Title says everything, if somebody forgot to assign a zone in the firewall but uses the respective interface for all kinds of internet access (wifi), which firewall rules will opensuse apply for this interface in the meantime?
I haven't seen that,
So can only speculate the effect (In other words, don't take my word. It's easy to test).
If the SUSE FW is running,
Then you should have limited or no inbound connectivity.
You'll still likely be able to initiate outbound connections, but if the type of connection requires a "callback" then it'd likely be blocked.
I've seen this before a few times, and maybe even reported a bug against
it, and I think the answer is "external".
In fact, checking my newly-built 42.1 system it is behaving this way, with
the firewall rules applied to input_ext, and those applying, even though
my NICs have "No zone assigned" per Yast. The official answer probably
comes via checking the "iptables" or "iptables-save" command output, which
is what I did.
--
Good luck.
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below…
I have done more than a dozen opensuse installs (mostly 13.2) over the last year, the default on a fresh system is "no zone assigned" for all interfaces. So in one case we forgot to change to external, but I simply wanted to know what is the status of such a system, as nothing is in the documentation…
Agreed, and I see it fairly regularly. Haven't figured out why; maybe it
has to do with using static vs. DHCP addressing, or maybe something about
disabling IPv6 impacts things, or maybe it's just bad luck. Either way, I
only noticed it as a technicality after years of it happening which is how
I found out "external" applied.
On 06/19/2016 12:56 AM, suse rasputin wrote:
>
> Hi ab!
>
> I have done more than a dozen opensuse installs (mostly 13.2) over the
> last year, the default on a fresh system is "no zone assigned" for all
> interfaces. So in one case we forgot to change to external, but I simply
> wanted to know what is the status of such a system, as nothing is in the
> documentation…
>
> Many thanks for the answers!
>
> raspu
>
>
SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
SuSEfirewall2: using default zone 'ext' for interface eth0
SuSEfirewall2: using default zone 'ext' for interface wlan0
SuSEfirewall2: Firewall rules successfully set
AK
Never attribute to malice that which can be adequately explained by stupidity.
(R.J. Hanlon)
On 06/19/2016 08:29 AM, AK wrote:
> Now let's remove those definitions …
>
> # sed -i 's|FW_DEV_EXT="eth0 wlan0"|FW_DEV_EXT=""|g' /etc/sysconfig/SuSEfirewall2
>
> grep FW_DEV_EXT= /etc/sysconfig/SuSEfirewall2
> FW_DEV_EXT=""
>
> And now …
>
> # SuSEfirewall2 start
> SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
> SuSEfirewall2: using default zone 'ext' for interface eth0
> SuSEfirewall2: using default zone 'ext' for interface wlan0
> SuSEfirewall2: Firewall rules successfully set
Nicely analyzed.
I also had a chance to take a look at this within the last couple days.
Apparently a LEAP install doesn't automatically assign an interface to any FW zone (I should think this might be an installation bug).
I then installed VNC using the YAST Remote Administration applet which offered to open the VNC firewall port to all interfaces.
The result is that although SUSE FW still insists that all ports are blocked because the remote network interface hasn't been assigned to a zone, the VNC port is opened and usable on all interfaces.
So, to answer the OP's question…
If you don't assign the network interface(s) to a FW zone, it <should> be completely closed to all networking.
But, that's not necessarily true.
So, this raises some interesting and possibly serious questions about the SUSE FW configuration which should but does not necessarily report iptables configuration accurately.
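The thread's own advice is to trust `iptables-save` rather than the YaST display. The script below is an added example, not code from the thread or from SuSEfirewall2: it reads `iptables-save` text on stdin and reports (a) which `input_*` zone chain each interface is dispatched to, including the catch-all `-A INPUT -j input_ext` rule that covers interfaces with "no zone assigned", and (b) which ports each zone chain actually ACCEPTs, which is how you would confirm the VNC observation above. The rule text is a constructed sample written in the style of SuSEfirewall2's output, and the function names are my own.

```shell
#!/bin/sh
# Added example: map interfaces to SuSEfirewall2 zone chains and list the
# ports each zone chain accepts, from iptables-save output.

# Constructed sample in the style of SuSEfirewall2's INPUT dispatch;
# not captured from a real host. Replace with:  iptables-save | fw_zone_report
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:input_ext - [0:0]
:input_int - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j input_ext
-A INPUT -i wlan0 -j input_ext
-A INPUT -i eth1 -j input_int
-A INPUT -j input_ext
-A input_ext -p tcp -m tcp --dport 5901 -j ACCEPT
-A input_ext -j DROP
COMMIT'

# fw_zone_report: print "<iface> <zone>" for every INPUT rule that jumps to an
# input_* chain. A rule with no "-i" is printed as "*": unmatched interfaces
# (the "no zone assigned" case) fall through to that zone.
fw_zone_report() {
    awk '
        $1 == "-A" && $2 == "INPUT" {
            iface = "*"; zone = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-i") iface = $(i+1)
                if ($i == "-j" && $(i+1) ~ /^input_/) zone = substr($(i+1), 7)
            }
            if (zone != "") print iface, zone
        }'
}

# fw_open_ports: print "<zone> <proto>/<port>" for every ACCEPT rule with a
# --dport inside an input_* chain, i.e. what the zone really lets in.
fw_open_ports() {
    awk '
        $1 == "-A" && $2 ~ /^input_/ {
            proto = ""; port = ""; accept = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-p") proto = $(i+1)
                if ($i == "--dport") port = $(i+1)
                if ($i == "-j" && $(i+1) == "ACCEPT") accept = 1
            }
            if (accept && port != "") print substr($2, 7), proto "/" port
        }'
}

# Run against the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | fw_zone_report
printf '%s\n' "$SAMPLE_RULES" | fw_open_ports
```

On the sample this prints `eth0 ext`, `wlan0 ext`, `eth1 int` and `* ext` (every other interface lands in the external zone), followed by `ext tcp/5901`: the port is accepted in `input_ext`, so it is reachable on any interface that zone covers, whatever YaST says about zone assignment.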
SuSEfirewall2 is zone based, so it has to decide where to put an
interface if no zone is assigned.
Possible Choices:
Now you can not assign it to "Internal" (no blocking at all) and certainly not
to "DMZ" (all incoming requests will go there) as that would
really pose a security risk.
Any custom zone is also not applicable, this leaves you only with the
"External" zone and that one is normally the one with the strict rules.
Blocking all incoming requests is also not a good idea, as you then will get
complaints like "I opened Services X, Y and Z and the f***in firewall still
blocks it!1111".
Conclusion:
Assigning to the external zone is the logical choice.
AK
So far so good, absolutely correct. But read post #9, the display of firewall rules in Yast is then not correct. And this is where a considerable bug comes into play.