In Yast no zone assigned to interface in firewall - which firewall rules apply?

Hi again!

Title says everything, if somebody forgot to assign a zone in the firewall but uses the respective interface for all kinds of internet access (wifi), which firewall rules will opensuse apply for this interface in the meantime? :slight_smile:

Could not find it in the documentation…

Many thanks in advance

rasputin

I haven’t seen that,
So can only speculate the effect (In other words, don’t take my word. It’s easy to test).

If the SUSE FW is running,
Then you should have limited or no inbound connectivity.
You’ll still likely be able to initiate outbound connections, but if the type of connection requires a “callback” then it’d likely be blocked.

TSU

I’ve seen this before a few time, and maybe even reported a bug against
it, and I think the answer is “external”.

In fact, checking my newly-built 42.1 system it is behaving this way, with
the firewall rules applied to input_ext, and those applying, even though
my NICs have ‘No zone assigned’ per Yast. The official answer probably
comes via checking the ‘iptables’ or ‘iptables-save’ command output, which
is what I did.


Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below…

Hi ab!

I have done more than a dozen opensuse installs (mostly 13.2) over the last year, the default on a fresh system is “no zone assigned” for all interfaces. So in one case we forgot to change to external, but I simply wanted to know what is the status of such a system, as nothing is in the documentation…

Many thanks for the answers!

raspu

Agreed, and I see it fairly regularly. Haven’t figured out why; maybe it
has to do with using static vs. DHCP addressing, or maybe something about
disabling IPv6 impacts things, or maybe it’s just bad luck. Either way, I
only noticed it as a technicality after years of it happening which is how
I found out “external” applied.

On 06/19/2016 12:56 AM, suse rasputin wrote:
>
> Hi ab!
>
> I have done more than a dozen opensuse installs (mostly 13.2) over the
> last year, the default on a fresh system is “no zone assigned” for all
> interfaces. So in one case we forgot to change to external, but I simply
> wanted to know what is the status of such a system, as nothing is in the
> documentation…
>
> Many thanks for the answers!
>
> raspu
>
>


Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below…

I normally choose DHCP and “IPv4 only” for all interfaces during initial setup of opensuse while installing, might be related :slight_smile:

Am Sun, 19 Jun 2016 14:16:01 GMT
schrieb suse rasputin <suse_rasputin@no-mx.forums.microfocus.com>:

> I normally choose DHCP and “IPv4 only” for all interfaces during initial
> setup of opensuse while installing, might be related :slight_smile:
>
>

grep FW_DEV_EXT= /etc/sysconfig/SuSEfirewall2

FW_DEV_EXT=“eth0 wlan0”

Now let’s remove those definitions …

sed -i ‘s|FW_DEV_EXT=“eth0 wlan0”|FW_DEV_EXT=""|g’

grep FW_DEV_EXT= /etc/sysconfig/SuSEfirewall2
FW_DEV_EXT=""

And now …

SuSEfirewall2 start

SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 …
SuSEfirewall2: using default zone ‘ext’ for interface eth0
SuSEfirewall2: using default zone ‘ext’ for interface wlan0
SuSEfirewall2: Firewall rules successfully set

AK

Never attribute to malice that which can be adequately explained by stupidity.
(R.J. Hanlon)

On 06/19/2016 08:29 AM, AK wrote:
> Now let’s remove those definitions …
>
> # sed -i ‘s|FW_DEV_EXT=“eth0 wlan0”|FW_DEV_EXT=""|g’
>
> grep FW_DEV_EXT= /etc/sysconfig/SuSEfirewall2
> FW_DEV_EXT=""
>
> And now …
>
> # SuSEfirewall2 start
> SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 …
> SuSEfirewall2: using default zone ‘ext’ for interface eth0
> SuSEfirewall2: using default zone ‘ext’ for interface wlan0
> SuSEfirewall2: Firewall rules successfully set

Nicely analyzed.


Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below…

i also had a chance to take a look at this within the last couple days.

Apparently a LEAP install doesn’t automatically assign an interface to any FW zone (I should think this might be an installation bug).

I then installed VNC using the YAST Remote Administration applet which offered to open the VNC firewall port to all interfaces.

The result is that although SUSE FW still insists that all ports are blocked because the remote network interface hasn’t been assigned to a zone, the VNC port is opened and usable on all interfaces.

So, to answer the OP’s question…
If you don’t assign the network interface(s) to a FW zone, it <should> be completely closed to all networking.
But, that’s not necessarily true.
So, this raises some interesting and possibly serious questions about the SUSE FW configuration which should but does not necessarily report ip tables configuration accurately.

TSU

Create documentation request
https://bugzilla.opensuse.org/show_bug.cgi?id=989145

and commented on closed bug
https://bugzilla.opensuse.org/show_bug.cgi?id=931152

Please vote for one or the other (depending on which solution you prefer) in the priority and severity row.

  • JJ

Meanwhile, after reading the luke-warm things to close the bug, I think: It’s not a bug, it’s a feature, or, Ed? :wink:

Am Wed, 20 Jul 2016 19:36:01 GMT
schrieb suse rasputin <suse_rasputin@no-mx.forums.microfocus.com>:

> It’s not a bug, it’s a feature, or, Ed? :wink:

Premise:

SuSEfirewall2 is zone based, so it has to decide where to put an
interface if no zone is assigned.

Possible Choices:

  • Now you can not assign it to “Internal” (no blocking at all) and certainly not
    to “DMZ” (all incoming request will go there) as that would
    really pose a security risk.

  • Any custom zone is also not applicable, this leaves you only with the
    “External” zone and that one is normally the one with the strict rules.

  • Blocking all incoming requests is also not a good idea, as you then will get
    complaints like “I opened Services X, Y and Z and the f***in firewall still
    blocks it!1111”.

Conclusion:

Assigning to the external zone is the logical choice.

AK


Never attribute to malice that which can be adequately explained by stupidity.
(R.J. Hanlon)

So far so good, absolutely correct. But read post #9, the display of firewall rules in Yast is then not correct. And this is where a considerable bug comes into play.

In my opinion… :wink: