I’m using a openSUSE13.1 (bottle) in a VM with 2 Nics(bridged) for running my e-mailserver. One to my internal LAN and one to I-net in the VM(as well in the 13.1 host). Work like a charm.
I have run web-mail to my VM (served me well, both internal and external) but decided to educate myself and start using imap testing Evolution, Kmail and Thunderbird as clients.
1, made e-mailserver listening on 0.0.0.0:143
2, made e-mailserver listening on 0.0.0.0:993
Using Yast2 Firewall module and added above on ext interface.
3, SMTP was already listening on port 25 (UDP)?
4, HTTPS was already listening (on port 443 TCP)? I thought.
25 smtp- success
80 htttp -success
143 imap -success
443 https -no connection could be made because the target machine actively refused it
993 imaps not mentioned at all in the test
Oh it works fine using port:143 to connect from I-net but what about 993? Why is not port:443 open?
On 09/13/2014 04:36 AM, jonte1 wrote:
>
> 443 https -no connection could be made because the target machine
> actively refused it
“active” refusal usually means that the firewall is NOT blocking, but that
the service which should be listening there is not. This is evident with
a ‘Connection Refused’ message sent back to the client attempting to
connect, vs. a long wait and a timeout with no explicit “go away” message.
> 993 imaps not mentioned at all in the test
If it doesn’t test by default, then that isn’t too surprising, right?
–
Good luck.
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below…
I have tried e-mail clients on port 143 from I-net. Work a-ok. On a more or less fresh installed 13.1 laptop and a tablet tested port 993, open in FW, tested etc ie IP masquerading and no success. So default testing External tool… Tested against the tool to open different ports and it seems ok vs openSUSE FW except above.
I cant see this(port 81 is open) in YaST2/Firewall as well. Feels a little scary that ports can be open from other services without been seen in YaST2 config tool. Please understand me right, I’m not complaining or wining but try to learn. Is there any other command/tool that shows all info from Firewall2?
used nmap:
Starting Nmap 6.40 ( http://nmap.org ) at 2014-09-14 09:03 CEST
Nmap scan report for jodo.nu (83.227.24.218)
Host is up (0.0010s latency).
rDNS record for 83.227.24.218: c-da18e353.1644-1-64736c10.cust.bredbandsbolaget.se
Not shown: 992 filtered ports
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
81/tcp open hosts2-ns
143/tcp open imap
443/tcp closed https
465/tcp closed smtps
587/tcp closed submission
993/tcp open imaps
Nmap done: 1 IP address (1 host up) scanned in 5.40 seconds
I know that I config my mailserver to use port 81(80 is occupied by the web server) for the web mail interface.
I cant see this(port 81 is open) in YaST2/Firewall as well. Feels a little scary that ports can be open from other services without been seen in YaST2 config tool. Please understand me right, I’m not complaining or wining but try to learn.
Is there any other single place/file for all info from Firewall2 in openSUSE?
tried nmap:
Starting Nmap 6.40 ( http://nmap.org ) at 2014-09-14 09:03 CEST
Nmap scan report for . (...)
Host is up (0.0010s latency).
rDNS record for ******…
Not shown: 992 filtered ports
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
81/tcp open hosts2-ns
143/tcp open imap
443/tcp closed https
465/tcp closed smtps
587/tcp closed submission
993/tcp open imaps
Nmap done: 1 IP address (1 host up) scanned in 5.40 seconds
If you have HTTPS server chosen in “Allowed service” it would also open 443.
The Firewall module in YAST is a bit… lacking. If you run a production system, I would opt to use something like fwbuilder and manually build the iptables file. It’s trickier but it also allows more fine grained control over everything.
On 09/14/2014 12:56 AM, jonte1 wrote:
>
> I have read and tested some more, -what I can understand there is not a
> a text file where I can see openSUSE Firewall2 config.
That is not correct. The configuration, used by Yast as well, is stored
in /etc/sysconfig/SuSEfirewall2 and can be modified to make the same
changes that Yast makes. There are supporting files, of course, such as
those in the /etc/sysconfig/SuSEfirewall2.d/ directory, and those
typically define things like which service names (‘HTTP Server’) match up
with which ports (TCP 80), so you can customize that as well.
In any case, you can use Yast to open any arbitrary port under Yats:
Security: Firewall. Once in the main firewall component of Yast, you can
go to Allowed Services to choose services to allow, and you can go to
Advanced to list individual ports in a way that is fully supported by
Yast. This is also where you can control which interfaces are considered
Internal or External, or part of other custom zones that you define.
> Something else hits me that I have told my mailserver to use port 81 for
> the web interface (port 80 is occupied by the regular web server).
>
> [image: http://www.jodo.nu/pic/pic2/snapshot51.jpeg]
>
> I cant see this(port 81 is open) in YaST2/Firewall as well. Feels a
> little scary that ports can be open from other services without been
> seen in YaST2 config tool. Please understand me right, I’m not
> complaining or wining but try to learn. Is there any other command/tool
> that shows all info from Firewall2?
