can use the iptables commands common to
basically every Linux distro out there (except perhaps Ubuntu… I don’t
know) to see what rules are currently applied:


sudo /usr/sbin/iptables-save
sudo /usr/sbin/iptables -nvL

> Thank you for any help here. Again, apologies for asking probably
> totally noobie questions. Like I said, I am trying really hard here.
> (plz, I ask kindly that you do not lecture me----I am trying hard here
> to understand OpenSUSE and what I am supposed to be doing…this is
> really a difficult learning curve with some stuff :()

You’re clearly trying; thank-you for making an effort, and for using the
forums. Keep up the questions and I’m sure we’ll find answers (and maybe
even some valuable ones).


Good luck.

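ab's point above, that a running service and an open firewall port are two independent conditions, can be checked mechanically rather than by eyeballing two listings. The script below is an added example for this thread, not code from the forum posters or from the SuSEfirewall2 project: it parses iptables-save and ss -tlnp output, drops loopback-only listeners, and splits the rest into "reachable", "listening but blocked" and "open with nothing listening". The two samples are constructed so it runs offline; the chain name input_ext follows SuSEfirewall2's layout as I remember it and the exact rule shape is an assumption, so feed it your own output on a live box.

```bash
#!/bin/bash
# Added example: reconcile kernel firewall verdicts with listening sockets.
# Live use:   sudo iptables-save | fw_accepted_tcp_ports
#             ss -tlnp           | listening_tcp_ports
# Constructed sample of iptables-save output (rule shape assumed).
SAMPLE_IPTABLES='# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:input_ext - [0:0]
-A INPUT -i eth0 -j input_ext
-A input_ext -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 80 -j ACCEPT
-A input_ext -p udp -m udp --dport 5353 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 23 -j DROP
-A input_ext -j DROP
COMMIT'

# Constructed sample of ss -tlnp output: sshd on all addresses, cupsd on
# loopback only, smbd on all addresses.
SAMPLE_SS='State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    0.0.0.0:22           0.0.0.0:*      users:(("sshd",pid=812,fd=3))
LISTEN  0      128    127.0.0.1:631        0.0.0.0:*      users:(("cupsd",pid=900,fd=7))
LISTEN  0      50     0.0.0.0:445          0.0.0.0:*      users:(("smbd",pid=1201,fd=33))
LISTEN  0      128    [::]:22              [::]:*         users:(("sshd",pid=812,fd=4))'

# TCP destination ports carrying an ACCEPT verdict, as a sorted list.
fw_accepted_tcp_ports() {   # stdin: iptables-save output
    awk '/-p tcp/ && /-j ACCEPT/ { for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i+1) }' \
        | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# TCP ports listening on a non-loopback address (127.x / ::1 are not exposed).
listening_tcp_ports() {     # stdin: ss -tlnp output
    awk 'NR > 1 && $1 == "LISTEN" && $4 !~ /^(127\.|\[::1\])/ { n = split($4, a, ":"); print a[n] }' \
        | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Membership test over a space-separated list.
in_list() { case " $1 " in *" $2 "*) return 0 ;; esac; return 1; }

# Listening on the wire and accepted by the firewall: actually reachable.
reachable_ports() {         # reachable_ports "ACCEPTED" "LISTENING"
    local out="" p
    for p in $2; do in_list "$1" "$p" && out="$out$p "; done
    echo "${out% }"
}

# Listening but dropped: harmless today, exposed the moment a rule opens it.
shielded_ports() {
    local out="" p
    for p in $2; do in_list "$1" "$p" || out="$out$p "; done
    echo "${out% }"
}

# Accepted by the firewall with nothing behind it: close it (least privilege).
idle_holes() {
    local out="" p
    for p in $1; do in_list "$2" "$p" || out="$out$p "; done
    echo "${out% }"
}

ACCEPTED=$(printf '%s\n' "$SAMPLE_IPTABLES" | fw_accepted_tcp_ports)
LISTENING=$(printf '%s\n' "$SAMPLE_SS" | listening_tcp_ports)
echo "firewall accepts        : $ACCEPTED"
echo "listening (non-loopback): $LISTENING"
echo "reachable               : $(reachable_ports "$ACCEPTED" "$LISTENING")"
echo "listening but blocked   : $(shielded_ports "$ACCEPTED" "$LISTENING")"
echo "open, nothing listening : $(idle_holes "$ACCEPTED" "$LISTENING")"
```

The "listening but blocked" line is the one to watch on a desktop: it is the set of daemons (smbd in the sample) that only the firewall stands in front of, so it is what would become reachable if the interface were moved to the internal zone. The "open, nothing listening" line is the reverse, an allowed service left behind after the daemon was removed.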

IMO everything in the above post by ab is correct, including what you have when no devices or interfaces are listed in your SuSEfirewall zones.

Only additional comments…

The command you found executes the SUSEfirewall binary which in turn manages standard Linux IP Tables.
It was probably the preferred command long ago in SysVinit, but since openSUSE adopted systemd, you’re seeing systemd output. Although for the time being your command should work, moving forward you should use the command “systemctl” instead, and if you learn this it can also be applied to every other systemd service or app.

systemctl status SuSEfirewall2

Although by default firewall rules are configured with all interfaces in the external zone, and this is probably the better configuration even in a protected LAN, you can specify an interface to be in the internal zone, which will automatically open common ports used for LAN services, particularly if this machine is a server and not just a client in the network. The external zone will automatically block all incoming traffic initiated by someone else while allowing any return traffic for connections initiated by your machine, which is generally a good place to start.

I haven’t looked specifically at how the Firewall Service is read during startup, but if not, its status is probably easily explained… Unlike some services which must be constantly active to be functional (e.g. a SAMBA server service), the SUSE firewall is not one of these kinds of services. Although its status may often be reported “Active” or “running”, it’s actually better described as “Effective” when it’s “On.” IP tables (and SUSE firewall in general) are a static and passive window screen that blocks or allows and does not actively do anything. So, it’s not really something that has to be “started up” or “actively running”, or that takes any time for processes to be instantiated during bootup… It’s just… something packets are directed through or not.

HTH,
TSU
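Questions 2 and 3 in the thread (which zone an interface lands in, and what that zone lets through) come down to a handful of variables in /etc/sysconfig/SuSEfirewall2, which is the file YaST's Firewall module writes. The script below is an added example, not code from the posters or from the SuSEfirewall2 project: it resolves an interface to a zone the way the thread describes (explicit FW_DEV_EXT/INT/DMZ membership, otherwise the default zone ‘ext’ that the journal line quoted above reports) and lists the TCP ports the zone accepts. The sample config is constructed. Two assumptions to be clear about: the "any" keyword is handled according to my reading of the config comments, and YaST's “Allowed Services” tab, as I recall it, also records entries in FW_CONFIGURATIONS_EXT (and _INT/_DMZ) that point at service definition files under /etc/sysconfig/SuSEfirewall2.d/services/, which this script does not read, so a real audit must include those too.

```bash
#!/bin/bash
# Added example: which zone does an interface get, and what does the zone
# accept? Reads a sysconfig-style file; variable names follow
# /etc/sysconfig/SuSEfirewall2 as I know them. Sample file is constructed.

CONFIG=$(mktemp)
cat > "$CONFIG" <<'EOF'
## Constructed sample of /etc/sysconfig/SuSEfirewall2 (not a real system file)
FW_DEV_EXT="eth0"
FW_DEV_INT="br0"
FW_DEV_DMZ=""
FW_SERVICES_EXT_TCP=""
FW_SERVICES_INT_TCP="22 445"
FW_SERVICES_DMZ_TCP=""
EOF

# Value of one sysconfig variable: last definition wins, quotes stripped.
fw_get() {                  # fw_get FILE VAR
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '"'
}

# Zone of an interface. Explicit membership in FW_DEV_EXT/INT/DMZ wins; a
# zone list containing the keyword "any" catches interfaces listed nowhere
# (assumed semantics); failing both, the interface defaults to ext, which is
# what "using default zone 'ext' for interface ..." in the journal means.
fw_zone_for() {             # fw_zone_for FILE IFACE
    local pair zone var devs
    for pair in ext:FW_DEV_EXT int:FW_DEV_INT dmz:FW_DEV_DMZ; do
        zone=${pair%%:*}; var=${pair#*:}
        devs=" $(fw_get "$1" "$var") "
        case "$devs" in *" $2 "*) echo "$zone"; return 0 ;; esac
    done
    for pair in ext:FW_DEV_EXT int:FW_DEV_INT dmz:FW_DEV_DMZ; do
        zone=${pair%%:*}; var=${pair#*:}
        devs=" $(fw_get "$1" "$var") "
        case "$devs" in *" any "*) echo "$zone"; return 0 ;; esac
    done
    echo ext
}

# TCP ports on which a zone accepts unsolicited connections.
fw_tcp_ports_for_zone() {   # fw_tcp_ports_for_zone FILE ZONE
    fw_get "$1" "FW_SERVICES_$(echo "$2" | tr a-z A-Z)_TCP"
}

# 0 if PORT/tcp is reachable from the zone IFACE sits in, 1 otherwise.
fw_port_open_on() {         # fw_port_open_on FILE IFACE PORT
    local zone
    zone=$(fw_zone_for "$1" "$2")
    case " $(fw_tcp_ports_for_zone "$1" "$zone") " in *" $3 "*) return 0 ;; esac
    return 1
}

# Report for the constructed box, including an unassigned interface like the
# OP's abc4t1: it lands in ext, where nothing is accepted.
for iface in eth0 br0 abc4t1; do
    zone=$(fw_zone_for "$CONFIG" "$iface")
    printf '%-7s zone=%-3s tcp ports accepted: [%s]\n' \
        "$iface" "$zone" "$(fw_tcp_ports_for_zone "$CONFIG" "$zone")"
done
```

Point CONFIG at the real file and the loop over your own interface names gives the answer to question 2 directly; an empty FW_SERVICES_EXT_TCP together with an empty FW_CONFIGURATIONS_EXT is the "allow nothing" default ab describes, so in that state the ssh/telnet/rsync entries in the Allowed Services tab are simply absent, not something that has to be switched off.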