Firewall2 and zones on Leap 42.3

Running OpenSuSE Leap 42.3 on a generic computer. The question no doubt has been asked and answered but yet haven’t found the answer I need to make the right decision. My network is set generally as such: A AT&T router connecting to U-Verse Internet. The router connects to other computers and hubs. The concerned computer is connected to the router which this machine is also to be used to run a web server accessible to Internet users. The AT&T router also has a firewall. The concerned computer I also want to run Samba which should be accessible to other computers on the local net. The concerned computer only has one Network Interface card.

So, Should I have two network interface cards wher3e once connects to the router and to get to the Internet and the other for the LAN? Should the one network Interface be used for the LAN and accessible to the Router/ Internet? And should this one Network Interface card be defined as an external zone (main question)?

In the meantime, I will keep reading and researching…

The existing router firewall will protect from outside attacks by preventing inbound connections, but it is a good idea to configure a firewall on the host machine to prevent attacks that might arise from within the LAN. One scenario might be an attack from malicious code delivered to a host machine on the LAN via a web browser or email perhaps. This code might then scan the network and attack other vulnerable machines (including the web server).

The following guide was written for securing a web server on a server running openSUSE Leap 42.1, but is applicable for 42.3 as well…
It should give you a good idea of how the firewall works and how to configure it to protect a web server. (You’ll obviously need to configure the firewall to allow samba connections as well.)

And should this one Network Interface card be defined as an external zone (main question)?

With SuSEfirewall2, any interface not explicitly assigned to a zone will be treated as external by default, but yes, that is how a single interface machine needs to treated if you want to invoke firewall protection.

Excellant! Thank you. Was thinking that the NIC should be external. And you are right, other machines may try and send this one machine a virus or malware.