If you want to see how the firewall configuration is currently enabled at
runtime, you can always see that with SUSE Linux as you can with other
distros using the iptables commands. If you are familiar with how the
actual ‘iptables’ commands work to add/remove rules, you can also use
iptables-save to see how all of the current settings are implemented which
can be pretty useful. Keep in mind this shows runtime, not configuration
saved to disk, information, so if you setup a firewall using Yast and then
run iptables commands to open a couple of extra ports, the iptables and
iptables-save commands will reflect those changes, even though a restart
of the firewall or a restart of the computer will lose those changes (they
are not persistent changes, as is the norm with iptables). Both of these
commands are under the /usr/sbin directory.
–
Good luck.
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below…
I have been wonder myself on port 443 behaviour. I deleted the HPPTS and even 443 in advanced reference in YaST2/firewall. Nmap gave:
Starting Nmap 6.40 ( http://nmap.org ) at 2014-09-14 12:48 CEST
Nmap scan report for ***.** (***.***.***.***)
Host is up (0.00098s latency).
rDNS record for ***.***.***.***.....
Not shown: 993 filtered ports
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
81/tcp open hosts2-ns
143/tcp open imap
465/tcp closed smtps
587/tcp closed submission
993/tcp open imaps
Nmap done: 1 IP address (1 host up) scanned in 5.98 seconds
My web e-mail was working a-ok after that. I think it was stated from my e-mail server that the port needed to be open but apparently not.
Good that I have a router that allows multiply connections to I-net from home which make it easy to test outside my main openSUSE server.
If I have understand it right the Firewall2 use some kind of dynamic getting info from several sources and build the iptables in real time based on that info.
Upps! I didn’t see your post until I posted mine. Thanks anyway and it gave me more info in my learning of something important. It’s not a pure production environment (50/50 home/work).
Hmm… I can understand and agree upon apply rules to iptables without restart the service. But what about cant save changes to disk and have them there on next reboot. Document everything in a personal file/paper? Not be able to see it in YaST/YaST2?
I did the mistake to drill in to far of Firewall2 in openSUSE.
Is iptables a part of systemd? Then I can understand the lack of functions/manageable by YaST. Waste a lot of time on something I don’t understand and have questioned for a while.
On 09/14/2014 07:36 AM, jonte1 wrote:
>
> Hmm… I can understand and agree upon apply rules to iptables without
> restart the service. But what about cant save changes to disk and have
Let me try to provide a couple of statements that may help:
NetFilter, the firewall built into the Linux kernel which is managed by
the iptables commands, is always in-memory only. Its configuration can be
saved to disk, and with most distros there is some kind of facility to do
this, but there is nothing in NetFilter, aka the Linux firewall, to save
its configuration between reboots by default.
iptables is merely the command used to configure netfilter; nothing more,
nothing less. I suppose as part of that the ‘iptables’ command also shows
you statistics of currently-enabled rules. iptables, as it is just a
command you can call, also has no facility to store data between restarts
on its own.
SUSEfirewall2 is a service configured by Yast, with configuration data
stored in /etc/sysconfig/SuSEfirewall2 (and
/etc/sysconfig/SuSEfirewall2.d) which mnages the firewall settings in a
way that doesn’t require becoming intimately familiar with the iptables
command or NetFilter specifically. It is made to persist changes across
reboots, or even simple firewall restarts. It can be restarted as ‘root’
using the command rcSuSEfirewall2 restart which is a symlink to
/etc/init.d/SuSEfirewall2_setup (not to be confused with
/etc/sysconfig/SuSEfirewall2_init), at least before openSUSE 13.1. With
13.1 things have likely been integrated a bit more with systemd, though I
am not as familiar with those changes.
> them there on next reboot. Document everything in a personal file/paper?
> Not be able to see it in YaST/YaST2?
If you want things to persist across reboots your best bet is to configure
them in Yast. Setup which services to be allowed (HTTP, HTTPS, SMTP,
IMAP) and if that is not sufficient you can modify the service files
(/etc/sysconfig/SuSEfirewall2.d/*) or you can use the Advanced
configuration to allow ports explicitly. Anything you do in Yast can be
applied immediately and should persist across reboots, assuming in Yast
you have your firewall configured to start at bootup.
> Is iptables a part of systemd? Then I can understand the lack of
> functions/manageable by YaST. Waste a lot of time on something I don’t
> understand and have questioned for a while.
I do not believe integration with systemd is related to the ability or
inability to configure the firewall. If you are still having difficulty
opening ports then try the steps mentioned earlier to add the ports
explicitly in the Advanced section of Yast. Once done the ports should be
open, at least on the host itself; this does not mean that routers or
other devices between your clients and this server will necessarily allow
the traffic, of course, as Yast does not control systems other than the
SUSE box on which it is installed.
–
Good luck.
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below…
Well… ~Use YaST to make sure to that the config is there after restart/reboot. Hmmrrf… Doesn’t follow my own experience and answers in the tread.
I can point out a single source, -sys…d For me have digging in Firewall2 and its like to cast a dice and hope for the best. The control mechanism is suited for rocket scientist in CLI.
My own op follows/show the pattern of sys…d. Final I have something that I can directly point out after testing.
After a week whiteout a post(from me) in the forum/tread (know a lot more now)as fare I could understand Firewall was easy to set up in openSUSE before systemd and could be confirm/seen in a easy way in openSUSE.
of something important. It’s not a pure production environment (50/50 home/work).