I can't get SuSEfirewall2-custom to load rules during startup/boot

I’m trying to get some custom firewall rules to load during startup and have tried the following:

prrd-fossgis:~ # grep FW_CUSTOMRULES /etc/sysconfig/SuSEfirewall2
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

And then in /etc/sysconfig/scripts/SuSEfirewall2-custom (fw_custom_after_finished() section) I have:

fw_custom_after_finished() {
    # these are the rules to be loaded after the firewall is fully configured
    iptables -I INPUT -d 192.168.16.18
    iptables -I OUTPUT -s 192.168.16.18
    true
}

Those rules don’t get loaded on boot, and I can’t see them in the output of either iptables -L INPUT or iptables -L OUTPUT until I manually load them.

Is there something else I need to do to get those rules loaded on startup?
Those specific rules are required for package “munin” to record TCP/UDP traffic and so I need them to be loaded at boot/startup.

System info:
openSUSE 12.2 w/ KDE 4.8.5, 64bit.

Thanks for any help!

Specify the absolute path for things in scripts.

/usr/sbin/iptables -I INPUT -d 192.168.16.18
/usr/sbin/iptables -I OUTPUT -s 192.168.16.18

No, I haven’t tested this but it’s my guess. If that doesn’t work, add
debugging lines to ensure this is actually running:

echo "$(date)" >> /tmp/iptables-custom.txt

Good luck.

I tried the full paths but they still never got started.
So I added the debug line and didn’t find a /tmp/iptables-custom.txt after this last reboot so it’s not even running.

That file is also marked as executable. I never enabled that flag, but out of all the rules in the scripts folder, it’s the only one that’s an executable:

:~ # ls -lh /etc/sysconfig/scripts/SuSEfirewall2-*
-rw-r--r-- 1 root root 2.6K Sep 11 06:09 /etc/sysconfig/scripts/SuSEfirewall2-batch
-rwxr-xr-x 1 root root 3.3K Dec 19 19:55 /etc/sysconfig/scripts/SuSEfirewall2-custom
-rw-r--r-- 1 root root 3.0K Sep 11 06:09 /etc/sysconfig/scripts/SuSEfirewall2-oldbroadcast
-rw-r--r-- 1 root root 1.4K Sep 11 06:09 /etc/sysconfig/scripts/SuSEfirewall2-open
-rw-r--r-- 1 root root 5.0K Sep 11 06:09 /etc/sysconfig/scripts/SuSEfirewall2-qdisc
-rw-r--r-- 1 root root 4.4K Sep 11 06:09 /etc/sysconfig/scripts/SuSEfirewall2-rpcinfo
-rw-r--r-- 1 root root 2.3K Sep 11 06:09 /etc/sysconfig/scripts/SuSEfirewall2-showlog

Is service SuSEfirewall2_setup enabled?

Yes, it looks like the setup part of the firewall is enabled. I think it’s like that by default.

prrdmgis@prrd-fossgis:~> systemctl status SuSEfirewall2_setup.service
SuSEfirewall2_setup.service - LSB: SuSEfirewall2 phase 2
          Loaded: loaded (/etc/init.d/SuSEfirewall2_setup)
          Active: active (exited) since Wed, 19 Dec 2012 12:18:06 -0700; 20h ago
          CGroup: name=systemd:/system/SuSEfirewall2_setup.service

prrdmgis@prrd-fossgis:~> systemd-analyze blame
...
   298ms cpufreq.service
   298ms fbset.service
   296ms lm_sensors.service
   284ms boot.mount
   276ms systemd-logind.service
   194ms xdm.service
   185ms SuSEfirewall2_setup.service
   176ms systemd-readahead-replay.service
   142ms upower.service
   126ms systemd-readahead-collect.service
...

Is this possibly a bug that I need to file?

I think this is a bug, yes. I tried adding your lines to my custom file
and it did not add them. My guess is that this is because of our use of
systemd, where before that things worked differently under the “old way”
of doing things… just a guess though. If somebody has a non-systemd
system (sys5) environment in which to do the same test that would be helpful.

Good luck.

I briefly tested on 12.2 with all current updates applied and custom scripts do get called:

bor@opensuse:~> cat /tmp/fw_custom.log
fw_custom_after_finished: Thu Dec 20 21:13:39 MSK 2012
fw_custom_after_finished: Thu Dec 20 21:16:07 MSK 2012
fw_custom_after_finished: Thu Dec 20 21:16:18 MSK 2012
bor@opensuse:~> 

Even twice - as part of both _init and _setup.

So it does not look like some general bug …

P.S. and yes, I do use systemd :slight_smile:

On 2012-12-20 17:20, ab wrote:
> If somebody has a non-systemd
> system (sys5) environment in which to do the same test that would be helpful.

You can try that at least in 12.1 choosing what to boot.


Cheers / Saludos,

Carlos E. R.
(from 11.4, with Evergreen, x86_64 “Celadon” (Minas Tirith))

On 2012-12-20 17:20, ab wrote:
> I think this is a bug, yes. I tried adding your lines to my custom file
> and it did not add them. My guess is that this is because of our use of
> systemd, where before that things worked differently under the “old way”
> of doing things… just a guess though. If somebody has a non-systemd
> system (sys5) environment in which to do the same test that would be helpful.

In my 11.4, the function “fw_custom_after_finished()” does not exist.
You can not insert new functions, they will not run. 12.1 has the
function call.


Cheers / Saludos,

Carlos E. R.
(from 11.4, with Evergreen, x86_64 “Celadon” (Minas Tirith))

I have a desktop and a laptop at home with fresh 12.2 x64 installations. Neither will load custom firewall rules.

I then tried on this laptop with a fresh install of 12.2 x64 and same thing, no custom firewall rules will load during boot.

I’ll take some time later today to get a bug report filed, i think this needs one to help troubleshoot further.

Well that’s interesting; the fw_custom_after_finished (assuming that’s
where you put things, not just un-random text in your log file) is also
where I put my attempts at doing something. I did not try the init
change, and I did not try rebooting… just restarted the “firewall” via
the scripts. I confirmed things actually changed between running, ‘stop’,
and ‘start’ so I’m pretty sure my test was valid. Anything else obvious I
could have done besides reboot?

Good luck.

I got a little further.

In the file /sbin/SuSEfirewall2 - I also had to define the variable FW_CUSTOMRULES:
FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
It was actually blank with the value FW_CUSTOMRULES="".

I should also mention that that FW_CUSTOMRULES value was initially set with the YaST sysconfig tool - so it doesn’t update the variable in the /sbin/SuSEfirewall2 file, only the /etc/sysconfig/SuSEfirewall2 file gets changed.

Once I changed it there, there are two entries in the debug file (which also exists now!):

cat /tmp/iptables-custom.txt
Thu Dec 20 11:20:45 MST 2012
Thu Dec 20 11:20:51 MST 2012

But the rules don’t actually get loaded still… regardless of what is seen in /var/log/messages:

Dec 20 11:20:50 prrd-fossgis SuSEfirewall2_init[669]: WARNING: The NOTRACK target is obsolete. Use CT instead.
Dec 20 11:20:50 prrd-fossgis SuSEfirewall2_init[669]: last message repeated 2 times
Dec 20 11:20:50 prrd-fossgis SuSEfirewall2_init[669]: ..done
Dec 20 11:20:50 prrd-fossgis SuSEfirewall2_setup[855]: Loading firewall rules WARNING: The NOTRACK target is obsolete. Use CT instead.
Dec 20 11:20:50 prrd-fossgis SuSEfirewall2_setup[855]: WARNING: The NOTRACK target is obsolete. Use CT instead.
Dec 20 11:20:50 prrd-fossgis SuSEfirewall2_setup[855]: WARNING: The NOTRACK target is obsolete. Use CT instead.
Dec 20 11:20:50 prrd-fossgis SuSEfirewall2_setup[855]: WARNING: The NOTRACK target is obsolete. Use CT instead.
Dec 20 11:20:50 prrd-fossgis SuSEfirewall2_setup[855]: ..done
Dec 20 11:20:51 prrd-fossgis SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 20 11:20:51 prrd-fossgis SuSEfirewall2: Firewall customary rules loaded from /etc/sysconfig/scripts/SuSEfirewall2-custom
Dec 20 11:20:51 prrd-fossgis SuSEfirewall2: Firewall rules successfully set

Even when I restart/stop/start the firewall no changes for custom rules are happening. Here is the result from a rcSuSEfirewall2 {restart|stop|start}:

Dec 20 11:36:05 prrd-fossgis SuSEfirewall2: Firewall rules unloaded.
Dec 20 11:36:05 prrd-fossgis SuSEfirewall2_setup[5226]: Unloading firewall rules..done
Dec 20 11:36:05 prrd-fossgis SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 20 11:36:05 prrd-fossgis SuSEfirewall2: Firewall customary rules loaded from /etc/sysconfig/scripts/SuSEfirewall2-custom
Dec 20 11:36:05 prrd-fossgis SuSEfirewall2_setup[5253]: Loading firewall rules WARNING: The NOTRACK target is obsolete. Use CT instead.
Dec 20 11:36:05 prrd-fossgis SuSEfirewall2_setup[5253]: WARNING: The NOTRACK target is obsolete. Use CT instead.
Dec 20 11:36:05 prrd-fossgis SuSEfirewall2_setup[5253]: last message repeated 2 times
Dec 20 11:36:05 prrd-fossgis SuSEfirewall2: Firewall rules successfully set
Dec 20 11:36:05 prrd-fossgis SuSEfirewall2_setup[5253]: ..done
Dec 20 11:36:05 prrd-fossgis SuSEfirewall2: Firewall rules unloaded.
Dec 20 11:36:05 prrd-fossgis SuSEfirewall2_setup[5365]: Unloading firewall rules..done
Dec 20 11:36:05 prrd-fossgis SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 20 11:36:05 prrd-fossgis SuSEfirewall2: Firewall customary rules loaded from /etc/sysconfig/scripts/SuSEfirewall2-custom
Dec 20 11:36:05 prrd-fossgis SuSEfirewall2_setup[5397]: Loading firewall rules WARNING: The NOTRACK target is obsolete. Use CT instead.
Dec 20 11:36:05 prrd-fossgis SuSEfirewall2_setup[5397]: WARNING: The NOTRACK target is obsolete. Use CT instead.
Dec 20 11:36:05 prrd-fossgis SuSEfirewall2_setup[5397]: last message repeated 2 times
Dec 20 11:36:05 prrd-fossgis SuSEfirewall2: Firewall rules successfully set
Dec 20 11:36:05 prrd-fossgis SuSEfirewall2_setup[5397]: ..done

Here is what my scripts file looks like:

fw_custom_after_finished() {
    # these are the rules to be loaded after the firewall is fully configured
    iptables -I INPUT -d 192.168.16.18
    iptables -I OUTPUT -s 192.168.16.18
    echo $(date) >> /tmp/iptables-custom.txt
    true
}

NOTE: I also tried the same procedure above when removing the FW_CUSTOMRULES from /etc/sysconfig/SuSEfirewall2 and leaving it only in /sbin/SuSEfirewall2 and got the same results - debug file is created with two date entries, and no custom rules are loaded with the same messages seen in /var/log/messages.

Did you notice if they are actually being loaded though, because after updating the variable FW_CUSTOMRULES in the /sbin/SuSEfirewall2 file, I can see them getting called as well but not loaded. In fact, I don’t even need to have that variable defined in /etc/sysconfig/SuSEfirewall2 for them to get called anymore, but I’ve left it in there, just in case…

You can check the output of

iptables -L INPUT and iptables -L OUTPUT

to verify if the rules have been loaded.

Without the rules loaded, it looks like this on my machines:

for rules in INPUT OUTPUT; do iptables -L ${rules}; done
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             ctstate RELATED
input_ext  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-IN-ILL-TARGET "
DROP       all  --  anywhere             anywhere
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

But after I load the rules manually it looks like this (correct):

for rules in INPUT OUTPUT; do iptables -L ${rules}; done
Chain INPUT (policy DROP)
target     prot opt source               destination
           all  --  anywhere             indigenis.site.local
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             ctstate RELATED
input_ext  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-IN-ILL-TARGET "
DROP       all  --  anywhere             anywhere
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
           all  --  indigenis.site.local  anywhere
ACCEPT     all  --  anywhere             anywhere

It’s not where you put things I’ve learned!

Currently, in /etc/sysconfig/SuSEfirewall2 the FW_CUSTOMRULES variable is undefined (commented out!).
In /sbin/SuSEfirewall2 the FW_CUSTOMRULES variable is defined as FW_CUSTOMRULES=“/etc/sysconfig/scripts/SuSEfirewall2-custom”

Then, I moved the custom rules in /etc/sysconfig/scripts/SuSEfirewall2-custom:

fw_custom_after_finished() {
#    iptables -I INPUT -d 192.168.16.18
#    iptables -I OUTPUT -s 192.168.16.18
#    echo $(date) >> /tmp/iptables-custom.txt
    true
}

now moved to...

fw_custom_after_chain_creation() {
    iptables -I INPUT -d 192.168.16.18
    iptables -I OUTPUT -s 192.168.16.18
    echo $(date) >> /tmp/iptables-custom.txt
    true
}

Now /var/log/messages reports the following, and it’s true, my rules are now loading during startup:

Dec 20 11:57:21 prrd-fossgis SuSEfirewall2: Firewall rules set to CLOSE.
Dec 20 11:57:26 prrd-fossgis SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 20 11:57:26 prrd-fossgis SuSEfirewall2: Firewall customary rules loaded from /etc/sysconfig/scripts/SuSEfirewall2-custom
Dec 20 11:57:26 prrd-fossgis SuSEfirewall2: Firewall rules successfully set
Dec 20 11:57:30 prrd-fossgis SuSEfirewall2_init[720]: Loading basic firewall rules WARNING: The NOTRACK target is obsolete. Use CT instead.
Dec 20 11:57:30 prrd-fossgis SuSEfirewall2_init[720]: WARNING: The NOTRACK target is obsolete. Use CT instead.
Dec 20 11:57:30 prrd-fossgis SuSEfirewall2_init[720]: last message repeated 2 times
Dec 20 11:57:30 prrd-fossgis SuSEfirewall2_init[720]: ..done
Dec 20 11:57:30 prrd-fossgis SuSEfirewall2_setup[906]: Loading firewall rules WARNING: The NOTRACK target is obsolete. Use CT instead.
Dec 20 11:57:30 prrd-fossgis SuSEfirewall2_setup[906]: WARNING: The NOTRACK target is obsolete. Use CT instead.
Dec 20 11:57:30 prrd-fossgis SuSEfirewall2_setup[906]: WARNING: The NOTRACK target is obsolete. Use CT instead.
Dec 20 11:57:30 prrd-fossgis SuSEfirewall2_setup[906]: WARNING: The NOTRACK target is obsolete. Use CT instead.
Dec 20 11:57:30 prrd-fossgis SuSEfirewall2_setup[906]: ..done
Dec 20 11:57:32 prrd-fossgis SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 20 11:57:32 prrd-fossgis SuSEfirewall2: Firewall customary rules loaded from /etc/sysconfig/scripts/SuSEfirewall2-custom
Dec 20 11:57:32 prrd-fossgis SuSEfirewall2: Firewall rules successfully set 

So in summary, I only have to define the FW_CUSTOMRULES variable in the /sbin/SuSEfirewall2 file and also place the custom rules in /etc/sysconfig/scripts/SuSEfirewall2-custom as part of the fw_custom_after_chain_creation() function and NOT the fw_custom_after_finished() function.
It’s not needed to define the FW_CUSTOMRULES variable in the /etc/sysconfig/SuSEfirewall2 file.

Is that intended behaviour? Because YaST sysconfig can’t set up the FW_CUSTOMRULES variable correctly when it’s needed in the /sbin/SuSEfirewall2 file. It never touches that file so it’s left undefined and when it updates the /etc/sysconfig/SuSEfirewall2 file, that variable is ignored during boot.

Should I then place a bug report with YaST sysconfig module as the firewall is now working as expected?

On 2012-12-20 19:46, saultdon wrote:
>
> I got a little further.
>
> In the file /sbin/SuSEfirewall2 - I also had to define the variable
> FW_CUSTOMRULES:
> FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
> It was actually blank with the value FW_CUSTOMRULES="".

Yes, of course. I thought you did, I read incorrectly your post then.

> I should also mention that that FW_CUSTOMRULES value was initially set
> with the YaST sysconfig tool - so it doesn’t update the variable in the
> /sbin/SuSEfirewall2 file, only the /etc/sysconfig/SuSEfirewall2 file
> gets changed.

That’s another bug. I think that the variable got applied when running
SuSEconfig, but that script is being deprecated :frowning:

> But the rules don’t actually get loaded still… regardless of what is
> seen in /var/log/messages:

Oh :frowning:

> Here is what my scripts file looks like:
>
> Code:
> --------------------
> fw_custom_after_finished() {
> # these are the rules to be loaded after the firewall is fully configured
> iptables -I INPUT -d 192.168.16.18
> iptables -I OUTPUT -s 192.168.16.18
> echo $(date) >> /tmp/iptables-custom.txt
> true
> }
> --------------------
>

I suggest you also dump the output from those iptables commands to the
custom file, as a log. Add the verbose option. See if there is an error.


Cheers / Saludos,

Carlos E. R.
(from 11.4, with Evergreen, x86_64 “Celadon” (Minas Tirith))
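The two findings in this thread so far, that the rules only survive when placed in fw_custom_after_chain_creation() and that the iptables calls should be logged verbosely to see whether they fail, gathered into one hook file. This is an added example, not code from the thread or from the SuSEfirewall2 package: the iptables path, the log location and the munin host address (192.168.16.18, as used above) are assumptions and can be overridden through environment variables, and the `iptables -C` rule check requires iptables 1.4.11 or newer.

```shell
# Added example of /etc/sysconfig/scripts/SuSEfirewall2-custom (not the
# package's own file). SuSEfirewall2 sources this file, so it defines
# hook functions only and runs nothing at top level.

IPTABLES="${IPTABLES:-/usr/sbin/iptables}"           # absolute path, as advised above (assumed location)
CUSTOM_LOG="${CUSTOM_LOG:-/tmp/iptables-custom.txt}" # same debug file the thread uses
MUNIN_HOST="${MUNIN_HOST:-192.168.16.18}"            # host whose traffic munin counts

# Append one timestamped line to the debug log.
fw_log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$CUSTOM_LOG"
}

# Run one iptables command with -v, log its output and exit status,
# and return that status so a failed rule is visible instead of silent.
fw_rule() {
    fw_out=$("$IPTABLES" -v "$@" 2>&1)
    fw_rc=$?
    fw_log "iptables $* -> rc=$fw_rc ${fw_out:+[$fw_out]}"
    return $fw_rc
}

# Accounting rules without a target: they match and count packets/bytes,
# nothing else, which is what the munin ip_ plugin reads. Installed in this
# hook rather than fw_custom_after_finished because that is where the OP
# found they survive the rest of the SuSEfirewall2 setup.
fw_custom_after_chain_creation() {
    fw_log "fw_custom_after_chain_creation: start"
    fw_rule -I INPUT  -d "$MUNIN_HOST"
    fw_rule -I OUTPUT -s "$MUNIN_HOST"
    true
}

# Return 0 if both accounting rules are present, 1 otherwise.
# iptables -C only checks for a rule; it changes nothing.
fw_check_rules() {
    "$IPTABLES" -C INPUT  -d "$MUNIN_HOST" >/dev/null 2>&1 &&
    "$IPTABLES" -C OUTPUT -s "$MUNIN_HOST" >/dev/null 2>&1
}

# Last hook SuSEfirewall2 calls: record whether the rules are still there.
# A "MISSING" entry means something after chain creation removed them.
fw_custom_after_finished() {
    if fw_check_rules; then
        fw_log "fw_custom_after_finished: accounting rules present"
    else
        fw_log "fw_custom_after_finished: accounting rules MISSING"
    fi
    true
}
```

After a reboot, /tmp/iptables-custom.txt then shows, per iptables call, the verbose rule output and its exit code, followed by a present/MISSING line from the final hook, which separates "the hook never ran" from "the rule failed" from "the rule was removed later".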

Try setting FW_USE_IPTABLES_BATCH to NO in /etc/sysconfig/SuSEfirewall2. Once I did that I was able to add the rules to
fw_custom_after_finished() in SuSEfirewall2-custom and it worked like it should.

I still have the same problem.

My servers have had these custom rules set all the time and that was working up to openSuSE 12.1.
Since I updated, the rules get loaded and immediately after loading all rules get removed.

Apr  9 15:16:04 xxxxxxx SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Apr  9 15:16:04 xxxxxxx SuSEfirewall2: Firewall customary rules loaded from /etc/sysconfig/scripts/SuSEfirewall2-custom
Apr  9 15:16:04 xxxxxxx SuSEfirewall2: Firewall rules successfully set
Apr  9 15:16:04 xxxxxxx SuSEfirewall2_setup[4168]: Loading firewall rules ..done
Apr  9 15:16:05 xxxxxxx SuSEfirewall2: Firewall rules unloaded.
Apr  9 15:16:05 xxxxxxx SuSEfirewall2_setup[4378]: Unloading firewall rules..done

I’m calling a script in the custom rules too (I’ve commented it out for the tests) which has an echo in it, so I can see that the custom rules and my script run at boot, but just when the script has finished (if I build a sleep into my script the rules stay for exactly that time) the rules get unloaded completely. That leads to a completely disabled firewall, because no rules are set anymore.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination


Chain FORWARD (policy ACCEPT)
target     prot opt source               destination


Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I’ve tried your solutions but since my rules are getting loaded I guess it’s another problem then :frowning:

My custom rules look like this (at the moment the rules are in the fw_custom_after_finished section, but it worked the same in all sections):

        # Creating Chains
        iptables -N SSH-CONNECTION
        iptables -N SSH-BLACKLIST


        # Managing connections with blacklisted ips
        iptables -A SSH-BLACKLIST -m recent --name SSH-BLACKLIST --set
        iptables -A SSH-BLACKLIST -j DROP


        # allow whitelisted ips the connection
        iptables -A SSH-CONNECTION -m recent --name SSH-WHITELIST --rcheck -j ACCEPT


        # adding xxxxxxxxxxx static IPs to Whitelist
        # whitelist -a xxx.xxx.xxx.xxx -t 10 -s 0
        # whitelist -a xxx.xxx.xxx.xxx -t 10 -s 0
        # adding xxxxxxxxxxx static IP to Whitelist
        # whitelist -a xxx.xxx.xxx.xxx -t 10 -s 0

        # re-ban already blacklisted IPs when they try to connect again
        iptables -A SSH-CONNECTION -m recent --update --name SSH-BLACKLIST --seconds 600 --hitcount 1 -j DROP


        # counters for the several blacklisting types that follow in the next step
        iptables -A SSH-CONNECTION -m recent --set --name SSH-120-3
        iptables -A SSH-CONNECTION -m recent --set --name SSH-300-8
        iptables -A SSH-CONNECTION -m recent --set --name SSH-900-15
        iptables -A SSH-CONNECTION -m recent --set --name SSH-1800-20


        # Rules for blacklisting
        iptables -A SSH-CONNECTION -m recent --update --name SSH-120-3 --seconds 120 --hitcount 3 -j SSH-BLACKLIST
        iptables -A SSH-CONNECTION -m recent --update --name SSH-300-8 --seconds 300 --hitcount 8 -j SSH-BLACKLIST
        iptables -A SSH-CONNECTION -m recent --update --name SSH-900-15 --seconds 900 --hitcount 15 -j SSH-BLACKLIST
        iptables -A SSH-CONNECTION -m recent --update --name SSH-1800-20 --seconds 1800 --hitcount 20 -j SSH-BLACKLIST


        # enables that Chain for SSH-Connections
        iptables -A input_ext -p TCP --dport ssh -m conntrack --ctstate NEW -j SSH-CONNECTION

If I just restart SuSEfirewall2_setup with /etc/init.d/SuSEfirewall2_setup restart I get exactly the same result.

In a regular boot, first SuSEfirewall2_init runs, after that SuSEfirewall2_setup unloads all rules and sets the YaST-configured + custom rules, and then they get unloaded again by SuSEfirewall2_setup.

Well, it seems like I solved it …

I just turned all custom rules off one by one … after I turned them all off and rebooted … the firewall was working with the dummy settings

then I just turned them on one by one … the firewall was working too :open_mouth:

but after a reboot the system was behaving the old way again :’(

then I tried out whether it may have a problem with my scripts and yeah … after I only commented out the scripts and rebooted, all custom chains were working :wink:

The scripts do whitelisting for internal IPs. I tried putting the scripts at the very bottom so that they get called last and now … for the moment … it seems to work. I also run the scripts immediately instead of starting a 60-second timer to run the scripts after the regular boot process.

So maybe just the whitelisting before turning all chains on was the problem, but I don’t really know … maybe it’s just working temporarily :sarcastic: